Apple gave Uber access to a "powerful tool" that could record an Uber user's iPhone screen even if the app was running in the background, a security researcher has revealed. This backdoor to powerful and "private" Apple features allowed the ride-hailing company to potentially access user information without their knowledge.
"Granting such a sensitive entitlement to a third-party is unprecedented as far as I can tell, no other app developers have been able to convince Apple to grant them entitlements they’ve needed to let their apps utilize certain privileged system functionality," Will Strafach, a security researcher who reported the issue, said.
What exactly is this latest Uber issue?
In iOS, app developers use "entitlements" that enable them to gain access to different APIs - using iCloud, giving access to Camera, Apple Pay API, setting up push notifications, and more. These entitlements in a way ensure that apps only get access to what they actually need for offering their services.
Apple also has certain private entitlements that are used only by the company itself; if a developer, no matter how established, is found using them, the app is instantly rejected from the App Store, regardless of the legitimacy of the request. These entitlements have names that start with com.apple.private. Researchers discovered Uber using one such sensitive entitlement, "com.apple.private.allow-explicit-graphics-priority", evidently with Apple's explicit permission.
Strafach, who analyzes mobile app security, said that in a database of tens of thousands of apps he couldn't find any other non-Apple app that had been granted such a sensitive entitlement.
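As an added illustration (not the researcher's tooling and not code from any party named here), the following Python example shows how an audit of this kind can flag third-party apps that hold com.apple.private entitlements. It assumes each app's entitlements have already been extracted as a property list; the bundle IDs, sample data and function names are constructed, and treating a com.apple. bundle ID as Apple's own is a simplification.

```python
import plistlib
from xml.parsers.expat import ExpatError

PRIVATE_PREFIX = "com.apple.private."   # prefix the article describes
APPLE_BUNDLE_PREFIX = "com.apple."      # simplification: a real audit checks the signing team

def private_entitlements(entitlements_plist: bytes) -> list:
    """Return the private entitlement keys an entitlements plist actually grants."""
    try:
        ents = plistlib.loads(entitlements_plist)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        raise ValueError(f"unparseable entitlements plist: {exc}") from exc
    if not isinstance(ents, dict):
        raise ValueError("entitlements plist must have a dictionary at top level")
    # A key whose value is false grants nothing, so it is not reported.
    return sorted(k for k, v in ents.items()
                  if k.startswith(PRIVATE_PREFIX) and v is not False)

def audit(apps: dict) -> dict:
    """Map each third-party bundle ID to the private entitlements it holds."""
    findings = {}
    for bundle_id, blob in apps.items():
        if bundle_id.startswith(APPLE_BUNDLE_PREFIX):
            continue  # Apple's own apps are expected to carry private entitlements
        try:
            keys = private_entitlements(blob)
        except ValueError:
            keys = ["<unparseable>"]  # surface for manual review rather than skip silently
        if keys:
            findings[bundle_id] = keys
    return findings

# Constructed sample data: bundle IDs and entitlement sets are illustrative only.
SAMPLE_APPS = {
    "com.apple.constructed-system-app": plistlib.dumps(
        {"com.apple.private.allow-explicit-graphics-priority": True}),
    "com.example.rideshare": plistlib.dumps({
        "aps-environment": "production",
        "com.apple.private.allow-explicit-graphics-priority": True}),
    "com.example.notes": plistlib.dumps({
        "com.apple.developer.icloud-services": ["CloudKit"],
        "com.apple.private.constructed-disabled-key": False}),
    "com.example.broken": b"<plist><dict><key>truncated",
}

if __name__ == "__main__":
    for bundle_id, keys in audit(SAMPLE_APPS).items():
        print(bundle_id, "->", ", ".join(keys))
```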
"It is very odd to see Uber as the only app (I checked tens of thousands of other apps using my company’s internal dataset derived from the App Store) besides Apple’s own apps granted access to this sensitive entitlement."
Apparently granted by Apple to help Uber manage Apple Watch memory resources
This sensitive entitlement, which turned out to allow recording a user's screen, wasn't granted to Uber to track drivers or Uber users. According to Uber, it was used to help early Apple Watches render maps and improve memory management for Uber's Watch app. In a statement to Gizmodo, an Uber spokesperson confirmed that this is no longer required for the newer app versions, which is why the company is removing this API. [It is unclear why this API wasn't removed already if it was no longer required]
“It was used for an old version of the Apple Watch app, specifically to run the heavy lifting of rendering maps on your phone & then send the rendering to the Watch app. This dependency was removed with previous improvements to Apple’s OS & our app. Therefore, we’re removing this API from our iOS codebase."
The screen recording capability could potentially have been used for nefarious purposes by criminal hackers, if not by Uber itself (wouldn't be surprising given its history). "By carefully enabling only the resource access that you need, you minimize the potential for damage if malicious code successfully exploits your app," Apple says about entitlements. This means that while Uber may actually never have intended to spy on its users and drivers (it did previously), this entitlement may have given hackers a chance to silently monitor an Uber user's activity, including potentially stealing sensitive information.
"Essentially it gives you full control over the framebuffer, which contains the colors of each pixel of your screen. So they can potentially draw or record the screen," a security researcher wrote. "It can potentially steal passwords etc."
Strafach continued to say that Apple doesn't grant "private" entitlements to app developers considering their sensitivity and NO other app has ever been able to get that access.
“It looks like no other third-party developer has been able to get Apple to grant them a private sensitive entitlement of this nature. Considering Uber’s past privacy issues I am very curious how they convinced Apple to allow this."
Why such an exceptional and unprecedented access for Uber then?
Given Uber's apparently not-so-happy history with Apple, which has previously threatened to pull the ride-hailing company's app from the App Store, it is indeed curious why Apple would give Uber, and only Uber, access to a private sensitive entitlement that could enable it to record a user's or a driver's screen.
As mentioned above, an Uber spokesperson claims that Apple gave this permission "because Apple Watch couldn’t handle" Uber maps rendering. It is likely that the Cupertino tech giant had to give this access after it gave app developers a four-month window to develop apps for its Watch before the unveiling of the product. During the keynote in 2015, Uber took a lot of stage time when Apple showcased its Apple Watch.
Probably realizing its value as a good selling point for the new Apple Watch, Uber may have pushed Apple for this access. Some, however, don't agree with Apple's policy of only helping out big players.
I know various parties interested in having a few entitlements in their apps. But of course, "security!!!". When Uber needs em its all good.
— qwertyoruiop (@qwertyoruiopz) October 3, 2017
Given Uber's history with spying on its users, drivers, and competitors, it wouldn't be surprising if the company did use it for nefarious reasons especially considering they did ask for screen recording capabilities. "And of all the entitlements Uber could ask they go for shit that can be used to track users when app is backgrounded," a Twitter user wrote. "And Apple is OK w/ it."
For what it's worth, the company is now removing the troubling API from its codebase, and Strafach says that he couldn't find any evidence that the entitlement was indeed used maliciously by the company.