Uber Removing Apple-Granted API That Could Have Let it Record a User’s iPhone Screen
When the Apple Watch was first released, Apple gave Uber what’s known as an “entitlement” to run a special API to improve performance of the Uber app on the wrist worn device.
That entitlement made headlines today when security researchers told Gizmodo that Uber could have used it to record a user’s iPhone screen even with the Uber app just running in the background.
In a statement, Uber said the entitlement was used for an old version of the Apple Watch app and was provided to Uber because the original Apple Watch couldn’t render maps.
“It was used for an old version of the Apple Watch app, specifically to run the heavy lifting of rendering maps on your phone & then send the rendering to the Watch app,” an Uber spokesperson told Gizmodo, saying that early Apple Watches couldn’t handle this process alone. “This dependency was removed with previous improvements to Apple’s OS & our app. Therefore, we’re removing this API from our iOS codebase.”
The entitlement is no longer necessary and Uber is planning to remove it from the iOS codebase, according to both the statement given to Gizmodo and a tweet from Uber head of security and privacy communications Melanie Ensign.
According to security researcher Will Strafach, who first brought attention to the issue, Apple does not often give out entitlements. Strafach said he could find no other apps on the App Store that have the permissions that the Uber app has.
API was used to render Uber maps on iphone & send to Apple Watch before Watch apps could handle it. It’s not in use & being removed. Thx!
— Melanie Ensign (@iMeluny) October 5, 2017
Strafach says there is no evidence that Uber ever misused the entitlement, but it could have been utilized to monitor activity on an iPhone, recording passwords and other personal information. “Essentially it gives you full control over the framebuffer, which contains the colors of each pixel of your screen. So they can potentially draw or record the screen,” another security researcher, Luca Todesco, told Gizmodo.
Uber says the app is no longer connected to anything in the company’s current codebase, but users will likely be wary anyway as there have been other privacy concerns with the Uber app. There was a feature that allowed riders to be tracked for up to five minutes after a trip, and Apple CEO Tim Cook even went so far as to threaten to remove the app from the App Store after it was found to be secretly recording the UDID of iPhones to identify them even after the Uber app had been deleted.
Discuss this article in our forums