Apple granted the iPhone app of ride-sharing company Uber the ability to access and record users' screens, a capability that would have allowed the app to effectively spy on its users.
Uber has said the functionality had a benign purpose and is no longer in use.
The capability, Uber said, was granted by Apple so the app could take a snapshot of a map rendered on the iPhone and send it to the Uber Apple Watch app, because the first-generation watch had trouble rendering maps on its own, Gizmodo reported.
The same capability, however, could also be used to capture the user's screen at any time, even while the app runs in the background.
“Essentially it gives you full control over the framebuffer, which contains the colors of each pixel of your screen. So they can potentially draw or record the screen,” Luca Todesco, a researcher and iPhone jailbreaker, told Gizmodo. “It can potentially steal passwords etc.”
Such capabilities are granted through entitlements, permission keys embedded in an app's code signature that the operating system checks at runtime. Most entitlements are available to any developer, but this one is normally reserved for Apple's own software and is not granted to third parties.
The code responsible for the functionality was discovered by security researcher Will Strafach, CEO of Sudo Security Group, who said he could not find the same entitlement granted by Apple to any other third-party app.
So I checked our dataset to find out if any other app was granted a sensitive entitlement by Apple. Uber is the only non-Apple app. https://t.co/Xc4FeAz5g8
— Will Strafach (@chronic) October 5, 2017
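The check Strafach describes, scanning a dataset of apps for sensitive entitlements, can be reproduced on any Mach-O binary by reading the entitlements plist out of the code signature embedded in the file. The Python script below is an added example written for this article; it is not code from Uber, Apple, Gizmodo or Sudo Security Group. The entitlement key it flags (com.apple.private.placeholder-entitlement) and the application identifier are constructed placeholders, not the actual entitlement Strafach found, and the Mach-O it parses is a minimal fixture built in memory so the script runs offline.

```python
import plistlib
import struct

# Mach-O constants (from <mach-o/loader.h> and the code-signing SuperBlob format)
MH_MAGIC = 0xFEEDFACE                        # 32-bit thin Mach-O, little-endian on disk
MH_MAGIC_64 = 0xFEEDFACF                     # 64-bit thin Mach-O
LC_CODE_SIGNATURE = 0x1D                     # linkedit_data_command pointing at the signature SuperBlob
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0      # SuperBlob magic (all signature blobs are big-endian)
CSMAGIC_EMBEDDED_ENTITLEMENTS = 0xFADE7171   # XML entitlements blob magic
CSSLOT_ENTITLEMENTS = 5                      # SuperBlob index slot that carries the entitlements blob


def find_code_signature(macho: bytes):
    """Walk the load commands of a thin Mach-O and return (dataoff, datasize)
    of LC_CODE_SIGNATURE, or None if the binary is unsigned.
    Fat (universal) binaries must be split into a single slice first."""
    magic = struct.unpack_from("<I", macho, 0)[0]
    if magic == MH_MAGIC_64:
        off = 32            # mach_header_64 is 32 bytes
    elif magic == MH_MAGIC:
        off = 28            # mach_header is 28 bytes
    else:
        raise ValueError("not a thin little-endian Mach-O image")
    ncmds = struct.unpack_from("<I", macho, 16)[0]   # ncmds sits at offset 16 in both headers
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", macho, off)
        if cmdsize < 8:
            raise ValueError("malformed load command")
        if cmd == LC_CODE_SIGNATURE:
            return struct.unpack_from("<II", macho, off + 8)   # dataoff, datasize
        off += cmdsize
    return None


def extract_entitlements(macho: bytes) -> dict:
    """Return the entitlements dictionary embedded in the binary's code signature
    ({} if the binary is unsigned or carries no entitlements blob)."""
    loc = find_code_signature(macho)
    if loc is None:
        return {}
    dataoff, datasize = loc
    sig = macho[dataoff:dataoff + datasize]
    magic, _length, count = struct.unpack_from(">III", sig, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError("LC_CODE_SIGNATURE does not point at a signature SuperBlob")
    for i in range(count):
        slot, blob_off = struct.unpack_from(">II", sig, 12 + 8 * i)
        if slot != CSSLOT_ENTITLEMENTS:
            continue
        blob_magic, blob_len = struct.unpack_from(">II", sig, blob_off)
        if blob_magic != CSMAGIC_EMBEDDED_ENTITLEMENTS:
            raise ValueError("entitlements slot has unexpected magic")
        return plistlib.loads(sig[blob_off + 8:blob_off + blob_len])
    return {}


def private_entitlements(entitlements: dict) -> list:
    """Keys under com.apple.private.* are the ones Apple normally reserves for its
    own binaries; any of them in a third-party app deserves a closer look."""
    return sorted(k for k in entitlements if k.startswith("com.apple.private."))


# Constructed fixture: not a real app's entitlements, and the private key is a placeholder,
# not the entitlement discussed in the article.
SAMPLE_ENTITLEMENTS = {
    "application-identifier": "TEAMID.com.example.rideshare",   # placeholder app id
    "get-task-allow": False,
    "com.apple.private.placeholder-entitlement": True,           # placeholder private key
}


def build_sample_macho(entitlements: dict) -> bytes:
    """Build a minimal arm64 Mach-O containing only LC_CODE_SIGNATURE and a SuperBlob
    with one entitlements blob. It is not executable; it exists so the parser above
    can be exercised offline."""
    plist = plistlib.dumps(entitlements, fmt=plistlib.FMT_XML)
    ent_blob = struct.pack(">II", CSMAGIC_EMBEDDED_ENTITLEMENTS, 8 + len(plist)) + plist
    index = struct.pack(">II", CSSLOT_ENTITLEMENTS, 12 + 8)   # one index entry; the blob follows it
    superblob = struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, 20 + len(ent_blob), 1) + index + ent_blob
    header_len, lc_len = 32, 16
    load_cmd = struct.pack("<IIII", LC_CODE_SIGNATURE, lc_len, header_len + lc_len, len(superblob))
    # arm64 cputype, MH_EXECUTE filetype, one load command, sizeofcmds, flags, reserved
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, lc_len, 0, 0)
    return header + load_cmd + superblob


def audit(macho: bytes) -> list:
    """The check described in the article, for one binary: list its private entitlements."""
    return private_entitlements(extract_entitlements(macho))


if __name__ == "__main__":
    sample = build_sample_macho(SAMPLE_ENTITLEMENTS)
    for key in audit(sample):
        print("private entitlement:", key)
```

On a Mac the same information comes from `codesign -d --entitlements :- /path/to/App.app`; the parser above is for running the check at scale or from a Linux host. App Store binaries are FairPlay-encrypted, but the code signature lives in the __LINKEDIT segment, which is not encrypted, so entitlements can be read from an encrypted IPA as well. Newer signatures also carry a DER-encoded copy of the entitlements (slot 7, magic 0xfade7172); this script reads only the XML blob.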
Gizmodo’s Kate Conger speculated that Apple may have granted the entitlement to Uber because it wanted to show that the Apple Watch had a functioning Uber app at its release. Apple only gave developers about four months to create apps before the Apple Watch started to ship in 2015, and Uber may have been hard-pressed to have the app ready before the launch.
At the March 2015 keynote about the watch, Kevin Lynch, Apple’s vice president of technology, showcased the Uber app, including its ability to show the driver’s location on a map.
Uber stated that the entitlement was used only in version 8.2 of the Uber app and has been dormant in newer versions, since newer Apple Watch models can render maps on their own.
Melanie Ensign, Uber spokesperson for security and privacy, told Strafach in a tweet that the entitlement is being removed from the app.
API was used to render Uber maps on iPhone & send to Apple Watch before Watch apps could handle it. It's not in use & being removed. Thx!
— Melanie Ensign (@iMeluny) October 5, 2017
Uber has faced scrutiny over its cybersecurity practices before: it was investigated by the FBI for using software that reportedly tracked drivers who worked for both Uber and its competitor Lyft.