Uber Removing Apple-Granted API That Could Have Let it Record a User’s iPhone Screen [Updated]
Oct 5, 2017 1:50 pm PDT by Juli Clover
When the Apple Watch was first released, Apple gave Uber what's known as an "entitlement" to run a special API to improve performance of the Uber app on the wrist worn device.

That entitlement made headlines today when security researchers told Gizmodo that Uber could have used it to record a user's iPhone screen even with the Uber app just running in the background.

In a statement, Uber said the entitlement was used for an old version of the Apple Watch app and was provided to Uber because the original Apple Watch couldn't render maps.
"It was used for an old version of the Apple Watch app, specifically to run the heavy lifting of rendering maps on your phone & then send the rendering to the Watch app," an Uber spokesperson told Gizmodo, saying that early Apple Watches couldn't handle this process alone. "This dependency was removed with previous improvements to Apple's OS & our app. Therefore, we're removing this API from our iOS codebase."
The entitlement is no longer necessary and Uber is planning to remove it from the iOS codebase, according to both the statement given to Gizmodo and a tweet from Uber head of security and privacy communications Melanie Ensign.

According to security researcher Will Strafach, who first brought attention to the issue, Apple does not often give out entitlements. Strafach said he could find no other apps on the App Store that have the permissions that the Uber app has.

Strafach says there is no evidence that Uber ever misused the entitlement, but it could have been utilized to monitor activity on an iPhone, recording passwords and other personal information. "Essentially it gives you full control over the framebuffer, which contains the colors of each pixel of your screen. So they can potentially draw or record the screen," another security researcher, Luca Todesco, told Gizmodo.

Uber says the app is no longer connected to anything in the company's current codebase, but users will likely be wary anyway as there have been other privacy concerns with the Uber app. There was a feature that allowed riders to be tracked for up to five minutes after a trip, and Apple CEO Tim Cook even went so far as to threaten to remove the app from the App Store after it was found to be secretly recording the UDID of iPhones to identify them even after the Uber app had been deleted.

Update: An Uber spokesperson said that an update released on Friday removed the API.

Tag: Uber

Top Rated Comments

(View all)

9 months ago
Apple is the one that gave them this capability. I am more upset with Apple than Uber. Was anyone told Uber was recording all actions on the device thanks to Apple?

Yet folks are upset with Uber??? Seems like Apple is in the wrong here...
Rating: 45 Votes
9 months ago

Put down the pitchforks. This is an Apple-granted entitlement.


Well I think the pitchforks need to stay raised -- just pointed at Apple. One of the features Apple uses to sell it's devices is privacy. So how the h* did it not catch this before it gave it out to Uber -- apparently some time ago. Uber has made it's share of sketchy moves but this one is on Apple. It really needs to explain how this won't happen again.
Rating: 28 Votes
9 months ago
Disappointed with Apple. Uber on the other hand has been long replaced with Lyft.
Rating: 25 Votes
9 months ago
Put down the pitchforks. This is an Apple-granted entitlement.
Rating: 23 Votes
9 months ago
This company is constantly involved in scandal. I don't know why Apple deals with it. They are dishonest, they have no integrity. Ban them.
Rating: 23 Votes
9 months ago
What the f*** Apple? Why are these APIs being enabled for 3rd part devs at all? And Uber of all people, scumbag company with alarming coding practices, not to mention the disgusting history of employee treatment.
Rating: 18 Votes
9 months ago
This reflects much more poorly on the ever “security conscious” Apple than it does on Uber.
Rating: 16 Votes
9 months ago
If Apple is issuing the "entitlement", why aren't they also vetting its use? It's like a security guard giving a known thief the keys to some of the rooms in the building but not checking what he's been up to.
Rating: 16 Votes
9 months ago
Huh !!!!??
Essentially, this backdoor could give any granted party access to anything any user does.
Isn't that exactly the backdoor that Tim assured it doesn't exist in the Nat. Security services discussion ?
Rating: 15 Votes
9 months ago
first fingering printing now this. Uber's track record is the shadiest.
Rating: 12 Votes

[ Read All Comments ]
Newer Article Older Article