If you are an iPhone user and use the Uber app, you may be surprised to learn that the widely popular ride-hailing app can secretly record your screen.
Security researcher Will Strafach recently revealed that Apple selectively granted Uber a powerful permission (what’s known as an “entitlement”) to use the newly introduced screen-recording API, with the stated intent of improving the performance of the Uber app on Apple Watch.
The screen-recording API allows the Uber app to record the user’s screen even when the app is closed, giving Uber access to all the personal information passing through an iPhone screen.
What’s more, the company’s access to such a permission could expose this data to attackers if they were somehow able to hijack Uber’s software.
“It looks like no other third-party developer has been able to get Apple to grant them a private sensitive entitlement of this nature,” Strafach told Gizmodo, which first reported the issue. “Considering Uber’s past privacy issues I am very curious how they convinced Apple to allow this.”
Shortly after the public disclosure, Uber said it would remove the entitlement code from its iPhone app’s codebase that lets the ride-sharing app record the screen even if running in the background.
Although it’s unclear when or for how long Uber’s iPhone app has had this permission, an Uber spokesperson said in a tweet that the entitlement was used for an old version of the Apple Watch app and was provided to Uber because the original Apple Watch could not render maps.
However, due to upgrades to Apple Watch and the Uber app, the company does not need this permission anymore.
According to Strafach, the entitlement is “com.apple.private.allow-explicit-graphics-priority” app permission that allows developers to read and write to part of the iPhone’s memory to access the device’s screen data.
Nearly every iPhone app uses entitlements to enable features like the camera or Apple Pay on iPhones and iPads. However, according to Strafach, Apple does not often grant “sensitive” entitlements to non-Apple apps.
Strafach said he could not find any other app on Apple’s official App Store that has the permission the Uber app has.
Although there is no evidence that Uber ever misused the entitlement, this special permission could have been exploited to perform a wide range of activities on an iPhone, such as recording passwords, monitoring users and harvesting other personal information, Strafach explained.
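As an added example that is not part of this article, the following Python audits an app’s embedded code-signature SuperBlob for private entitlements of the kind described above: it walks the signature index to the entitlements slot, decodes the plist, and reports any com.apple.private.* keys, which Apple reserves for itself. The SuperBlob fed to it here is constructed inline as a test fixture; on a real binary the blob is the one referenced by the Mach-O LC_CODE_SIGNATURE load command.

```python
import plistlib
import struct

# Apple code-signing constants (big-endian on disk).
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0  # SuperBlob that wraps all signature blobs
CSMAGIC_ENTITLEMENTS = 0xFADE7171        # blob holding the entitlements XML plist
CSSLOT_ENTITLEMENTS = 5                  # index slot that points at that blob


def extract_entitlements(superblob: bytes) -> dict:
    """Walk an embedded-signature SuperBlob and return its entitlements as a dict."""
    magic, _length, count = struct.unpack_from(">III", superblob, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError("not an embedded code-signature SuperBlob")
    for i in range(count):
        slot, offset = struct.unpack_from(">II", superblob, 12 + 8 * i)
        if slot != CSSLOT_ENTITLEMENTS:
            continue
        blob_magic, blob_len = struct.unpack_from(">II", superblob, offset)
        if blob_magic != CSMAGIC_ENTITLEMENTS:
            raise ValueError("entitlements slot does not hold an entitlements blob")
        # Blob payload follows the 8-byte header; blob_len covers the header too.
        return plistlib.loads(superblob[offset + 8 : offset + blob_len])
    return {}  # unsigned-for-entitlements binary: nothing to audit


def private_entitlements(entitlements: dict) -> list:
    """Return the entitlement keys Apple reserves for its own apps."""
    return sorted(k for k in entitlements if k.startswith("com.apple.private."))


def build_superblob(entitlements: dict) -> bytes:
    """Construct a minimal SuperBlob with one entitlements slot (test fixture only)."""
    xml = plistlib.dumps(entitlements)
    blob = struct.pack(">II", CSMAGIC_ENTITLEMENTS, 8 + len(xml)) + xml
    header_len = 12 + 8  # SuperBlob header plus one index entry
    index = struct.pack(">II", CSSLOT_ENTITLEMENTS, header_len)
    header = struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, header_len + len(blob), 1)
    return header + index + blob


# Constructed sample: an ordinary app entitlement next to the private one from the article.
SAMPLE_SUPERBLOB = build_superblob({
    "application-identifier": "TEAMID.com.example.app",
    "get-task-allow": False,
    "com.apple.private.allow-explicit-graphics-priority": True,
})

if __name__ == "__main__":
    for key in private_entitlements(extract_entitlements(SAMPLE_SUPERBLOB)):
        print("private entitlement found:", key)
```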
Apple has not yet responded.
This is not the first privacy concern surrounding Uber. Late last year, the ride-hailing company was found tracking its users’ locations even after their rides ended.
Uber was also embroiled in controversy in the middle of last year for monitoring the battery life of its users’ phones, as the company believed that users were more likely to pay a much higher price to hire a cab when their phone’s battery was close to dying.