To improve functionality between Uber’s app and the Apple Watch, Apple allowed Uber to use a powerful tool that could record a user’s iPhone screen, even if Uber’s app was only running in the background, security researchers told Gizmodo. After the researchers discovered the tool, Uber said it is no longer in use and will be removed from the app.
The screen recording capability comes from what’s called an “entitlement”—a permission declared in an app’s code signature that developers can use for anything from setting up push notifications to interacting with Apple systems like iCloud or Apple Pay. This particular entitlement, however, was intended to improve memory management for the Apple Watch. The entitlement isn’t common and would require Apple’s explicit permission to use, the researchers explained. Will Strafach, a security researcher and CEO of Sudo Security Group, said he couldn’t find any other apps with the entitlement live on the App Store.
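Researchers found the entitlement by inspecting what Uber’s app binary was signed with, and the same check works as a routine audit on your own builds: dump the entitlements plist from a signed app and flag any key that is not on the expected list, especially anything in Apple’s private namespace. The script below is an added example and is not Uber’s, Apple’s or the researchers’ code. On macOS the real plist can be obtained with `codesign -d --entitlements :- /path/to/App.app`; here a constructed sample plist is embedded so the script runs offline, and the private entitlement key in it is an obvious placeholder, not the entitlement the article describes (the article does not name it). The `com.apple.private.` prefix used to classify private entitlements is Apple’s naming convention; the expected-entitlement baseline is an assumption for the example.

```python
"""Audit the entitlements in an iOS/macOS app's code signature.

Added example, not code from the article or from Uber. Reads an
entitlements plist (as dumped by `codesign -d --entitlements :- App.app`)
and reports private or unexpected entitlements for review.
"""
import plistlib

# Constructed sample plist: three ordinary entitlements and one private one.
# The private key is a placeholder name, not a real Apple entitlement.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>TEAMID.com.example.rideshare</string>
    <key>aps-environment</key>
    <string>production</string>
    <key>com.apple.developer.associated-domains</key>
    <array><string>applinks:example.com</string></array>
    <key>com.apple.private.example-placeholder-entitlement</key>
    <true/>
</dict>
</plist>
"""

# Assumed baseline: the entitlements this app is expected to ship with.
# In practice this list is maintained per app and reviewed on change.
EXPECTED_ENTITLEMENTS = {
    "application-identifier",
    "aps-environment",
    "com.apple.developer.associated-domains",
}

# Apple's private entitlements live under this prefix; any hit here
# should have an explicit, documented justification.
PRIVATE_PREFIX = "com.apple.private."


def parse_entitlements(plist_bytes: bytes) -> dict:
    """Parse an entitlements plist (XML or binary) into a dict."""
    data = plistlib.loads(plist_bytes)
    if not isinstance(data, dict):
        raise ValueError("entitlements plist root must be a dict")
    return data


def audit_entitlements(plist_bytes: bytes, expected: set) -> dict:
    """Return the full key list plus the private and unexpected subsets."""
    entitlements = parse_entitlements(plist_bytes)
    keys = set(entitlements)
    private = sorted(k for k in keys if k.startswith(PRIVATE_PREFIX))
    unexpected = sorted(keys - expected)
    return {
        "all": sorted(keys),
        "private": private,
        "unexpected": unexpected,
        # True when the build carries nothing beyond the baseline.
        "clean": not unexpected,
    }


if __name__ == "__main__":
    report = audit_entitlements(SAMPLE_ENTITLEMENTS, EXPECTED_ENTITLEMENTS)
    for key in report["all"]:
        flags = []
        if key in report["private"]:
            flags.append("PRIVATE")
        if key in report["unexpected"]:
            flags.append("UNEXPECTED")
        print(f"{key:55s} {' '.join(flags)}")
    print("clean build" if report["clean"] else "review required")
```

Running the audit in CI against every signed build catches an entitlement that was granted for one release and quietly left in place, which is the situation the article describes: the grant was tied to an old Watch app version, but the entitlement remained in the shipped binary long after the feature that needed it was gone.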
“It looks like no other third-party developer has been able to get Apple to grant them a private sensitive entitlement of this nature,” Strafach said. “Considering Uber’s past privacy issues I am very curious how they convinced Apple to allow this.”
Although the entitlement isn’t intended for this, the worry is that Uber—or a hacker who managed to break into Uber’s network—could silently monitor activity on an iPhone user’s screen, harvesting passwords and other personal information. “Essentially it gives you full control over the framebuffer, which contains the colors of each pixel of your screen. So they can potentially draw or record the screen,” explained Luca Todesco, a researcher and iPhone jailbreaker. “It can potentially steal passwords etc.”
If a user happened to have Lyft installed on their phone too, the entitlement could theoretically be used to monitor how the individual used a competitor’s app—a wild theory, maybe, but not entirely outlandish given Uber’s use of software nicknamed “Hell” to track drivers who worked for both Uber and Lyft. Alternatively, it’s possible that Apple sandboxed the entitlement to prevent it from accessing data outside Uber’s app.
Uber says the entitlement was used for something far less nefarious than tracking drivers or surveilling users: improving performance in its Apple Watch app. Strafach noted that he looked for indications that the entitlement had been used maliciously and found none.
“It was used for an old version of the Apple Watch app, specifically to run the heavy lifting of rendering maps on your phone & then send the rendering to the Watch app,” an Uber spokesperson told Gizmodo, saying that early Apple Watches couldn’t handle this process alone and the tool was never used for anything other than rendering maps. “This dependency was removed with previous improvements to Apple’s OS & our app. Therefore, we’re removing this API from our iOS codebase.”
The entitlement first appeared in Uber’s app around the time of the original Watch launch in 2015, according to Strafach. Apple only gave developers about four months before the official release of the Watch to slim down their apps and make them work on the new device, so it’s conceivable that Apple granted the entitlement to Uber in order to meet that tight launch deadline.
“Apple gave us this permission years ago because Apple Watch couldn’t handle our maps rendering. It’s not connected to anything in our current codebase,” Uber’s spokesperson explained. Gizmodo asked Apple about why the entitlement was granted and will update if we hear back.
What we do know, though, is that Uber prepared its Watch app within the four-month window and was featured prominently during Apple’s March 2015 keynote about the Watch. Kevin Lynch, Apple’s VP of technology, demoed Uber’s Watch app onstage, showing how a rider could request a car and track its progress on a map, just as the app would work on the iPhone.
Although consumers might be skeptical of Uber’s privacy provisions, the company has a history of collaborating with Apple on privacy. After being wrist-slapped by Tim Cook over its device fingerprinting practices, Uber worked with Apple on the development of DeviceCheck, a fingerprinting tool used to fight fraud.
Update 10/6 at 9:45 a.m.: Uber’s spokesperson noted that the entitlement was active only in the 8.2 version of its app. A subsequent update from Apple fixed the memory issue for the Watch, and Uber says the entitlement has been dormant since then.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held cyber security researcher positions at a variety of cyber security start-ups. She also has experience in different industry domains, including finance, healthcare and consumer products.