A hidden feature in the Uber app could allow the ride-sharing service to record the screen of iPhone users if it wanted to, according to a recent discovery by security researchers.
Mobile app security analyzer Will Strafach detected a special, undocumented permission or “entitlement” granted by Apple that gives the Uber app the ability to spy on your iPhone without you knowing it. The special Apple permission uses features found in iOS 11.
Strafach took to Twitter and shared his findings:
I wonder why Uber (appears to?) have this entitlement. new option in dev portal somewhere? https://t.co/VbknpQTlxV — Will Strafach (@chronic) October 3, 2017
According to ZDNet, the hidden feature will allow Uber to “tap into features” of an iPhone or iPad that usually require special permission by Apple to use, and Uber seems to be the only third-party app with such permissions.
The specific Apple permission that allows the Uber app to gain access to your iPhone is known as “com.apple.private.allow-explicit-graphics-priority,” according to Apple expert Luca Todesco. The entitlement could allow Uber or any other app developer to read or write information to the part of the iPhone that contains pixel and display data. The “writing” part is normal because it is the function that renders graphical information that the user can see, but the “reading” function is the scary part. According to Todesco, “reading allows you to look at the device’s screen.”
“Essentially it gives you full control over the framebuffer, which contains the colors of each pixel of your screen,” Todesco told Gizmodo.
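An entitlement like the one named above is declared in a property list embedded in the app's code signature, so it can be audited offline. The following is an added example, not code from the researchers, Uber or Apple: it parses an entitlements blob and lists the keys in the private Apple namespace. The function names, the sample plist and the rule of treating every key under com.apple.private. as Apple-reserved (generalized from the one entitlement named on this page) are assumptions.

```python
import plistlib
import struct

# Magic of the embedded-entitlements blob in a code signature.
ENTITLEMENTS_MAGIC = 0xFADE7171
# Assumption: keys in this namespace are reserved for Apple's own software.
PRIVATE_PREFIX = "com.apple.private."


def load_entitlements(blob: bytes) -> dict:
    """Parse an entitlements plist, with or without the 8-byte blob header."""
    if len(blob) >= 8:
        magic, length = struct.unpack(">II", blob[:8])
        if magic == ENTITLEMENTS_MAGIC:
            # The length field counts the header itself; reject bad values.
            if length < 8 or length > len(blob):
                raise ValueError("entitlements blob length is inconsistent")
            blob = blob[8:length]
    data = plistlib.loads(blob)
    if not isinstance(data, dict):
        raise ValueError("entitlements plist is not a dictionary")
    return data


def private_entitlements(entitlements: dict) -> dict:
    """Return only the entitlements in the private Apple namespace."""
    return {key: value for key, value in sorted(entitlements.items())
            if key.startswith(PRIVATE_PREFIX)}


# Constructed sample for illustration; not a dump of any real app.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>TEAMID0000.com.example.rides</string>
    <key>aps-environment</key>
    <string>production</string>
    <key>com.apple.private.allow-explicit-graphics-priority</key>
    <true/>
</dict>
</plist>
"""
# The same plist wrapped in the header some extraction tools leave in place.
SAMPLE_BLOB = struct.pack(">II", ENTITLEMENTS_MAGIC,
                          8 + len(SAMPLE_PLIST)) + SAMPLE_PLIST

if __name__ == "__main__":
    found = private_entitlements(load_entitlements(SAMPLE_BLOB))
    for key, value in found.items():
        print(f"review: {key} = {value!r}")
```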
This type of feature or special permission Uber seems to have with Apple could worry many iPhone users, but according to Uber, users have nothing to worry about.
According to tech news site The Next Web, Uber released a statement regarding the recent Apple permission discovery:
“This API isn’t connected to anything in our current codebase, meaning it’s non-functional & there’s no existing feature using it. It was only ever used to render maps for an early version of our Apple Watch app, but has been dormant for quite some time,” an Uber spokesperson said to The Next Web. “We are working with Apple to remove it completely ASAP.”
In a series of tweets, Luca Todesco alludes to the idea that only big-name companies have the ability to get access to these special permissions granted by Apple.
I know various parties interested in having a few entitlements in their apps. But of course, "security!!!". When Uber needs em it's all good. — qwertyoruiop (@qwertyoruiopz) October 3, 2017
And of all the entitlements Uber could ask they go for shit that can be used to track users when app is backgrounded. And Apple is OK w/ it. — qwertyoruiop (@qwertyoruiopz) October 3, 2017
Although it seems that Uber has cleared up all the confusion about the discovered Apple permission granted to their app, it still leaves us wondering what other app developers have these special entitlements that allow them to see our iPhone screens.