Apple gave Uber access to a powerful tool that allows the ride-hailing giant to record everything on your iPhone’s screen even if the Uber app is only running in the background, security researchers discovered.
The potentially invasive recording capability was allegedly set up because early versions of the Apple Watch weren’t able to handle map rendering on the Uber app. Apple granted Uber access to a rare private “entitlement,” a piece of code that gives developers the ability to add specific capabilities to their iOS app, such as setting up push notifications or using Apple Pay.
Uber’s track record has people concerned that the company, or anyone with access to its network, has been secretly recording iPhones. As Gizmodo points out, the permission theoretically gives Uber the ability to snatch passwords, usernames, credit card numbers, or any other personal information someone puts into their iOS device. It’s unclear why Apple gave Uber special permission, but it’s worth pointing out that the ride-hailing company was prominently featured in Apple’s 2015 Apple Watch keynote.
That same year, Apple CEO Tim Cook had a stern talk with then-Uber CEO Travis Kalanick after he discovered Uber was tracking iPhones even after its app was deleted. At the meeting, Cook threatened to remove Uber from the iOS App Store. And just last month, the FBI started investigating Uber for the “Hell” program it used to track Lyft drivers.
“Granting such a sensitive entitlement to a third-party is unprecedented as far as I can tell, no other app developers have been able to convince Apple to grant them entitlements they’ve needed to let their apps utilize certain privileged system functionality,” Will Strafach, a security researcher who discovered the situation, told Business Insider.
Strafach said after sifting through “tens of thousands” of apps, he couldn’t find another that contained the entitlement called “com.apple.private.allow-explicit-graphics-priority.”
Uber confirmed the tool’s existence but told Gizmodo it was only active for version 8.2 of its app. Uber claims it’s now working with Apple to remove the API because newer versions of the Watch don’t need it.
H/T Business Insider