An undocumented feature in the Uber app could allow the ride-hailing company to record the screen of iPhone users, security researchers have discovered.
Mobile security expert Will Strafach uncovered a special permission granted by Apple that allowed Uber to record the screens of users, even when they weren't using the app.
Strafach posted the capability—known as an "entitlement"—to Twitter, describing the presence of the screen-recording code as "very unusual."
I wonder why Uber (appears to?) have this entitlement. new option in dev portal somewhere? https://t.co/VbknpQTlxV
— Will Strafach (@chronic) October 3, 2017
The tool could be used by Uber or a malicious hacker with access to the company's network to spy on the iPhone user, according to researchers.
"Essentially it gives you full control over the framebuffer, which contains the colors of each pixel of your screen," security researcher Luca Todesco told tech news website Gizmodo. "So they can potentially draw or record the screen. It can potentially steal passwords etc."
The entitlement was granted to Uber in 2015 in order to improve the functionality of the app with the Apple Watch, according to Strafach, who is the chief executive of Sudo Security Group.
"It looks like no other third-party developer has been able to get Apple to grant them a private sensitive entitlement of this nature," Strafach said. "Considering Uber's past privacy issues I am very curious how they convinced Apple to allow this."
Uber says the tool is no longer in use and will be removed from the app in a subsequent update.
"We are working with Apple to remove it completely as soon as possible," said a spokesperson for Uber.
It is the latest controversy to blight Uber, coming as the company's new CEO Dara Khosrowshahi visits London in an attempt to overturn an upcoming city-wide ban on the app.
The decision not to renew Uber's license was made by Transport for London (TfL), which ruled that the firm is not a "fit and proper" company to hold a license.
The ban could have "profound negative consequences" for Uber, according to Khosrowshahi, and his mission to overturn the ruling will not be helped by revelations of this tool.
"Going forward, it's critical that we act with integrity in everything we do, and learn how to be a better partner to every city we operate in," Khosrowshahi wrote in an email to Uber employees when the London ban was first announced.
"That doesn't mean abandoning our principles—we will vigorously appeal TfL's decision—but rather building trust through our actions and our behaviour."
Uber currently operates in more than 600 cities around the world and is valued at around $69 billion.
Uncommon Knowledge
Newsweek is committed to challenging conventional wisdom and finding connections in the search for common ground.
Newsweek is committed to challenging conventional wisdom and finding connections in the search for common ground.
About the writer
Anthony Cuthbertson is a staff writer at Newsweek, based in London.
Anthony's awards include Digital Writer of the Year (Online ... Read more
To read how Newsweek uses AI as a newsroom tool, Click here.
