ANALYSIS: Undisclosed entitlement allowed Uber to access an iOS device’s frame buffer, which in turn could let the company see your screen
Uber’s seemingly endless quest to know (and potentially control) everything it could about the users of the company’s app turns out to have had some help from Apple.
In an unprecedented move, Apple appears to have granted the ride-hailing company’s app the ability to read iOS devices’ frame buffer directly, which includes the ability to see whatever is showing on the device’s screen. The finding was disclosed on Twitter by security researcher Will Strafach.
According to Strafach, the Uber app is the only instance he has found, in searches of thousands of apps, of a third-party app carrying this capability. Despite its security and privacy implications, the capability was disclosed by neither Uber nor Apple. It is hardly the first time, however, that Uber has been found to violate its customers’ privacy and/or push the boundaries of legality in the way its app works.
Uber screen tracking
Uber, for example, had been prevented from tracking its customers when they are not using the app only because iOS 11 requires every app that asks for location access to offer a “While Using the App” option, which is supposed to be the default setting.
However, even with that, I’ve noticed that the Uber app sometimes seems to quietly get switched to always allowing such location services once I’ve invoked the Uber app, until I specifically go and switch it back off.
But it’s not just me. Uber also went to the extent of tracking the location of law enforcement and regulatory officials, and then serving them a fake version of the app that ensured they couldn’t hail a ride with an Uber driver.
Uber also reportedly found a way to track drivers working for its competitor Lyft. This limit-pushing, along with other reports of bad behavior, may have come home to roost: the city of London has announced that Uber’s license to operate will not be renewed because of such activities.
In this case the access to the frame buffer was granted because the Apple Watch could not render the maps the Uber app needs when displaying the location of an Uber ride. Because the Watch couldn’t do the rendering on its own, the Uber app would render the map on the iOS device, capture the result and send the already rendered image to the Watch.
For this to happen, Apple had to give the app permission for such an action, which Apple calls an “entitlement.” An entitlement is a key embedded in an app’s code signature that grants it a specific capability; this one let the app invoke a function that is normally restricted to Apple’s own software. Such private entitlements are not available to third-party developers, and when Apple finds that a developer has used one, it normally rejects the app or removes it from the App Store.
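Because entitlements live inside the binary’s embedded code signature, anyone with a copy of an app can audit which ones it carries. The script below, added here as an example and not code from the article or from Uber, parses an embedded-signature SuperBlob (the structure constants are taken from Apple’s open-source cs_blobs.h), pulls out the entitlements plist, and flags any key under the `com.apple.private.` namespace. The sample signature it parses is constructed inline, and the private key it contains is a hypothetical placeholder, not the entitlement the article describes.

```python
"""Extract and audit the entitlements embedded in a Mach-O code signature.

Apple stores an app's entitlements as an XML plist inside the code-signature
"SuperBlob" that codesign embeds in the binary. Layout and magic numbers follow
Apple's open-source cs_blobs.h; all integers are big-endian.
"""
import plistlib
import struct

CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0     # SuperBlob wrapping every signature blob
CSMAGIC_EMBEDDED_ENTITLEMENTS = 0xFADE7171  # entitlements blob (XML plist payload)
CSMAGIC_CODEDIRECTORY = 0xFADE0C02          # CodeDirectory blob (hashes of the code pages)
CSSLOT_CODEDIRECTORY = 0
CSSLOT_ENTITLEMENTS = 5

PRIVATE_PREFIX = "com.apple.private."        # namespace reserved for Apple's own apps


def _blob(magic, payload):
    # Generic blob: magic, total length (8-byte header + payload), payload.
    return struct.pack(">II", magic, 8 + len(payload)) + payload


def build_superblob(blobs):
    """Assemble a SuperBlob from {slot: blob_bytes}; used only to construct sample input."""
    count = len(blobs)
    header_len = 12 + 8 * count          # magic, length, count, then (type, offset) index
    index, body, offset = b"", b"", header_len
    for slot, blob in sorted(blobs.items()):
        index += struct.pack(">II", slot, offset)
        body += blob
        offset += len(blob)
    header = struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, header_len + len(body), count)
    return header + index + body


def extract_entitlements(superblob):
    """Return the entitlements dict from an embedded-signature SuperBlob, or {} if it has none."""
    magic, length, count = struct.unpack_from(">III", superblob, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError("not an embedded-signature SuperBlob")
    if length > len(superblob):
        raise ValueError("SuperBlob length exceeds buffer")
    for i in range(count):
        slot, offset = struct.unpack_from(">II", superblob, 12 + 8 * i)
        if slot != CSSLOT_ENTITLEMENTS:
            continue
        bmagic, blen = struct.unpack_from(">II", superblob, offset)
        if bmagic != CSMAGIC_EMBEDDED_ENTITLEMENTS or offset + blen > length:
            raise ValueError("malformed entitlements blob")
        return plistlib.loads(superblob[offset + 8:offset + blen])
    return {}


def private_entitlements(entitlements):
    """Keys an App Store app should never carry: anything in Apple's private namespace."""
    return sorted(k for k in entitlements if k.startswith(PRIVATE_PREFIX))


# Constructed sample. Public keys like these are routine; the com.apple.private.*
# key is a hypothetical placeholder for this example, not Uber's actual entitlement.
SAMPLE_ENTITLEMENTS = {
    "application-identifier": "TEAMID12345.com.example.rides",
    "get-task-allow": False,
    "com.apple.developer.associated-domains": ["applinks:example.com"],
    "com.apple.private.example-graphics-capability": True,
}

SAMPLE_SUPERBLOB = build_superblob({
    CSSLOT_CODEDIRECTORY: _blob(CSMAGIC_CODEDIRECTORY, b"\x00" * 16),  # stand-in CodeDirectory
    CSSLOT_ENTITLEMENTS: _blob(CSMAGIC_EMBEDDED_ENTITLEMENTS,
                               plistlib.dumps(SAMPLE_ENTITLEMENTS)),
})


def audit(superblob=SAMPLE_SUPERBLOB):
    """Parse a signature blob and report every entitlement plus the private ones."""
    ents = extract_entitlements(superblob)
    return {"entitlements": ents, "private": private_entitlements(ents)}


if __name__ == "__main__":
    result = audit()
    for key, value in sorted(result["entitlements"].items()):
        print(f"{key} = {value!r}")
    for key in result["private"]:
        print(f"PRIVATE entitlement present: {key}")
```

To run this against a real app, locate the signature blob through the binary’s LC_CODE_SIGNATURE load command and pass those bytes to `extract_entitlements`; on a Mac, `codesign -d --entitlements :- /path/to/App.app` prints the same plist without any parsing. Either way, a key under `com.apple.private.` in a third-party app is the thing to look for.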
Originally published on eWeek