To improve functionality between Uber's app and the Apple Watch, Apple allowed Uber to use a powerful tool that could record a user's iPhone screen, even if Uber's app was only running in the background, security researchers told Gizmodo. After the researchers discovered the tool, Uber said it is no longer in use and will be removed from the app.
The screen recording capability comes from what's called an "entitlement" -- a bit of code that app developers can use for anything from setting up push notifications to interacting with Apple systems such as iCloud or Apple Pay. This particular entitlement, however, was intended to improve memory management for the Apple Watch. The entitlement isn't common and would require Apple's explicit permission to use, the researchers explained. Will Strafach, a security researcher and CEO of Sudo Security Group, said he couldn't find any other apps with the entitlement live on the App Store.
"It looks like no other third-party developer has been able to get Apple to grant them a private sensitive entitlement of this nature," Strafach said. "Considering Uber's past privacy issues I am very curious how they convinced Apple to allow this."
Although the entitlement isn't intended for this, the worry is that Uber -- or a hacker who managed to break into Uber's network -- could silently monitor activity on an iPhone user's screen, harvesting passwords and other personal information. "Essentially it gives you full control over the framebuffer, which contains the colours of each pixel of your screen. So they can potentially draw or record the screen," explained Luca Todesco, a researcher and iPhone jailbreaker. "It can potentially steal passwords etc."
If a user happened to have Lyft installed on their phone too, the entitlement could theoretically be used to monitor how the individual used a competitor's app -- a wild theory, maybe, but not entirely outlandish given Uber's use of software nicknamed "Hell" to track drivers who worked for both Uber and Lyft. Alternatively, it's possible that Apple sandboxed the entitlement to prevent it from accessing data outside Uber's app.
Uber says the entitlement was used for something far less nefarious than tracking drivers or surveilling users: Improving performance in its Apple Watch app. Strafach noted that he looked for indications that the entitlement had been used maliciously and found none.
"It was used for an old version of the Apple Watch app, specifically to run the heavy lifting of rendering maps on your phone & then send the rendering to the Watch app," an Uber spokesperson told Gizmodo, saying that early Apple Watches couldn't handle this process alone. "This dependency was removed with previous improvements to Apple's OS & our app. Therefore, we're removing this API from our iOS codebase."
The entitlement first appeared in Uber's app around the time of the original Watch launch in 2015, according to Strafach. Apple only gave developers about four months before the official release of the Watch to slim down their apps and make them work on the new device, so it's conceivable that Apple granted the entitlement to Uber in order to meet that tight launch deadline.
"Apple gave us this permission years ago because Apple Watch couldn't handle our maps rendering. It's not connected to anything in our current codebase," Uber's spokesperson explained. Gizmodo asked Apple why the entitlement was granted but had not heard back at time of writing.
What we do know, though, is that Uber prepared its Watch app within the four-month window and was featured prominently during Apple's March 2015 keynote about the Watch. Kevin Lynch, Apple's VP of technology, demoed Uber's Watch app onstage, showing how a rider could request a car and track its progress on a map, just as the app would work on the iPhone.
Although consumers might be sceptical of Uber's privacy provisions, the company has a history of collaborating with Apple on privacy. After being wrist-slapped by Tim Cook over its device fingerprinting practices, Uber worked with Apple on the development of DeviceCheck, a fingerprinting tool used to fight fraud.