Apple authorised API allowing Uber to record users’ iPhone screens
Apple often takes a strict approach to security, but an apparent slip-up authorised an API which allowed Uber to record users’ iPhone screens.
Security researcher Will Strafach made the claim, saying the powerful ability would allow Uber to record the screen even when the app is running in the background.
The ability comes from what Apple calls ‘entitlements’, which allow app developers to do things requiring special privileges, such as interacting with iCloud or Apple Pay. The screen recording entitlement was designed to improve memory management on the Apple Watch.
Strafach highlighted that the entitlement is not common and would have required explicit permission from Apple to use. In fact, he was unable to find another app live on the App Store with the capability.
“It looks like no other third-party developer has been able to get Apple to grant them a private sensitive entitlement of this nature,” Strafach said to Gizmodo. “Considering Uber’s past privacy issues I am very curious how they convinced Apple to allow this.”
On several occasions, Uber has been accused of questionable practices. For example, earlier this year it was accused of using a 'Hell' software program for industrial espionage against Lyft. The company also recently had its license to operate in London revoked over concerns about its conduct, including the failure to report drivers accused of sexual assault to police.
Uber claims Apple authorised use of the API when the Apple Watch debuted, so that it could meet deadlines for getting its app working on the device.
"Apple gave us this permission years ago because Apple Watch couldn't handle our maps rendering. It's not connected to anything in our current codebase," an Uber spokesperson said.
Following the researcher’s discovery, Uber says that, as the permission is no longer in use, it will be removed from the app.
Are you surprised Apple provided Uber with this functionality? Let us know in the comments.