
Security researchers point out Apple-granted API that could have allowed Uber to monitor iPhone users’ activities

Last week, a controversial background API entitlement granted by Apple to Uber, intended to improve the performance of the Uber app on the Apple Watch, made headlines when security researchers stated that Uber could have used it to record a user's iPhone screen even while the Uber app was only running in the background.

In a statement, Uber said the entitlement was used for an old version of the Apple Watch app and was provided to Uber because the original Apple Watch couldn’t render maps.

The company offered the following statement regarding the situation:


“It was used for an old version of the Apple Watch app, specifically to run the heavy lifting of rendering maps on your phone & then send the rendering to the Watch app. This dependency was removed with previous improvements to Apple’s OS & our app. Therefore, we’re removing this API from our iOS codebase.”

The entitlement is no longer necessary and Uber is planning to remove it from the iOS codebase, according to a released statement and a tweet from Uber head of security and privacy communications Melanie Ensign.

Per security researcher Will Strafach, who first highlighted the issue, Apple had granted Uber a special permission known as an "entitlement", a privilege normally reserved for Apple's own software. Strafach said he could find no other apps on the App Store that have the permissions the Uber app has.

Strafach also said that there was no evidence that Uber had ever misused the API, but added that the company could have used it to monitor activity on an iPhone as well as record passwords or other personal information.

“Essentially it gives you full control over the framebuffer, which contains the colors of each pixel of your screen. So they can potentially draw or record the screen,” another security researcher, Luca Todesco, stated.

Uber has said that the entitlement is no longer connected to anything in the company's current codebase, but users will likely be wary anyway, as there have been other privacy concerns with the Uber app. There was a feature that allowed riders to be tracked for up to five minutes after a trip, and Apple CEO Tim Cook even went so far as to threaten to remove the app from the App Store after it was found to be secretly recording the UDID of iPhones in order to identify them even after the Uber app had been deleted.

Finally, an Uber spokesperson has said that an update released on Friday removed the API.

Stay tuned for additional details as they become available.

Via MacRumors and Gizmodo