Showing little regard for users' privacy and security, Apple's iOS platform allowed Uber's app to record the screens of iPhones on which it was installed, even while the user was not interacting with the app. According to security researchers, Uber's iOS application held a permission that let it record the user's screen and anything displayed on it, including passwords, messages or any other sensitive information. The researchers did, however, suggest that the capability was there to make the Uber app work more efficiently and smoothly with Apple Watch, not to spy on users.
The mechanism Apple allowed Uber to use is called an entitlement. An entitlement is not a snippet of code but a signed key-value flag embedded in the app's code signature when Apple signs the app; iOS checks these flags to decide which capabilities an app may use, such as sending push notifications, enabling in-app payments or interacting with Apple's iCloud. The entitlement granted to Uber went much further than those: it allowed the app to capture the entire screen, even while running in the background. Researchers said they found no other third-party app that held this kind of “private sensitive entitlement”.
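The practical check behind this finding is an audit of an app's entitlements. The script below is an added example, not code from the original article or from the researchers it cites: it parses an entitlements plist of the kind `codesign -d --entitlements :- App.app` prints on macOS and flags keys that fall under Apple's reserved `com.apple.private.` prefix, which third-party App Store apps normally cannot hold. The sample plist is constructed for this example; the public keys in it (`aps-environment`, `com.apple.developer.in-app-payments`, `com.apple.developer.icloud-container-identifiers`, `get-task-allow`) are real Apple entitlement names, while `com.apple.private.example-capability` is a placeholder and is not the entitlement the article refers to. As a second check it also reports `get-task-allow`, which goes slightly beyond the article: a shipping build with that flag set can have a debugger attached by another process.

```python
import plistlib
from typing import Dict, List

# Constructed sample entitlements plist. Public keys are real Apple entitlement names;
# "com.apple.private.example-capability" is a placeholder made up for this example.
SAMPLE_ENTITLEMENTS_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>TEAMID123.com.example.rideshare</string>
    <key>aps-environment</key>
    <string>production</string>
    <key>com.apple.developer.in-app-payments</key>
    <array><string>merchant.com.example.rideshare</string></array>
    <key>com.apple.developer.icloud-container-identifiers</key>
    <array><string>iCloud.com.example.rideshare</string></array>
    <key>com.apple.private.example-capability</key>
    <true/>
    <key>get-task-allow</key>
    <false/>
</dict>
</plist>
"""

# Prefixes Apple reserves for its own binaries or grants case by case. A third-party
# app holding a key under one of these deserves a closer look.
RESERVED_PREFIXES = ("com.apple.private.",)


def parse_entitlements(plist_bytes: bytes) -> Dict[str, object]:
    """Parse an entitlements plist (XML or binary) into a dict of key -> value."""
    data = plistlib.loads(plist_bytes)
    if not isinstance(data, dict):
        raise ValueError("entitlements plist root must be a dict")
    return data


def find_reserved_entitlements(entitlements: Dict[str, object]) -> List[str]:
    """Return, sorted, every entitlement key that starts with a reserved prefix."""
    return sorted(k for k in entitlements if k.startswith(RESERVED_PREFIXES))


def is_debuggable(entitlements: Dict[str, object]) -> bool:
    """True if get-task-allow is set, i.e. another process may attach to and inspect the app."""
    return bool(entitlements.get("get-task-allow", False))


def audit(plist_bytes: bytes) -> Dict[str, object]:
    """Run the checks and return a small report dict."""
    ents = parse_entitlements(plist_bytes)
    return {
        "total": len(ents),
        "reserved": find_reserved_entitlements(ents),
        "debuggable": is_debuggable(ents),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_ENTITLEMENTS_XML)
    print(f"{report['total']} entitlements found")
    for key in report["reserved"]:
        print(f"RESERVED ENTITLEMENT: {key}")
    if report["debuggable"]:
        print("WARNING: get-task-allow is set on this build")
```

To audit a real app, dump its entitlements on macOS with `codesign -d --entitlements :- Payload/App.app` and pass the output to `audit()`; the prefix list can be extended with any other keys you treat as sensitive.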
Although the entitlement was not intended for any malicious purpose, the researchers' worry is that an attacker who broke into Uber's network could also gain control of this capability, for example by shipping a malicious update through Uber's own build and release process. That would expose users' critical data, since a screen recording captures passwords, bank account details, private messages and much more as they are typed or displayed.
After the researchers reported the finding, Uber said the entitlement was no longer in use and would be removed from the app. According to an Uber spokesperson, the permission was needed for an older version of Apple Watch: the phone did the heavy lifting of rendering maps and then sent the rendered result to the Apple Watch application. Uber added that the permission was never used for anything other than rendering maps.
“This move by Uber and Apple has opened up its users to a massive privacy risk. Even if Uber doesn't have any ulterior motive and the special ‘entitlement’ is only for rendering the maps, malicious hackers, if they gain access to the internal controls in Uber, could spy on users en masse,” said Ankush Johar, Director of HumanFirewall.io, a human information security awareness and preparedness firm.
“Millions of users use the application on Apple's iOS and this access could be exploited gravely if in the wrong hands. If a state-sponsored hacker gains access to this feature, it could give a spying agency, whether governmental or private, complete access to the target's daily activities including precise location, complete conversations on even the most encrypted channels and all secure passwords that the target is using. It is like a dream come true for any spying agency and, to get it, all they got to do is gain access into Uber's internal controllers and get hold of the databases where this data is being stored or catch it live in action. On the other hand, all a cybercriminal has to do is to gain such access into Uber's network, and agencies all around the globe will be ready to pay big sums in the underground market for such deepened access to mass user data. It's unknown if a hacker or a group has been able to compromise Uber to such a level, but if they have, all Uber users on iOS are at extreme risk,” he added.