Special iPhone permission let Uber app see iPhone screen even when app not running

Security researcher Will Strafach found Uber’s app enjoying an unusual Apple iOS security permission not used by any other app. Called com.apple.private.allow-explicit-graphics-priority, this permission allowed Uber’s app to see what was on the user’s screen even if the Uber app was not active.

An Uber spokesperson explained the purpose of this security permission: “It was used for an old version of the Apple Watch app, specifically to run the heavy lifting of rendering maps on your phone & then send the rendering to the Watch app.” The spokesperson continued: “Apple gave us this permission years [ago] because Apple Watch couldn’t handle our maps rendering.”

Uber indicated that it used the entitlement only in version 8.2 of its app, and that a subsequent update from Apple fixed the memory issue for Apple Watch and made this workaround unnecessary.

Misrepresented its monitoring of employee access to data, steps taken to secure data

In a press release, the FTC summarized its privacy-related complaint against Uber.

For example, Uber told the public that the company “has a strict policy prohibiting all employees at every level from accessing a rider or driver’s data. The only exception to this policy is for a limited set of legitimate business purposes.” Uber claimed access was “closely monitored and audited by data security specialists on an ongoing basis.” Uber made strong claims in its privacy policy, such as “We use the most up to date technology and services” to protect customer data, and “we’re extra vigilant in protecting” customer data via “the highest security standards available.”

In contrast, the FTC found that Uber “has not always closely monitored and audited its employees’ access to Rider and Driver accounts” in that the security system “was not designed or staffed … effectively.” The FTC continued: “In approximately August 2015, Respondent ceased using the automated system it had developed in December 2014 and began to develop a new automated monitoring system. From approximately August 2015 until May 2016, Respondent did not timely follow up on automated alerts concerning the potential misuse of consumer personal information, and for approximately the first six months of this period, Respondent only monitored access to account information belonging to a set of internal high-profile users, such as Uber executives.”

The FTC also criticized Uber for letting engineers use shared access keys with full administrative privileges to all data in Uber’s Amazon Web Services database, rather than requiring that each program and each engineer use a separate key. Uber further failed to restrict access based on employees’ job functions, and failed to require multi-factor authentication to access data. Until March 2015, Uber stored sensitive personal information in AWS in clear text without encryption.

Driver names and license numbers improperly secured

In September 2014, Uber experienced a data breach resulting from an Uber engineer posting an access code which let an unauthorized third party access driver names and driver license numbers. Uber failed to notify affected drivers or the state of New York for seven months.

The New York Attorney General described the breach and Uber’s handling of the situation:

The Attorney General found that in early 2014 an Uber engineer posted an access ID for Uber’s third-party cloud storage on Github.com, a website designed to allow software engineers to collaborate. The post was accessible to the general public. On May 12, 2014, someone unaffiliated with Uber accessed the database that included Uber driver names and driver license numbers. Uber discovered the breach in September 2014 but did not provide notice to the affected drivers and Schneiderman’s office until February 26, 2015. General Business Law § 899-aa requires notice be provided to affected individuals and various government agencies including Schneiderman’s office “in the most expedient time possible and without unreasonable delay.”

As part of a settlement with the New York Attorney General’s office, Uber promised to implement multi-factor authentication for any employee who could access especially sensitive rider personal information, among other improved data security practices. Uber also paid a $20,000 penalty for failing to timely notify drivers and the State of New York.

A subsequent FTC investigation and settlement found that more than 100,000 drivers were affected. The FTC reported that in addition to 100,000+ names and driver’s license numbers, Uber also revealed 215 names and bank account numbers with routing numbers, and 84 names and Social Security numbers. Furthermore, the FTC found that Uber’s efforts to notify affected drivers were piecemeal and incomplete: the company initially notified fewer than half of the drivers affected, while others were notified some 16+ months later.
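The breach above began with a cloud storage access ID committed to a public GitHub repository. The usual control against that is a pre-commit or CI scan of outgoing text for credential-shaped strings. The following is an added example, not code from Uber or from the page's author; it assumes the credentials have the AWS access key format (a 20-character key ID beginning with `AKIA` or `ASIA`, and a 40-character secret), and the diff it scans is constructed for the example, with key values taken from Amazon's published documentation placeholders.

```python
"""Scan a diff or config file for cloud access keys before it is pushed anywhere public."""
import math
import re
from collections import Counter

# Assumed key formats (AWS-style): long-term key IDs start with AKIA, temporary ones with
# ASIA, both followed by 16 upper-case alphanumerics. Secrets are 40 base64-like characters.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_ASSIGNMENT = re.compile(
    r"(?i)(?:aws_?)?secret(?:_access)?_?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def shannon_entropy(s):
    """Bits of entropy per character; placeholder strings like 'aaaa...' score near 0."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep a short prefix so a finding can be located without re-exposing the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text, min_secret_entropy=3.5):
    """Return (line_no, kind, redacted_value) for each suspected credential in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((line_no, "access_key_id", redact(m.group(0))))
        for m in SECRET_ASSIGNMENT.finditer(line):
            secret = m.group(1)
            # Entropy gate: a 40-char string of repeated letters is a placeholder, not a key.
            if shannon_entropy(secret) >= min_secret_entropy:
                findings.append((line_no, "secret_access_key", redact(secret)))
    return findings


# Constructed sample diff: lines 3 and 4 carry real-looking credentials (Amazon's
# documentation placeholders), line 6 only mentions the format, line 7 is a dummy value.
SAMPLE_DIFF = """\
diff --git a/config/storage.py b/config/storage.py
+# TODO move to environment variables before release
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+BUCKET = "driver-records"
+# Key IDs look like AKIA followed by 16 characters
+SECRET_KEY = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
 REGION = "us-east-1"
"""

if __name__ == "__main__":
    for line_no, kind, value in scan_text(SAMPLE_DIFF):
        print(f"line {line_no}: {kind} {value}")
```

Wired into a pre-commit hook, a non-empty result blocks the commit; the redacted prefix is enough to find the offending line without copying the secret into logs. The entropy gate is what keeps documentation placeholders and the format comment from producing noise.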

Tracked driver activity on Lyft servers

News site The Information in April 2017 reported that Uber built a program it called “Hell” to track how many Lyft drivers were available, where they were located, and whether they also drove for Uber. Uber then targeted these drivers with special promotions to encourage them to use Uber only.

By all indications, Uber collected data for “Hell” by connecting to Lyft’s servers in a manner prohibited by Lyft’s Terms of Service.

The Information reported that Uber then-CEO Travis Kalanick personally praised the Hell team, saying that they demonstrated Uber’s culture in their willingness to “hustle” in order to win.

In September 2017, the Wall Street Journal reported the FBI investigating Uber’s “Hell” practices.

Bloomberg reports that Hell was overseen by Joe Sullivan, Chief Security Officer of Uber, through a team formerly known as Competitive Intelligence.

See also the “Surfcam” program whereby Uber tracked data from Grab.

“Fingerprinting” iPhones to track reinstalls

In 2015, Uber added code to its iPhone app to recognize when it had been deleted on a phone, then reinstalled.  The New York Times said this method “violated Apple’s privacy guidelines” and reported that Uber CEO Travis Kalanick was summoned to meet Apple CEO Tim Cook, who insisted that Uber cease the practice or be removed from Apple’s App Store.

Tracked users when app runs in the background

A May 2015 change in Uber’s privacy policy allows the company to access users’ locations even when the app is running in the background.  Uber described this as “get[ting] people on their way more quickly.”  But it also sharply increased the private information sent to Uber.

Details appear in a 2015 complaint from the Electronic Privacy Information Center, submitted to the FTC. Recode in June 2017 reported the FTC opening an inquiry.

“God View” let Uber staff see any passenger’s activity

An Uber employee told a visiting journalist that he had tracked her, leading her to uncover an internal company tool called “God View” that let Uber staff see the travels of any passenger including both real-time and historic location, all without the passenger’s knowledge.

Uber granted job candidates provisional access to the same customer location data provided to full-time employees.  One candidate reported having this access for an entire day, even after the interview ended.  He admitted searching for records of people he knew, including politicians’ relatives.

Uber also displayed customer data to members of the public invited to its premises. At a 2011 party celebrating Uber’s launch in Chicago, Uber let guests visually track passenger rides, without users’ permission or knowledge.

Hired a private investigator to investigate litigation adversaries

Uber hired a private investigator to interview friends and colleagues of Stephen Meyer, plaintiff in class action litigation against Uber, as well as Meyer’s attorneys.  Interviewing acquaintances and professional colleagues, the PI falsely claimed to be “profiling top up-and-coming” leaders and conducting “real estate market research.”  When plaintiff’s counsel learned about these inquiries and asked Uber’s counsel whether Uber had hired a PI, Uber attorneys claimed “Whoever is behind these calls, it is not us.”  But as evidence mounted, Uber eventually admitted to having initiated the investigation.

In criticizing Uber’s decision to “hire unlicensed private investigators to conduct secret personal investigation of both the plaintiff and his counsel” as well as the “blatant misrepresentations” and “false pretenses” of the investigation, federal judge Jed Rakoff found “sufficient basis to suspect that Ergo had committed fraud in investigating plaintiff through the use of false pretenses” and that Uber’s instructions had furthered the fraud.  Uber paid an undisclosed sum to plaintiff and plaintiff’s attorneys to resolve this misconduct.

Rakoff’s decision indicates that Uber’s investigation of Meyer and his attorneys was initiated by Uber then-General Counsel Salle Yoo who sought assistance from Chief Security Officer Joe Sullivan.

See also the private investigator’s report. Uber staff communicated with the private investigator using Wickr, a self-deleting messaging app, though some messages were recovered during subsequent litigation.

Analyzed customers’ “Rides of Glory”

Uber staff analyzed passengers’ rides to and from unfamiliar overnight locations to chronicle and tabulate one-night stands. Uber explained the methodology: “A RoGer [Ride of Glory user] is anyone who took a ride between 10pm and 4am on a Friday or Saturday night, and then took a second ride from within 1/10th of a mile of the previous night’s drop-off point 4-6 hours later (enough for a quick night’s sleep).”

Uber counted the number of such users in various cities, then assessed the most common such neighborhoods and which weekends had the most RoGs. Uber published the analysis, including highlighted neighborhood maps, on a corporate blog.
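The quoted methodology is a complete heuristic, and writing it out shows how little raw trip data is needed to draw a sensitive inference about a named rider, which is exactly why broad employee access to ride records (criticized by the FTC above) is a privacy risk. The following is an added illustration, not Uber's code or the blog post's own analysis. It assumes the "4-6 hours later" gap is measured from the first ride's drop-off to the second ride's pickup, treats "Friday or Saturday night" as Friday 22:00 through Saturday 04:00 and Saturday 22:00 through Sunday 04:00, and runs over constructed ride records with made-up coordinates.

```python
"""Apply the published 'Ride of Glory' heuristic to a set of ride records."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass
class Ride:
    rider_id: str
    pickup_at: datetime
    dropoff_at: datetime
    pickup: tuple    # (latitude, longitude)
    dropoff: tuple   # (latitude, longitude)


def miles_between(a, b):
    """Great-circle distance in miles (haversine)."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 3958.8 * asin(sqrt(h))


def is_weekend_late_night(t):
    """10pm-4am on a Friday or Saturday night (assumed interpretation of the blog's window)."""
    if t.hour >= 22 and t.weekday() in (4, 5):   # Friday or Saturday evening
        return True
    if t.hour < 4 and t.weekday() in (5, 6):     # early Saturday or early Sunday
        return True
    return False


def rides_of_glory(rides, radius_miles=0.1,
                   min_gap=timedelta(hours=4), max_gap=timedelta(hours=6)):
    """Return (first_ride, second_ride) pairs that satisfy the published criteria."""
    by_rider = {}
    for r in rides:
        by_rider.setdefault(r.rider_id, []).append(r)
    matches = []
    for rider_rides in by_rider.values():
        rider_rides.sort(key=lambda r: r.pickup_at)
        for i, first in enumerate(rider_rides):
            if not is_weekend_late_night(first.pickup_at):
                continue
            for second in rider_rides[i + 1:]:
                gap = second.pickup_at - first.dropoff_at   # assumed: drop-off to next pickup
                if gap > max_gap:
                    break                                   # later rides are even further out
                if gap >= min_gap and miles_between(first.dropoff, second.pickup) <= radius_miles:
                    matches.append((first, second))
    return matches


def flagged_riders(rides):
    """Sorted rider IDs that the heuristic would label as RoGers."""
    return sorted({first.rider_id for first, _ in rides_of_glory(rides)})


# Constructed sample data. 2014-03-21 is a Friday. Only rider-A meets every criterion:
# rider-B's second ride is 11 hours later, rider-C rode on a Wednesday night,
# rider-D's second pickup is about 1.7 miles from the previous drop-off.
HOME = (37.7749, -122.4194)
NIGHT_SPOT = (37.7849, -122.4094)
SAMPLE_RIDES = [
    Ride("rider-A", datetime(2014, 3, 21, 23, 30), datetime(2014, 3, 21, 23, 50), HOME, NIGHT_SPOT),
    Ride("rider-A", datetime(2014, 3, 22, 4, 30), datetime(2014, 3, 22, 4, 50), (37.7855, -122.4100), HOME),
    Ride("rider-B", datetime(2014, 3, 21, 23, 30), datetime(2014, 3, 21, 23, 50), HOME, NIGHT_SPOT),
    Ride("rider-B", datetime(2014, 3, 22, 11, 0), datetime(2014, 3, 22, 11, 20), (37.7855, -122.4100), HOME),
    Ride("rider-C", datetime(2014, 3, 19, 23, 30), datetime(2014, 3, 19, 23, 50), HOME, NIGHT_SPOT),
    Ride("rider-C", datetime(2014, 3, 20, 4, 30), datetime(2014, 3, 20, 4, 50), (37.7855, -122.4100), HOME),
    Ride("rider-D", datetime(2014, 3, 22, 23, 0), datetime(2014, 3, 22, 23, 20), HOME, NIGHT_SPOT),
    Ride("rider-D", datetime(2014, 3, 23, 4, 20), datetime(2014, 3, 23, 4, 40), (37.81, -122.41), HOME),
]

if __name__ == "__main__":
    print(flagged_riders(SAMPLE_RIDES))
```

Two fields per ride (pickup time and coordinates, drop-off time and coordinates) and a rider identifier are all the heuristic consumes; any analyst with query access to the trip table could run it, which is the access-control point the FTC and the "God View" reports make.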

Who’s Driving You? preserved Uber’s since-deleted “Rides of Glory” blog post.