Taxi-rival Uber has been getting a lot of bad press lately. Not only has it angered traditional cab drivers who see their jobs threatened by substandard operators, but scandals such as using ride metadata to determine the frequency of its customers’ overnight sexual liaisons, and an Uber senior executive’s suggestion that the company dig up dirt (‘personal lives, your families’) to discredit journalists critical of the service, have seriously damaged the company’s reputation.
A security researcher has now analysed the permissions the Uber Android app asks for ‘by viewing the “AndroidManifest.xml” file inside the APK’.
A thread on Ycombinator explains what these permissions mean in more detail:
- ‘Accounts log (Email)
- App Activity (Name, PackageName, Process Number of activity, Processed id)
- App Data Usage (Cache size, code size, data size, name, package name)
- App Install (installed at, name, package name, unknown sources enabled, version code, version name)
- Battery (health, level, plugged, present, scale, status, technology, temperature, voltage)
- Device Info (board, brand, build version, cell number, device, device type, display, fingerprint, ip, mac address, manufacturer, model, os platform, product, sdk code, total disk space, unknown sources enabled)
- GPS (accuracy, altitude, latitude, longitude, provider, speed)
- MMS (from number, mms at, mms type, service number, to number)
- NetData (bytes received, bytes sent, connection type, interface type)
- PhoneCall (call duration, called at, from number, phone call type, to number)
- SMS (from number, service number, sms at, sms type, to number)
- TelephonyInfo (cell tower id, cell tower latitude, cell tower longitude, imei, iso country code, local area code, meid, mobile country code, mobile network code, network name, network type, phone type, sim serial number, sim state, subscriber id)
- WifiConnection (bssid, ip, linkspeed, macaddr, networkid, rssi, ssid)
- WifiNeighbors (bssid, capabilities, frequency, level, ssid)
- Root Check (root status code, root status reason code, root version, sig file version)
- Malware Info (algorithm confidence, app list, found malware, malware sdk version, package list, reason code, service list, sigfile version)’
In other words, the app is collecting large amounts of intimate information on its users, including call history, GPS location data, device ID, WiFi networks connected to and more, and sending it back to Uber.
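The researcher’s starting point was the permission list in the app’s AndroidManifest.xml. The following is an added example (not the researcher’s code or anything from Uber) of how a reviewer can audit that list automatically: it assumes the manifest has already been decoded from the APK’s binary XML into plain XML (apktool does this), and both the sample manifest and the mapping of permissions to the data they expose are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed mapping (not exhaustive) from dangerous permissions to the kind of
# data in the list above that they unlock.
SENSITIVE = {
    "android.permission.READ_SMS": "SMS contents and metadata",
    "android.permission.RECEIVE_SMS": "incoming SMS",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.READ_PHONE_STATE": "IMEI, phone number, SIM serial, cell info",
    "android.permission.ACCESS_FINE_LOCATION": "GPS position",
    "android.permission.ACCESS_WIFI_STATE": "connected and nearby Wi-Fi networks",
    "android.permission.GET_ACCOUNTS": "account e-mail addresses",
}

# Constructed sample of a decoded manifest, standing in for a real app's file.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rideapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
</manifest>"""


def declared_permissions(manifest_xml: str) -> list[str]:
    """Every <uses-permission android:name=...> declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]


def audit(manifest_xml: str) -> dict[str, str]:
    """Map each declared sensitive permission to the data it exposes."""
    return {p: SENSITIVE[p] for p in declared_permissions(manifest_xml) if p in SENSITIVE}


def unexpected(manifest_xml: str, expected: set[str]) -> list[str]:
    """Declared permissions that the app's stated functionality does not account for."""
    return sorted(set(declared_permissions(manifest_xml)) - expected)


if __name__ == "__main__":
    # A ride-hailing app plausibly needs network and location; everything else needs a reason.
    needed = {"android.permission.INTERNET", "android.permission.ACCESS_FINE_LOCATION"}
    for perm, data in audit(SAMPLE_MANIFEST).items():
        print(f"{perm}: exposes {data}")
    print("Not explained by core functionality:", unexpected(SAMPLE_MANIFEST, needed))
```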
Researcher ‘Joe’ notes that,
‘Why the hell is this here? What’s it sending? Why? Where? I don’t remember agreeing to allow uber access to my phone calls and sms messages. Bad NSA-Uber.’
Interestingly, Ycombinator poster dmix observes that users are not asked for SMS permissions, even though they are taken by the app.
Joe then reverse engineered the Uber app’s code, and was alarmed to discover that it checks to see if the device is rooted and if it’s vulnerable to the Heartbleed bug,
‘Why the hell would they need this? I know I keep asking questions, but here’s some answers: Uber checks to see if your device is rooted. It doesn’t tell you of course, it just wants to know so it can phone home and tell them about it. I also saw checks for malware, application activity and a bunch of other stuff.’
Uber spokeswoman Lara Sasken commented on the issue by releasing the following statement to Cult of Mac:
‘Access to permissions including Wifi networks and camera are included so that users can experience full functionality of the Uber app. This is not unique to Uber, and downloading the Uber app is of course optional.’
Re/code notes that competitor Lyft’s app asks for substantially the same permissions, and highlights Google’s policy of encouraging Android app developers to grab as many privileges as possible as possibly being a root cause of the problem,
‘Where Apple and Microsoft discourage developers from accessing data, Google has set up a situation where developers are incentivized to ask for more access than they need, and to do it up front.’