A security company has found businesses that use Uber for their employees are risking having their private data exposed.
Uber updated its software at the end of last year, which triggered controversy for allowing it to track locations of users well after their ride had ended.
That prompted tech security firm Appthority to analyse the flow of data in and out of the Uber app, and it reported that the latest app displayed a range of “risky behaviours” that were more of a concern than in previous versions.
A major worry was that the newer versions of the popular ridesharing app no longer enforced an encrypted connection, through secure sockets layer (SSL) technology, to send data back and forth — meaning that data is exposed to snooping by third parties.
“It’s unclear why Uber removed SSL support and important to note that not using proper data encryption during network transmission may lead to man-in-the-middle attacks or the disclosure of important information to unintended parties,” the report read.
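The report's point is that an app sending data without SSL/TLS can be read or altered by anyone on the network path. An enterprise security team does not need the app's source to notice this: plaintext requests from a mobile app show up on the corporate web proxy. The following script is an added example, not code from the article or from Appthority's report, and it assumes a simplified proxy access-log format and constructed hostnames (the `.invalid` names are placeholders, since the page does not list the app's real endpoints). It flags plaintext HTTP requests whose User-Agent matches a chosen app and rates those touching location, trip or contact paths as higher severity.

```python
"""Flag cleartext (plain HTTP) requests from a given mobile app in proxy logs.

Added example with a constructed log format and made-up hostnames; adapt
LINE_RE to the access-log format your own proxy writes.
"""
import re
from urllib.parse import urlsplit

# Simplified forward-proxy access-log line (assumed format):
#   timestamp client_ip method url status user_agent...
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (.*)$")

# Constructed sample log. Hostnames use the reserved .invalid TLD so they can
# never resolve; they stand in for whatever endpoints an app actually talks to.
SAMPLE_PROXY_LOG = """\
2017-01-10T09:12:01Z 10.20.30.41 GET http://api.example-rideshare.invalid/v1/trips 200 RideApp/3.2 (iPhone)
2017-01-10T09:12:02Z 10.20.30.41 CONNECT api.example-rideshare.invalid:443 200 RideApp/3.2 (iPhone)
2017-01-10T09:12:05Z 10.20.30.42 POST http://api.example-rideshare.invalid/v1/location 200 RideApp/3.2 (Android)
2017-01-10T09:12:07Z 10.20.30.43 GET http://news.example.invalid/index.html 200 Mozilla/5.0
2017-01-10T09:12:09Z 10.20.30.41 GET http://cdn.example-rideshare.invalid/map.png 200 RideApp/3.2 (iPhone)
"""

# Path fragments that suggest the request carries personal or business data.
SENSITIVE_PATH_KEYWORDS = ("location", "trip", "contact", "calendar", "profile")


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, target, status, ua = m.groups()
    return {"ts": ts, "client": client, "method": method,
            "target": target, "status": int(status), "ua": ua}


def is_cleartext(entry):
    """CONNECT requests are TLS tunnels; an explicit http:// URL is plaintext."""
    if entry["method"] == "CONNECT":
        return False
    return urlsplit(entry["target"]).scheme == "http"


def find_cleartext_app_traffic(log_text, ua_pattern):
    """Return findings for plaintext requests whose User-Agent matches ua_pattern."""
    ua_re = re.compile(ua_pattern)
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not ua_re.search(entry["ua"]) or not is_cleartext(entry):
            continue
        parts = urlsplit(entry["target"])
        path = parts.path.lower()
        # Plaintext is always a finding; plaintext that carries location or
        # trip data is what the report's MITM concern is really about.
        severity = "high" if any(k in path for k in SENSITIVE_PATH_KEYWORDS) else "medium"
        findings.append({"client": entry["client"], "host": parts.hostname,
                         "path": parts.path, "method": entry["method"],
                         "severity": severity})
    return findings


def summarize_by_client(findings):
    """Count plaintext requests per client device, to know which devices to follow up on."""
    counts = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_cleartext_app_traffic(SAMPLE_PROXY_LOG, r"RideApp/")
    for f in found:
        print(f"{f['severity']:<6} {f['client']} {f['method']} http://{f['host']}{f['path']}")
    print(summarize_by_client(found))
```

Run against the constructed sample, the script reports three plaintext requests from the rideshare app (two rated high because the paths name trips and location) and ignores both the CONNECT tunnel, which is encrypted, and the browser request from a different User-Agent. The same check run on real proxy logs is a cheap way to confirm whether any app on managed devices still talks in the clear.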
This vulnerability, combined with Uber’s recent ability to track location information outside of actual rides and access personal information on the phone, meant that business-sensitive information was at risk of falling into the wrong hands.
“Uber has the ability to track location not only for C-level executives but also for salespeople, developers and other enterprise employees whose location could signal some activities that they don’t want revealed for business reasons,” stated the report.
“Employee location is very important business information and it becomes more valuable when other contextual data are added. For example, Uber can access not only the location of a meeting, but also the meeting agenda (by accessing calendar) and the meeting attendees and their contact information (by accessing address book).”
Appthority’s report demonstrated the potential corporate impact with a hypothetical.
“For instance, location data could show a C-level executive going to a cancer clinic. Terminal illness of a C-level executive can affect stock prices,” the report read.
“While this additional data sharing adds convenience, it also increases the risks that private data is shared with unintended or unknown parties, especially if the data is shared insecurely.”
Business Insider contacted Uber Australia but it declined to comment on the record.
The security company had three recommendations for businesses concerned about Uber’s data handling practices:
- For enterprises for which the risks described above are deemed unacceptable, the Uber app can be blacklisted for all users, or only for privileged users or another select group that may be higher-risk targets.
- If the enterprise security team chooses not to blacklist the Uber app, they can educate employees to turn off location services for the app. Uber will still function; the user just has to type in the pickup address. Users may choose to do that anyway to avoid the post-ride location tracking.
- As a general best practice, enterprises should educate their employees that it is best not to give access to apps that request access to another app unnecessarily. If access has already been given, the user can revoke it from the settings page on the Uber website, as follows: Go to “https://login.uber.com/login”. Under Profile > Connected Accounts, a list of apps connected to their Uber account is shown. Users can simply disconnect them by clicking “Disconnect”.