Uber’s iPhone app has a secret backdoor to powerful Apple features, allowing the ride-hailing service to potentially record a user’s screen and access other personal information without their knowledge.
The existence of Uber’s access to special iPhone functions is not disclosed in any consumer-facing information included with Uber’s app, despite giving the company direct access to features so powerful that Apple almost always keeps them off limits to outside companies.
Although there is no evidence that Uber used this access to take advantage of the iPhone features, the revelation of the app’s access to privileged Apple code raises important questions for a company already under investigation for a variety of controversial business practices.
Uber told Business Insider the code was not currently being used and was essentially a vestige from an earlier version of its Apple Watch app, but it set off alarm bells among experts.
“Granting such a sensitive entitlement to a third-party is unprecedented as far as I can tell, no other app developers have been able to convince Apple to grant them entitlements they have needed to let their apps utilise certain privileged system functionality,” Will Strafach, a security researcher who discovered the situation, told Business Insider.
Here’s how it works
Nearly every iPhone app uses what is called an “entitlement” — basically a way for software to enable features like the camera or Apple Pay on iPhones and iPads. Most of these can be easily found and officially turned on by outside app developers.
But there are certain entitlements that are only used by Apple, giving the company’s own software tight integration with the iPhone. These bits are marked with names that start with “com.apple.private,” and they are are considered so sensitive that any third-party app found using them is rejected from the App Store.
After digging around in the code for Uber’s app, Strafach discovered that it uses an entitlement called “com.apple.private.allow-explicit-graphics-priority.”
“It is very odd to see Uber as the only app (I checked tens of thousands of other apps using my company’s internal dataset derived from the App Store) besides Apple’s own apps granted access to this sensitive entitlement,” Strafach said in an email. Another person said that no other of the 200 top free apps use private Apple entitlements.
Uber says Apple gave it permission to use the private entitlement, which it used for an earlier version of its Apple Watch app to render maps on the iPhone. The entitlement is not currently being used, Uber says.
“Apple gave us this permission because early versions of Apple Watch were unable to adequately handle the level of map rendering in the Uber app,” Uber representative Melanie Ensign told Business Insider. “Subsequent updates to Apple Watch and our app removed this dependency and we’re working with Apple to remove the API completely.”
Lot of other iOS developers would like special access to private Apple entitlements for both legitimate and illegitimate purposes.
The one Uber was using, for example, could be used to record a user’s screen, Thomas Jansen, founder of security research company Crissy Field said. “Imagine any app would be able to use an entitlement like that and just record your screen without you knowing,” he said. That’s why Apple doesn’t allow just any company to use private entitlements.
Apple didn’t comment. But one reason why Apple may have let Uber use this sensitive piece of code — which likely would have needed to have been approved by senior management — is because the Uber app was demonstrated on-stage when it launched the Apple Watch in 2015 and Uber was a launch app for the Apple Watch.
Hard to trust
Uber has been caught violating the rules of the App Store and has a history of pushing boundaries when it comes to building software that may break legal or ethical boundaries.
After using internal Apple abilities to tag and track individual iPhone devices, even after they were wiped, former Uber CEO Travis Kalanick was summoned to Apple’s headquarters. There, he was scolded by Apple CEO Tim Cook, who in a private meeting with Kalanick threatened to pull the Uber app from the App Store, the New York Times reported.
The meeting between the two CEOs reportedly took place in early 2015, around the same time Apple launched the Apple Watch.
and there we have it! these shenanigans are likely what got Tim Cook upset with Uber (attached pics are from https://t.co/ygj739Ewvr + IDA) pic.twitter.com/BHWv6BA7PX
— Will Strafach (@chronic) April 23, 2017
“I guess there is some kind of extremely special relationship there, considering Apple granted them exclusive access to a privileged IOKit API a little while after they were abusing other unrelated IOKit APIs in violation of the App Store rules (with no repercussions at all),” Strafach surmised.
The deception apparently didn’t scare Apple: Texts published as part of a lawsuit revealed that Kalanick privately said he continued to meet with Cook, with one meeting supposedly taking place in May 2016, as well.
Apple became an Uber investor through its investment in Chinese ride-hailing company Didi Chuxing. In 2016, Didi merged with Uber’s Chinese subsidiary.
Kalanick is no longer the CEO of Uber. Uber’s current CEO, Dara Khosrowshahi, has not yet said anything publicly about the $US69 billion startup’s relationship with Apple, but has addressed the company’s rule-bending culture. A recent change to iOS, the iPhone software, prevented Uber from collecting rider location in the background without a visual signal.