
Uber wants access to browsing history, bookmarks, and running apps - tshtf
https://www.reddit.com/r/privacy/comments/4f1zih/uber_wants_access_to_browsing_history_bookmarks/
======
StavrosK
From a reddit comment:

> The permissions you see on the install screen are actually triggered by
> various permissions in the permission group. I've checked Ubers (there's a
> button on the web play store and you can see it in the manifest), and the
> only one from the Device and App History group they actually use is
> "GET_TASKS", or get a list of recently opened apps.

> Furthermore, on Lollipop this permission doesn't even do anything anymore.
> The relevant function in the framework has been changed and only returns
> instances of the caller's own app now. So Uber can see when you last used
> Uber. Big deal.

> Basically, this is a big fuss for nothing. Uber is not accessing your
> browser history, and if you're on Lollipop or above they can't access your
> app history either. They may do that on lower versions, but it's most likely
> to counter buggy behaviour on those older verions and not to spy on you.

~~~
matt_wulfeck
Either that's not entirely truthful, or the app permission system is totally
broken...

Need to find out when you last opened the app? "Get running apps"...?

~~~
dlubarov
This page has more detail on Android's permissions model:
[http://developer.android.com/guide/topics/security/permissio...](http://developer.android.com/guide/topics/security/permissions.html#perm-
groups)

I don't really understand the point of having fine-grained permissions (like
READ_CONTACTS), when the user only sees broader permission groups. Can someone
shed light on this?

~~~
tadfisher
It wasn't always this way. The individual permissions used to be displayed to
the user directly; newer releases of the Play Store have "streamlined" this
permissions prompt so that users see general permissions "groups", and some
permissions (such as INTERNET) are considered "not dangerous", requiring a
click on the "See all permissions" button to view everything the app requests.

I imagine it's because Google recognized the general insanity of the system,
and presenting fewer "scary" permissions improved conversion rates.

Then they threw the whole system out with Android 6.0, moving to a much more
sane flow for everyone involved, where the user is able to grant or deny
individual permissions at runtime.

~~~
taneq
> I imagine it's because Google recognized the general insanity of the system,
> and presenting fewer "scary" permissions improved conversion rates.

Because the way to fix "apps can demand a laundry list of permissions and
users can only take it or leave it" is to sweep it under the rug?

A sane way to do it would be the way browsers deal with location data: "App
[appname] is requesting permission to access [resource]. Allow always / allow
/ deny / deny always?"

~~~
dlitz
That's how it works in Android 6.0 (Marshmallow) and above.

~~~
anowlcalledjosh
Kind of, but you still get the situation where an app wants to get your IMEI
to identify the device, but is forced to ask for permission to 'phone', which
the user promptly denies because that also allows the app to make phone calls.

~~~
xorcist
What does an app want my IMEI for? How do they work on non-cellular tablets
(and PCs) which doesn't have one?

~~~
mderazon
Lots of apps use IMEI as a unique device identifier on Android. A practice
that is discouraged by Google. Anyway, since 6.0, developers should find a
different way to udid. One alternative is Advertising ID which doesn't require
any special permissions but is resettable by the user (though not easily found
in the system's settings)

[http://developer.android.com/google/play-
services/id.html](http://developer.android.com/google/play-services/id.html)

------
liquidise
Multiple comments here parroting the "this is a non-issue on Lollipop or
later" defense. Per Android's own statistics [1], that leaves 60% of users
vulnerable to excessive permissions.

1:
[http://developer.android.com/about/dashboards/index.html](http://developer.android.com/about/dashboards/index.html)

~~~
0xmohit
Regardless of whether it's a non-issue on Lollipop (or later) or not, it
exhibits the intent of Uber.

And google is no less:
[https://www.privateinternetaccess.com/blog/2015/06/google-
ch...](https://www.privateinternetaccess.com/blog/2015/06/google-chrome-
listening-in-to-your-room-shows-the-importance-of-privacy-defense-in-depth/)

~~~
morgante
No, it really doesn't. It's a fundamental flaw in the earlier Android
permissions model that it requests so much.

Uber doesn't try to pull anything like this on iOS.

~~~
ryanwaggoner
To be fair, there is zero ability (outside of undocumented and forbidden
private APIs) for an iOS app to even request access to browsing history,
bookmarks, or app history.

------
makeramen
Uber engineer here. These permissions were mistakenly introduced by an
engineer on the team who thought a 3rd party library needed them when in fact
it does not. We definitely do not need or want those permissions and we’ve
promptly released new versions to the Play Store that do not request them.
Please upgrade to Uber app version 3.98.3 (3.99.2 in the beta channel) which
no longer requests the extra permissions.

~~~
dredmorbius
_1\. Thanks and good on Uber for correcting this, and communicating this
publicly._ That's excellent goodwill, and something the company could use more
of. Now make sure this doesn't happen again.

 _2\. The change likely would not have been made had people not complained._

 _This is why I am reporting excessive Android permissions requests, both to
developers and publicly._ I've succeeded in having several other instances of
expansive permissions requests rolled back. Others not so much (e.g.,
Wikipedia).

3\. I'd argue that this _only further highlights_ how broken the Android
permissions systems are if applications can request unnecessary _and highly
dangerous and invasive permissions_ without the awareness of the authors. I
love a few things about my Android device, _but few of them specifically
pertain to Android_.

4\. As I've mentioned already: _Google need to reintroduce their applications
permissions blocking tool which was released AND WITHDRAWN in 2013._ For _all_
prior versions of Android.

 _5\. Someone really needs to kick Google 's ass_ with a a) Free Software b)
user-first c) privacy-respecting d) security conscious operating system for
small mobile devices. Maybe Microsoft can be talked into funding Ubuntu Mobile
or FirefoxOS.﻿

~~~
fabulist
> 5\. Someone really needs to kick Google's ass with a a) Free Software b)
> user-first c) privacy-respecting d) security conscious operating system for
> small mobile devices. Maybe Microsoft can be talked into funding Ubuntu
> Mobile or FirefoxOS.﻿

The fellows at [https://copperhead.co](https://copperhead.co) look to be doing
solid work.

~~~
dredmorbius
Thanks, I'll take a look.

------
jarnix
This permission should just simply not exist. I had two games and an another
app. The browsing history was, in this case, used for targetting ads. I did
not need the apps and uninstalled the apps (it was around 2 years ago, on
previous version of Android I think).

The apps on Android should be sandboxed and not be given this kind of
permissions, that's all.

~~~
riprowan
Exactly. If an app requests a permission it should not need, then it should
simply be considered malware and rejected with a big 1-star review.

------
askyourmother
Very unnecessary overreach on android permissions.. Will be interesting to see
how many of the fans of uber here on hn will try to spin this.

Just forwarded to some friends, they are uninstalling the rogue app as I type
this!

~~~
jonathankoren
Isn't permission overreach du rigueur on Android? Seriously, I thought that
this was a preferred engineering pattern on Android due to platform weirdness
or something.

~~~
fahrradflucht
Yes it is/was. The problem is/was that your app stops getting auto updates if
you add permissions later. A lot of users never go into the update section and
grant new permissions and so your app stays on the version with the old
permission set for ever.

~~~
jonathankoren
I knew I wasn't just making it up, and because of that, I'm at -2.

------
sp332
My Samsung phone came with the Uber app baked into the ROM. Fortunately I know
enough to disable it, but I can't completely uninstall it. And most users will
be prompted ad infinitum to update until they give in.

~~~
hackuser
Try an alternative ROM, such as CyanogenMod or OmniROM; they omit all the
bloatware.

~~~
sp332
I have the AT&T version of the Galaxy S6 Edge, with the locked bootloader. I
can't even get root on it :(

------
fblp
After a long break from Uber I opened it up to price compare against Lyft. I
switched between the two apps and then uber offered me two free rides. It
seemed like it was detecting that I was hesitating to "come back" to Uber.

I use Android Lollipop and even if the permission didn't allow them to see I
was using Lyft, I wouldn't be suprised if they're trying to re-engage
"hesitating" users and are snooping for whatever data they can.

~~~
firebones
Could simply be based on a campaign that kicks in after a long period of non-
usage. Then again, you have the outline of a repeatable experiment here for
someone with two phones and a period of Uber exile.

------
technofiend
I've said it before but I'll say it again: this is why you create a second
throw-away Google account and use that to create a new profile on your phone
dedicated to snoopy apps. Seriously: screw anyone that thinks harvesting my
personal data is the cost I must pay for a cab ride.

~~~
electic
I don't think that will solve this particular problem. It wan't your browsing
history from the device.

What we desperately need is a UL for privacy. Just like UL tests electronics,
we need a lab to test these apps for what data they access and how they make
use of that data. Then assign a score so consumers can chose not to use
services that request unnecessary permissions and misuse your data.

~~~
swiley
No, what we need is the ability to modify the system software on our phones
easily to stop this kind of thing. On a normal Unix system you would just run
the app as a separate user (or worst case, sandbox it) but on android non of
the interfaces (or really much of anything at all) can be controlled by the
user.

~~~
alanh
That is simply not a solution that will work for more than 0.1% of the
populace. While you meant nothing wrong, your "solution" repulses me because I
don’t care about this sort of thing just for myself and other supernerds, but
for my friends and family and countrymen as well.

~~~
dredmorbius
If the means are there, solutions for the 99.9% can be created.

Look at how popular adblock's becoming.

------
dredmorbius
Google released, then withdrew, an interface for revoking and limiting
application permissions. On existing Android devices. Three years ago.

We know they can do this. We also know they don't care.

The challenge is to make them care.

[https://www.eff.org/deeplinks/2013/12/google-removes-
vital-p...](https://www.eff.org/deeplinks/2013/12/google-removes-vital-
privacy-features-android-shortly-after-adding-them)

~~~
magicalist
Yeah, it would be awesome if they would release an android update that allowed
you to revoke and limit application permissions.

[http://android-developers.blogspot.com/2015/08/building-
bett...](http://android-developers.blogspot.com/2015/08/building-better-apps-
with-runtime.html)

~~~
dredmorbius
As I understand it, that puts the onus fully on application developers, whom
users have to trust.

That's precisely the current problem.

~~~
strcat
No, it does not. Dangerous permission can be toggled off for all apps now. For
apps on the new API level, they can no longer obtain dangerous permissions at
install time. They have to trigger an OS-level prompt for the permission.
They're supposed to explain why they need it before triggering the OS prompt
and many apps did it poorly by adding an extra, meaningless prompt before the
real one. This was't done for the old API level because it would cause crashes
for permissions where data can't feasibly be faked and the user would have no
indication that fake/empty data was being used if it was the default.

~~~
dredmorbius
For Marshmallow. Which 60% of current Android users don't have _and will never
have until they retire their current devices_.

Which is why Google needs to fucking fix this _retrospectively_.

------
readams
My copy of Uber just updated and it doesn't seem to be requesting any of these
permissions. I'm on Marshmallow, and on the permissions page these permissions
are not there. Version 3.98.2 of Uber.

It's possible that these permissions are used in some obscure place in the
app. With the new permissions system, you can progressively request
permissions when you need them, so it's possible it will request these at some
point in the future, but the app seems to run OK without them.

I also disabled access to contacts, which the app does request for some
reason.

~~~
jakub_g
When you scroll to the bottom on Uber's play store page it displays this for
me: [http://m.imgur.com/ndfjQWv](http://m.imgur.com/ndfjQWv)

They request 'running apps' only from this particular subgroup. Notice the
wording on the original screenshot: 'one or more of'.

TLDR they don't request browsing history, the Android permissions screen on
update is confusing

~~~
readams
When I go to that page I see the "retrieve running apps" permission under a
category "Other." It would appear that I cannot disable the "Other" category
in the app permission configuration.

EDIT: There's another comment in the thread that indicates that this retrieve
running apps permission actually doesn't do anything on Lollipop+: it just
returns the app's own windows. Which would explain why it was moved to the
"Other" category.

------
lsc
this is why I don't use an android device as my primary phone, even though my
perception is that you get rather more bang for your buck, hardware wise, on
android phones, and even though the samsung gear VR looks like someone
implemented one of my less-realistic fantasies.

On IOS, yes, uber asks for access to my contacts list, I click 'no' and uber
works just fine (modulo the 'spam my friends' feature, which I didn't want
anyhow.)

On an android, my understanding is that I've gotta chose between giving uber
permission to spam my contacts list and simply not using uber, which is sad,
because uber is way more convenient than a yellow cab.

This contributes to the perception that because IOS is paid for up-front,
apple is willing to do things that might make apps less profitable, if it
makes those apps better for the users, but that Android, because it is paid
for by advertising, is less willing to side with the user against the app
providers/advertisers.

~~~
5ersi
This is how it works in Android 6 - permissions are requested as needed and
user can deny them individually.

Unfortunately apps have to be build against the new API, so it does not happen
automatically for old apps.

~~~
izacus
You can deny permissions individually for older apps as well.

~~~
anowlcalledjosh
They aren't capable of handling the case where they aren't given access to a
permission though, so that makes them potentially more prone to crashing.

~~~
unlinker
My idea is that if they try to access your contacts, instead of receiving a
potentially unhandled "access denied" exception, they should just receive an
empty contact list. Et cetera.

------
SG-
I don't even understand why Android would even let then happen. I can't even
think of desktop apps that try to gain access to your history or bookmarks let
alone a mobile app.

One time bookmark import is a thing I suppose, but that's different than
gaining permanent access once granted.

~~~
blfr
Desktop apps usually have access to everything on your drive or running under
the same user.

~~~
SG-
Yes, obviously it's possible for them to gain access, I'm saying I don't know
of any desktop apps that need access to any of that other than one time
bookmark importing.

~~~
jsprogrammer
For example, you may wish to use an editor or viewer on any file on your
machine.

~~~
ThisIs_MyName
Relevant username? :P

~~~
jsprogrammer
Your name? How?

------
misiti3780
It is not possible for an app to get browsing history on iOS right ? ( i have
never seen any app ask for that permission personally)

~~~
asd
You are correct. This seems like a very dangerous permission to grant to apps.

------
maaaats
I hate that AI support-replies are a thing. He sent a serious mail, and got a
bogus reply back. I've had the same issues myself with other vendors, for
instance Steam.

------
ape4
Presumably they want to see if you are running Lyft.

~~~
ludamad
And it wouldn't do anything for if you had two phones, right? This is pretty
annoying as someone who still wants to use Uber. Enough that I would consider
a competitor.

~~~
JeremyBanks
In what scenario would a person be using one phone for Lyft and one for Uber?

I use two phones, but I have both apps on both.

~~~
JupiterMoon
Drivers.

~~~
blackoil
Drivers have a different app, this is the consumer app.

~~~
JupiterMoon
They may well share code and or library dependencies which could be where the
'need' for the permissions comes from.

------
lgessler
Props to whoever's responsible for itemized permissions requests on
install/update--stories like these probably wouldn't exist without it.

~~~
rplnt
Does this recovery attempt of a bad feature deserve praise? It wouldn't be an
issue if permissions were properly implemented from the go - i.e. user had the
control over what permissions the app gets.

------
Animats
There's an Android mod which deals with apps like that. They can try to read
all the user's info, but what they get is all phony.

~~~
awqrre
that should be the default... but of course Google is complicit...

~~~
0xmohit
Given enough incentive, Google might even be willing to issue a patch to allow
permissions to apps that were not possible otherwise.

------
codedokode
So this is information about Uber app that I found in some blog:

\-------

Android Uber app code has many suspicious places. For example, it contains a
namespace "com.baidu.frontia" and classes there include such code as:

    
    
        localObject = ((TelephonyManager)localObject).getSubscriberId(); // gets IMSI 
        ((TelephonyManager)localObject2).getDeviceId(); // gets IMEI
        localObject1 = ((WifiInfo)localObject1).getMacAddress();
        public static void makeCall(String paramString)
        public static void sendSMS
    

Also there is the code that collects information about cell towers, mcc and
mnc codes, scans wifi networks.

I looked quickly through the code and it seems that those methods are never
called. They are probably just a part of a library not used in this app. Uber
mostly uses baidu maps, authorization and payment API.

~~~
onewaystreet
That code is from the Baidu SDK which Uber integrates into its app for Chinese
users.

~~~
wosos
Still suspicious nontheless

~~~
levemi
I think you're on to something, for example the Uber app probably also uses
the `true` constant in places, which could be used by `if` comparisons, and
Uber could actually be using `if` comparisons all over the place. Who knows
what sort of suspicious `if` comparisons Uber's app might be making? We don't
know, and until we do we should probably not use this app.

~~~
teamfrizz
Not sure if this is sarcasm or just strange.

~~~
hartpuff
Not sure why your post is being downvoted, when the laborious Reddit-level
sarcasm in the post you replied to is the kind of useless, non-constructive
crap I thought was frowned upon here.

------
joulesbeef
How about make apps show us the data they collect and if they dont they dont
get access to the store. Google has an pretty awesome page that lists all that
crap they collect on you and you can delete it from there.

On the google store site.. when browsing apps, there should be a tab on every
app page, where i can see a sample of what it collects and a declaration of
what it does with that data.

after installing the app, in the app manager, i should get a tab where i can
see what its grabbing from me.

right now we got strangers going into our bedrooms borrowing something they
wont tell us what it is.

and really permissions dont help a lot when it comes to this. Yeah my bookmark
dup cleaner has to access my bookmarks to clean.. so i give it the permission,
but does it keep them? does it sell them? i dont know permissions arent that
detailed. if there was a privacy tab that i could check...then i would know.

People hide nanny cams to watch the nanny. Its because they gave her
permission to have access to the house and kid and such.. the cam is like my
privacy tab. it makes sure she doesnt abuse the permissions. We KNOW she needs
access to the house and kid to do her job.. we just dont want the kid
molested. well I dont want my data molested.. So google please give me an app
nanny cam.

------
rcheu
I believe the browser history lookup doesn't work anymore (I tried recently on
5.0 I believe). Also, many of the Android permissions are unecessarily broad,
I think that really would be a good thing to fix. Oftentimes you only need
some specific function, but have to request a much broader range.

~~~
paulddraper
Examples? (Especially any for browsing history, bookmarks, or running apps.)

~~~
rcheu
Getting a list of accounts (needed if you want to integrate with Google
login), asks the user if the app can read their contacts:
[https://code.google.com/p/android/issues/detail?id=189766#c8](https://code.google.com/p/android/issues/detail?id=189766#c8).

Another example is phone state [https://arnowelzel.de/wp/en/android-and-
read_phone_state](https://arnowelzel.de/wp/en/android-and-read_phone_state)
(games use this to adjust volume to not drown out calls). There is a
replacement, but it's not well known.

------
ryan-allen
I'm really starting to worry about this as an Android user.

If I want to keep control of my privacy there are so many apps that I can't
trust to install. Even little dinky games are asking for access to contacts
and messages and all sorts of other things.

An application on a desktop computer that steals data from your email
application and sends it back to base is called "Malware". On Android, this is
called "business as usual" from what I can tell. I don't know the app
developers' reputation, I don't know anything... Except that someone in some
other country has unbridled access to my phone.

As a result there are many applications I want to use and I just don't
install.

It's not very cool.

~~~
Freak_NL
Not sure why you are getting downvoted for voicing a valid concern.

~~~
ryan-allen
Probably due to the lack of scientific rigor that I failed to produce in all
of 3 seconds, or, just general BS of an online community. Or shills, who
knows! Nobody said this was a community of rational beings.

------
brad0
Anyone who knows android dev knows this is a non issue. The permission they
request doesn't even do anything in lollipop and later. Sounds more like a bad
dev than anything malicious.

What's the saying? Never attribute to malice with what can be explained by
stupidity?

~~~
DINKDINK
>Never attribute to malice with what can be explained by stupidity

Hanlon's razor

~~~
arca_vorago
Is a logical fallacy that is overused and hardly ever true, and should be
relegated to the dustbin of intellectual discourse where it belongs.

~~~
jonathankoren
It's not a logical argument. It's more of a heuristic of human behavior, which
tends to be right. Only rarely is there someone sitting behind a large desk
making tent hands while laughing maniacally.

EDIT: On second thought, if it is a logical argument, it's a specific case of
Occam's Razor. Which is more likely? Someone made a mistake, or there is a
grand conspiracy?

~~~
nitrogen
Here's another fallacy: the fallacy of the excluded middle or the false
dichotomy. There are many alternatives on the spectrum between "mistake" and
"grand conspiracy".

~~~
mortenjorck
Exactly. These include such situations as:

\- a mistake where misaligned incentives are against fixing it

\- a questionable decision exacerbated by a mistake

\- malice on the part of an external actor plus internal incompetence
(essentially all data breaches)

------
siculars
Crazy town app permissions are what keep me from using Android. I really
wouldn't be able to install half the apps out there that ask for all sorts of
permissions that are frankly obnoxious.

------
jjuhyun007
Uber could provide much more than a point to point ride service in its current
traditional sense _if_ users are willing to give up more data. For example, it
could provide user a tour/travel experience to match with the proper driver if
it knows you are traveling. Or send you off to a nice dining experience if it
knows you are a foody, etc.

------
m52go
Just switch to the mobile web. Same capability, same interface, no intrusive
permissions requirements.

Add it to your homescreen and you even get the glorious U logo back!

[https://m.uber.com/](https://m.uber.com/)

------
asd
Sadly, 98% of folks will blindly accept this.

~~~
jsjohnst
I'd venture to guess the number is likely closer to 99.9999%

~~~
0xmohit
Right. I remember hearing from somebody about Google Now recently. The guy was
happy that it reminds him of bills etc., added that it even gets the amount
and due date from the "emails" and "reminds".

Frankly, a vast majority (99.99%+) don't care.

~~~
URSpider94
By "don't care," you mean, "are extremely delighted when Google reminds them
to pay a bill on time and avoid a late fee."

------
esafwan
I have often wondered why Android don't categorise or have some mechanism to
allow users revoke permission later. I have been a long time Android user but
recently started using iPhone. I don't like iPhone for many reasons but then
the control you have on turning on and turning off location, data
connectivity, access to photos etc from one screen is really something you
should have on all device. I felt the need of this, when Facebook asked for
permission to read my messages.

~~~
jogzden
This feature has been available on Android M for a while now. Sadly, the
fragmentation of versions running on the Android platform is the biggest
threat to its security.

------
spoiledtechie
Didn't Uber just admit to giving Feds their data on all their users?

What's the thought on Uber having access to such data as browsing and passing
that along to the feds too?

~~~
nbb
No they didn't.

~~~
spoiledtechie
Yes they did. Don't tell me know until you can learn how to Google.

~~~
nbb
Don't tell you what?

------
rvalue
I have observed on my device when i use Transit Stop to check for bus
schedule, Uber app pops up.

------
acheron
This has little to do with Uber and is all to do with Android.

Care about privacy. Use Google products. Pick one.

------
Bud
Interesting that the headline leaves out the fact that this only applies to
poor, security-less Android. Less sensational that way, I guess. (And less
accurate.)

------
awinter-py
keep the big picture in mind here. If Ü can't tell what it looks like you're
trying to do, they can't perfect clippy.

------
mortenjorck
If you are running the app on Marshmallow, with iOS-style permission requests,
in what contexts does the app ask you for these?

~~~
nevir
When you update (and the permissions have changed)

------
motti
With Marshmallow, you can just turn off or deny certain permissions. So for
most people who really want to run the Uber app, the question is really
whether it runs OK without all these permissions.

~~~
itg
Uber did this knowing very well that most people don't have Marshmallow on
their smartphone.

------
thirdreplicator
+1 Uninstalled

------
known
Are they doing it at the behest of NSA?

------
colordrops
There is definitely an Uber presence on HN doing damage control.

~~~
SquareWheel
People sure love to throw out the shill card without providing any proof.

~~~
vehementi
The fact is there are shills everywhere. It's hard to prove them in all cases.
But it is a "big" and important industry for companies to anonymously and
without accountability do damage control. There have been articles and AMA's
etc. from people who had worked for these firms and it's really disgusting.

So it's not people with tin foil hats speculating that shills might exist - we
know shills exist and are pervasive. Given that, we should have a certain non
zero belief that any given poster is a shill. Not sure what is the best way to
proceed when you know for sure that there are spies around you all the time.
That's a bigger discussion. But jumping on people as if we should have to
prove beyond a reasonable doubt that there's a shill is really counter
productive and helping "them" win.

~~~
SquareWheel
The existence of past conspiracies does not offer proof of new ones. Likewise,
the fact that shills have existed in the past does not mean they exist here
and now. The burden of proof is still on the one making the claim.

It's not only irresponsible but dangerous to take a guilty until proven
innocent approach. You should expect somebody to prove it if they're making a
claim. That's not letting anyone "win".

Look at profiles. Look for unusual voting patterns. Is it more likely that
Uber is secretly watching and manipulating a forum for hackers, or could it be
that a lot of people here actually quite like Uber as a company? Occam's razor
suggests the latter.

Or maybe - like me - this story just seems shaky as hell with people not
understanding that Android permissions (like license agreements) often over-
extend themselves. That a permission requiring X doesn't mean X is being used.
All the time we see things like "App requires contacts list" where it's only
grabbing the owner's info.

Honestly, playing the shill card is lazy and irrelevant. If you have proof,
show it -- otherwise you're just spreading FUD.

------
manu29d
Hmmm. Nobody talking about other apps that do this? Talking about Tinder[1]
for example. They require "Device ID and cell information" too.

[1]:
[https://twitter.com/manu29d/status/710883865955422208](https://twitter.com/manu29d/status/710883865955422208)

~~~
dredmorbius
"Et tu" comments without even bothering to search for earlier submissions
aren't particularly enlightening.

[https://news.ycombinator.com/item?id=11465215](https://news.ycombinator.com/item?id=11465215)

From myself in the past week. I've lobbied several app devs to remove/reduce
permissions. I've uninstalled others.

Android's privacy model sucks. It needs _retroactive_ fixes. Highlighting the
problems is how that gets fixed.

------
askyourmother
Edit: interestingly, this comment had five points before the uber fans modded
away. Easier to click down then explain rogue apps I suppose...

They were lucky they didn't try the beta version of the new forthcoming uber
app - that version wants access to the phones of all your friends, family,
neighbours, your postman, the sister of the locksmith that helped you get the
spare key last year, and the chap you met on the train to work last week
called Brian. Still, go uber!

~~~
MichaelGG
Your comment was downvoted because it doesn't add to the conversation and is
mostly nonsense ("sister of the locksmith?").

------
derFunk
Come on guys, where are the academics? Instead of overreacting please just
reverse engineer, get the facts and check WHY the Uber app actually requests
these permissions. I mean, it's still Java, so you got the source. I don't
think they're using native code or do more obfuscation than the average app
(disclaimer, haven't checked (yet)). Who's first?

~~~
Daishiman
The burden of proof on the necessity of those permissions lies in the
creators, not the consumers.

~~~
derFunk
I agree. Yet this is Hackernews, and if the creators don't do it we can.

------
nxzero
If you have any questions, you can write Uber at privacy@uber.com.

-iOS App Permissions [https://www.uber.com/legal/other/ios-permissions/](https://www.uber.com/legal/other/ios-permissions/)

-Android App Permissions [https://www.uber.com/legal/other/android-permissions/](https://www.uber.com/legal/other/android-permissions/)

~~~
tshtf
Did you read the post? He contacted privacy@uber.com.

Question: [http://i.imgur.com/K1mAtiH.png](http://i.imgur.com/K1mAtiH.png)

Scripted reply that didn't answer question:
[http://i.imgur.com/m9sWJZR.png](http://i.imgur.com/m9sWJZR.png)

Also, as mentioned in the post, [https://www.uber.com/legal/other/android-
permissions/](https://www.uber.com/legal/other/android-permissions/) doesn't
mention the new permissions.

~~~
nxzero
If I made that clear, it would be less likely others would contact Uber;
appears that I should have just let it be.

