
Your Uber Tracking Device Is Now Active - GregoryVPerry
https://medium.com/bread-and-circuses/your-uber-location-tracking-device-has-been-activated-781a7e6df394
======
wallamoster
This is the same guy that got shut down for being a dick 4 days ago, seems
like he's really trying to "get back" at Uber.

[https://news.ycombinator.com/item?id=16000550](https://news.ycombinator.com/item?id=16000550)
[https://hackerone.com/reports/293359](https://hackerone.com/reports/293359)

~~~
ashare80
The latest update to the post is pretty funny though. An ear scanning device?!

Let's see how long it takes OP to realize he opened the app and it persisted a
location Thu Nov 30 2017 20:04:08 ("gps_time_ms":1512072248998) when location
services were turned on.

------
willstrafach
This is not possible if you have not granted Location Services access, due to
the nature of how iOS works.

This only shows that a coordinate pair is being sent to the Uber API, which
may have been cached from a time in the past, such as last time a ride was
requested. The author counters this only by driving away in an attempt to “reset”
it, but instead of sniffing the traffic to see that the headers changed to
reflect the new coordinates, they reached their conclusion by returning home
and sniffing the traffic and saw that the coordinates remained the same.

For this to work as described, something in iOS would have to be incredibly
broken.
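
The comparison described in the two comments above (does the fix timestamp advance between captures, or is one old fix replayed?) can be sketched as follows. This is an added example, not part of any comment in the thread and not Uber's code; only `gps_time_ms` comes from the thread, while `captured_at_ms`, `lat`, `lng`, the sample values and the 300-second threshold are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed captures (not real traffic), two requests one hour apart.
# "gps_time_ms" is the field quoted in the thread; the other names are assumed.
CACHED_CAPTURES = [
    '{"captured_at_ms": 1514300000000, "gps_time_ms": 1512072248998, "lat": 40.0001, "lng": -75.0001}',
    '{"captured_at_ms": 1514303600000, "gps_time_ms": 1512072248998, "lat": 40.0001, "lng": -75.0001}',
]
LIVE_CAPTURES = [
    '{"captured_at_ms": 1514300000000, "gps_time_ms": 1514299990000, "lat": 40.0001, "lng": -75.0001}',
    '{"captured_at_ms": 1514303600000, "gps_time_ms": 1514303595000, "lat": 40.0412, "lng": -75.0530}',
]

def fix_time_utc(gps_time_ms):
    """Render an epoch-milliseconds fix time as a readable UTC string."""
    dt = datetime.fromtimestamp(gps_time_ms // 1000, tz=timezone.utc)
    return dt.strftime("%a %b %d %Y %H:%M:%S")

def fix_age_seconds(capture):
    """How old the location fix was at the moment the request was captured."""
    return (capture["captured_at_ms"] - capture["gps_time_ms"]) / 1000.0

def classify(raw_captures, max_live_age_s=300):
    """Label a series of captured location payloads as cached, live or inconclusive."""
    caps = [json.loads(raw) for raw in raw_captures]
    fix_times = {c["gps_time_ms"] for c in caps}
    positions = {(c["lat"], c["lng"]) for c in caps}
    youngest = min(fix_age_seconds(c) for c in caps)
    # One old fix, byte-for-byte the same on every request: a stored value being replayed.
    if len(fix_times) == 1 and len(positions) == 1 and youngest > max_live_age_s:
        return "cached"
    # The fix time keeps advancing and stays close to the capture time: fresh location data.
    if len(fix_times) > 1 and youngest <= max_live_age_s:
        return "live"
    # A single capture, or mixed signals, cannot settle the question either way.
    return "inconclusive"

if __name__ == "__main__":
    print(fix_time_utc(1512072248998))
    print(classify(CACHED_CAPTURES), classify(LIVE_CAPTURES))
```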

~~~
mxxx
He hasn't really done much to prove conclusively that it's not just
coordinates associated with his wifi SSID.

> there is a red push pin right on top of literally the room I am sitting in
> in the house using Google Maps Satellite View.

Why not step outside and try again, see if it moves. Or is that room just
where he spends most of his time with the phone location services turned on
connected to wifi...?

~~~
SilasX
You're both technically right, but you're writing in a way that suggests his
article is somehow without basis or not something to worry about; but it's
just the opposite.

It seems he's pointing out that, even if you turn off location services, any
app can just get around that by locating you via wifi. Isn't that worrisome,
even if not unique to Uber?

~~~
willstrafach
I fully understand your point, and it is indeed a problem. In fact I have
personally called out other apps for this:
[https://www.washingtonpost.com/news/capital-weather-gang/wp/...](https://www.washingtonpost.com/news/capital-weather-gang/wp/2017/08/23/security-researcher-discovered-accuweather-app-tracks-and-shares-your-location-even-if-you-opt-out/)

Thing is, possibly as a result, Apple blocked ARP access in iOS 11. You can no
longer get the BSSID and use that to get user location. Because the post
indicates he used an iOS 11 device, this leads me to believe the coordinates
were also not obtained with Wi-Fi information.

------
floatingatoll
The point isn’t how it gets the coordinates. It’s that the User disabled
Location Services, which means that the User’s expectation (on Apple’s
platform) is that the app will _not_ locate the User, regardless of whether it
theoretically can do so with GPS, WiFi, or a stellar sextant.

~~~
mcguire
Assuming the app is sending an old, cached location, why would they want to do
that?

~~~
ashare80
The simplest explanation is that it is used for sharding. (Uber iOS dev)

~~~
solarkraft
And the real one?

------
RileyJames
“So I managed to get something working this afternoon on my own iPhone which
isn’t Jailbroken, including a functioning bypass of the certificate pinning
protections included in the most recent Uber app running on iOS.”

Does anyone know the method for doing this? 1) without jailbreaking and 2)
bypassing certificate pinning on iOS.

------
stuntkite
I'm pretty sure the app can be pulling his coordinates from anycast GeoDNS or
a number of other things. It's creepyish, but not that weird. It's a location
based app, you told them not to use your GPS, they are probably going to use
the other tools they have to make sure they can deliver the experience they
want to.

I'm not saying it's right, just saying that it exists and everyone has a lot
of down to the street location information about you all day.

------
BoorishBears
> How am I intercepting certificate-pinned Uber app traffic on un-Jailbroken
> 11.2.1 iOS? Answer: I don’t think I am interested in any further pro bono
> security consulting for Uber at this point.

Bringing up compensation, even in a roundabout way like that "pro bono"
qualifier, sounds like a great way of getting chased for extortion.

~~~
willstrafach
The answer is likely a non-issue, such as some connections not being pinned
and possible to intercept if you install a custom root CA on your device.

The submitter mentioned something along these lines, if I understand
correctly, in his only other HN submission.

