
Uber is still fingerprinting your iPhone - sidchilling
I'm pretty sure that the Uber App is still fingerprinting your iPhone.

I have an iPhone 7 Plus and recently moved cities. Which means that I had to get a new phone number (my old number was really old and I didn't want to port it to the new circle - kind of start a new life).

So, I deleted the Uber App, installed the new SIM card and installed the Uber app back again.

However, it definitely seems that Uber is still fingerprinting my iPhone and not letting me sign up with a new phone number. After signing up, it blocked my new number.

So, I tried again - tried with a new phone number. Deleted the Uber app, installed it back again, and Uber blocked that again instantaneously.

Is it legal to fingerprint iPhones after the app is deleted and installed back? I know that UUID is now legacy, and that there was a ruckus a few months back that Apple threatened to remove the Uber App if it continues to fingerprint.

I wrote to the Uber Support, but as usual, disclosing anything and helping out is against their policies.

Can any Uber and Apple engineer here throw light on this matter?
======
geoffpado
Apple provides the new “DeviceCheck” framework in iOS 11 to give Uber a
“legal” way to do this:
[https://developer.apple.com/documentation/devicecheck](https://developer.apple.com/documentation/devicecheck)

It allows them to set a bit that permanently “marks” your phone, across
installs, while protecting the user from the issues of fingerprinting. In
fact, they explicitly call this out as an intended use of the new framework:

> You might use this data to identify devices that have already taken
> advantage of a promotional offer that you provide, or to flag a device that
> you've determined to be fraudulent.

Not to say they aren’t still doing something shady, but it’s at least
theoretically possible they aren’t.

~~~
jamesmishra
Former Uber engineer here.

AFAIK this is the right answer.

Uber uses fingerprinting to prevent large-scale fraud--smartphones used to
load thousands of Uber accounts for the purposes of money laundering or
testing stolen credit cards.

On a smaller scale, fingerprinting can be used to make sure that "New Account"
related promotions aren't given out to folks abusing the system.

So no, nothing shady is going on. Device fingerprinting here is being used to
prevent others from doing shady or fraudulent stuff.

~~~
sidchilling
But, in my case, isn't this the wrong use of DeviceCheck-ing? Why is it not
allowed by Uber's policies that a user get a new phone number and make a new
Uber account?

How is that fraudulent? I tried explaining the same to the Uber support, but
they aren't ready to listen and keep replying with the same canned messages.

~~~
tedmiston
I wonder if the bit is cleared by doing a full wipe.

------
BillinghamJ
This is very simple. It was done via the advertising identifier (IDFA). If you
don’t reset it between uninstalling and reinstalling, you’re still the same
person.

This also applies to keychain data. If you uninstall an app, its data is
still kept in the keychain, and is accessible again after reinstalling. Not
sure how you could clear this as a user.

This isn’t fingerprinting. It is explicitly allowed by Apple.

As an aside, the new DeviceCheck system cannot be used for fingerprinting. All
it could have done is to flag your device as fraudulent pre-uninstall if they
thought you were problematic. DeviceCheck allows for the storage of exactly
two bits of data - literally four possible values. It was certainly not done
with this.

~~~
stopwhispering2
As you can see in my other comment, I think this is done by other “malicious”
Apps which unfortunately aren’t getting the same attention as Uber. Apple
Support refuses to acknowledge that any App data is left on your phone after
uninstalling. Is there anything that can be done to clean the keychain?

~~~
BillinghamJ
I was curious about the keychain issue too actually - as it seemed strange for
Apple to just leave that vector in place with no protection. Turns out they
did actually change it eventually.

As of iOS 10.3, the relevant keychain data is cleared when the apps which have
access are uninstalled.

Thus, if ALL Uber apps on the OP’s phone were uninstalled, the only
known/allowed method is via the IDFA. This is most likely since Uber has
promised to follow the rules.

If any other Uber apps were still installed though, that would also have
maintained the unique identifier. Apps made by the same “team” can share
keychain data (keychain access groups), and there is another ID - the vendor
identifier (IDFV) which will only reset if all apps made by that vendor have
been uninstalled. It may even be possible for apps to share files if under the
same team ID.

So if you know what you’re doing (resetting the IDFA), it’s pretty easy to
prevent. Just not many people do.
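
Added example (not part of the thread, and not Uber's or Apple's code): a toy Python model of the persistence rules as the comments above state them, showing which identifiers still match after an uninstall and reinstall. The class, function, app and team names are hypothetical, and vendor (IDFV) and team (keychain group, DeviceCheck) are collapsed into one key for brevity.

```python
from dataclasses import dataclass, field
import uuid

KEYCHAIN_CLEANUP_IOS = (10, 3)  # per the thread: keychain cleared on uninstall from 10.3

@dataclass
class Device:
    ios: tuple
    idfa: str = field(default_factory=lambda: str(uuid.uuid4()))
    apps: dict = field(default_factory=dict)         # app name -> team id
    idfv: dict = field(default_factory=dict)         # team id -> vendor identifier
    keychain: dict = field(default_factory=dict)     # team id -> stored value
    devicecheck: dict = field(default_factory=dict)  # team id -> two bits, held by Apple

    def install(self, app, team):
        self.apps[app] = team
        self.idfv.setdefault(team, str(uuid.uuid4()))

    def uninstall(self, app):
        team = self.apps.pop(app)
        if team not in self.apps.values():           # last app from this team is gone
            self.idfv.pop(team, None)
            if self.ios >= KEYCHAIN_CLEANUP_IOS:
                self.keychain.pop(team, None)

    def signals(self, team):
        """What an app from `team` can read to recognise this device."""
        return {"idfa": self.idfa, "idfv": self.idfv.get(team),
                "keychain": self.keychain.get(team),
                "devicecheck": self.devicecheck.get(team, (False, False))}

def surviving(before, after):
    """Names of signals that were set and are unchanged after the action."""
    return sorted(k for k in before
                  if before[k] == after[k] and before[k] not in (None, (False, False)))

def reinstall_scenario(ios, other_team_app=False, reset_idfa=False):
    # Constructed scenario: install, get marked, uninstall, optionally reset IDFA, reinstall.
    d = Device(ios=ios)
    d.install("rider", "TEAM1")
    if other_team_app:
        d.install("eats", "TEAM1")
    d.keychain["TEAM1"] = "device-token"
    d.devicecheck["TEAM1"] = (True, False)
    before = d.signals("TEAM1")
    d.uninstall("rider")
    if reset_idfa:
        d.idfa = str(uuid.uuid4())
    d.install("rider", "TEAM1")
    return surviving(before, d.signals("TEAM1"))
```

In this model, `reinstall_scenario((11, 0), reset_idfa=True)` leaves only the DeviceCheck bits matching, while keeping a second app from the same team installed preserves every signal.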

------
stopwhispering2
It is not the only App that probably fingerprints your phone. Whisper also
does it, despite marketing themselves as a safe and anonymous place for
vulnerable people to express themselves. It would be very helpful if anyone
could comment on how to stop them. Note that this[1] was going on more than 1
year ago.

[1]
[https://news.ycombinator.com/item?id=12973748](https://news.ycombinator.com/item?id=12973748)

~~~
stopwhispering2
By the way, in the case of Whisper, it had something to do with the Apple ID.
By resetting the phone and creating a new Apple ID, it was unable to restore
the old account. This was all before iOS 11.

Edit: in another comment someone suggested IDFA and data stored in the
keychain could be used to fingerprint you, even after you reinstalled an app.
This makes a lot of sense.

------
quickthrower2
Lyft is your friend here.

------
sidchilling
OP here: So, is there any solution for how I can start using the Uber app again?

Uber support doesn't seem to care what the issue is and keeps telling that
they can't do anything about it.

I don't have any other Uber apps installed on my phone, and can get a new phone
number to sign up.

~~~
tedmiston
Have you tried a full erase and OS reinstall?

~~~
sidchilling
Haven't tried it. Will I be able to restore from backup after this, though?

~~~
tedmiston
Yeah. Preferably a local backup vs iCloud.

~~~
sidchilling
Nope, this still does not work.

I restored my iPhone to factory settings which erased the OS and then
re-installed the updated iOS11 (I was on iOS10). I restored the phone from my
local backup, downloaded Uber and tried to sign-in with a new phone number,
but still no luck.

The Uber app throws me back to the sign-up screen after signing up and
entering my name, etc.

------
jrowley
Maybe you could do a full restore of iOS to get around the issue? If you could
jailbreak, there might be a workaround as well, but as far as I know, there
isn't a jailbreak available for iOS 11.

------
codesternews
It is very simple if they are storing some identifier in keychains. Keychain
items persist between the app install. There are a lot of apps which do this.

~~~
BillinghamJ
Not since iOS 10.3

------
ComputerGuru
Of course they are. A leopard does not change its spots.

