Uber wants access to browsing history, bookmarks, and running apps (reddit.com)
703 points by tshtf on April 16, 2016 | 244 comments

From a reddit comment:

> The permissions you see on the install screen are actually triggered by various permissions in the permission group. I've checked Uber's (there's a button on the web play store and you can see it in the manifest), and the only one from the Device and App History group they actually use is "GET_TASKS", or get a list of recently opened apps.

> Furthermore, on Lollipop this permission doesn't even do anything anymore. The relevant function in the framework has been changed and only returns instances of the caller's own app now. So Uber can see when you last used Uber. Big deal.

> Basically, this is a big fuss for nothing. Uber is not accessing your browser history, and if you're on Lollipop or above they can't access your app history either. They may do that on lower versions, but it's most likely to counter buggy behaviour on those older versions and not to spy on you.

But once it's granted, the app can auto-update in the future and use more of that permission set.

I don't think I've changed my settings from the default and for me at least (Nexus 5, Lollipop) if an app has the same permissions set, it will update automatically, if it requests more it will prompt me to agree.

So even if the use of the permissions is innocuous now, it's bad news for the future to grant it.

> I don't think I've changed my settings from the default and for me at least (Nexus 5, Lollipop)

If you have a Nexus 5 why aren't you on Marshmallow?

Not OP but I found Lollipop pretty laggy and that it didn't add much I wanted, most of Google's updates come via Play now anyway. So also no reason to upgrade to Marshmallow either.

The revamped permission model is enough to make the update worth it IMO and that's not something that can be done via an app update.

Also, ART (the new vm introduced in Lollipop) was still pretty rough in Lollipop.

IIRC it even has some memory leaks ...

It is MUCH better in Marshmallow, so it is definitely worth upgrading because that's another thing where you just need to update the system.

Marshmallow fixed many of the issues in Lollipop, plus you get security updates.

And (more relevant to the discussion), you can actually disable access to individual permissions regardless of what the app requires (though on apps compiled against older sdks there's no guarantee that they won't crash, but I found that it's not an issue in practice and most apps work just fine even if you disable access to things they supposedly require).

There are many security issues fixed in OTAs.

Either that's not entirely truthful, or the app permission system is totally broken...

Need to find out when you last opened the app? "Get running apps"...?

I don't even understand why they need local access to figure this out. Poll the web API for last_login and be done with it. Surely they're already tracking and storing this kind of data on their end.

Why make a network call if the device can give you that information locally?

First, you're making a network call anyway, because that's what apps do, so the data is implicit. You simply group by user id and subtract the timestamps of the requests.

But let's say for some reason, you can't collect app-open timestamps. What could you possibly want to do with it locally? Say, "Hey it's been x days since you last used me. Thanks for coming back!"? These are stats you want in aggregate, which means sending the data back to the servers for actual data analysis. You're not going to do that analysis -- or any analysis -- on the device, since there's nothing to compare to.

Yes, but if the data of when the app was last opened is needed to make more network calls, or to just show the user something in general, you're looking at a network call with round trip latency and a success rate <100%, vs. a device call that takes <1ms and succeeds every time.

Put the last opened time on the initial authorization response.

We could go round and round like this. Give me a concrete use case, because for the life of me I can't come up with one that isn't simply superfluous chrome.

Because Uber's primary functionality depends on network calls.

To me, it's pretty obvious they want to find out if you opened the Lyft app recently.

That's what I'm thinking. Who has competitors installed, and do they use them. Also, it does have the right amount of creep to be a plausible Uber tactic.

Doesn't uber have tight integration with other apps that could be running? e.g. Google maps?

I assume the handoff from Google Maps doesn't require any kind of check to running apps from Uber, but I am curious if it is something along these lines.

It does. The main reason I ended up uninstalling uber was because I didn't like it polluting my directions searches with adverts which didn't tell me anything I couldn't already have gotten from the driving directions

Does the app log in every time it starts up, or does it just have a stored access token that is simply supplied with future requests regardless of whether it's been 5 hours or 5 months?

Given what the uber app does when it starts up (show you a map of your locations, with data from a few uber cars moving across it), I'd bet the app essentially contacts the servers immediately when it starts.

The only thing this would get them is "how many times did a user try to get an uber without data connectivity" ...

Contacting servers is one thing, logging in is another. No authentication conversation needs to occur if the auth model is based on access tokens like generic OAuth flow.

And even then, you could keep that record in local storage.

It's so they can quickly switch between the most recently used maps application like Waze or Google Maps for drivers.

Please don’t state speculation as fact.

What makes you think they don't/didn't work for Uber? Seems a bit speculative to me.

OP should provide a source for their statement. But if you want to go this way, their LinkedIn profile shows they never worked for Uber.

But StavrosK just claimed it doesn't work that way. He said that it will only tell you about instances of your own app, not others (such as Waze or Google Maps).

This page has more detail on Android's permissions model: http://developer.android.com/guide/topics/security/permissio...

I don't really understand the point of having fine-grained permissions (like READ_CONTACTS), when the user only sees broader permission groups. Can someone shed light on this?

It wasn't always this way. The individual permissions used to be displayed to the user directly; newer releases of the Play Store have "streamlined" this permissions prompt so that users see general permissions "groups", and some permissions (such as INTERNET) are considered "not dangerous", requiring a click on the "See all permissions" button to view everything the app requests.

I imagine it's because Google recognized the general insanity of the system, and presenting fewer "scary" permissions improved conversion rates.

Then they threw the whole system out with Android 6.0, moving to a much more sane flow for everyone involved, where the user is able to grant or deny individual permissions at runtime.

> I imagine it's because Google recognized the general insanity of the system, and presenting fewer "scary" permissions improved conversion rates.

Because the way to fix "apps can demand a laundry list of permissions and users can only take it or leave it" is to sweep it under the rug?

A sane way to do it would be the way browsers deal with location data: "App [appname] is requesting permission to access [resource]. Allow always / allow / deny / deny always?"

That's how it works in Android 6.0 (Marshmallow) and above.

Kind of, but you still get the situation where an app wants to get your IMEI to identify the device, but is forced to ask for permission to 'phone', which the user promptly denies because that also allows the app to make phone calls.

What does an app want my IMEI for? How do they work on non-cellular tablets (and PCs) which don't have one?

Lots of apps use IMEI as a unique device identifier on Android. A practice that is discouraged by Google. Anyway, since 6.0, developers should find a different way to udid. One alternative is Advertising ID which doesn't require any special permissions but is resettable by the user (though not easily found in the system's settings)


> system is broken and UI is confusing, protect nothing from user even if working right.

> leave system broken but hide UI so nobody cares.

hopefully, it is just incompetence, not evil.

When it comes to Uber, I think the default is to assume malice unless we can prove it is incompetence.

Yeah, I'm afraid that in Uber's case this is what you must assume. Normally I don't default to such a state, I honestly feel that most times it's just incompetence within an organization, but in Uber's case they have been a bad actor for a long time now so they just can't be trusted.

I won't be using Uber, ever.

I'm a latecomer to this situation, what have Uber done in the past to earn that reputation? Genuine question.

Uber is quite literally a supervillain! They've done almost every despicable thing in the tech industry. Sabotage, illegal practices et al. That's why this is actually big on HN. With Uber, shoot first then ask questions later!

GP was talking about the Android permissions system, not Uber.

Do you happen to know in which version of the Play Store this change was made?

"Simplified Permissions" is a relatively new feature of the Play Store and only gives you general permission categories. It was probably changed from the older specific permissions to make it less complex for people who didn't care as much. Note that PackageInstaller still shows all permissions, which is used when clicking on an apk or using a 3rd party app store (like F-Droid). Due to backwards compatibility, this can't be changed easily at the OS level.

> Can someone shed light on this?

Whoever is in charge of the permission system is absolutely nuts. Or it's designed by the committee from hell. Those are the only reasons I can think of. No one sane would create this.

They actually wanted to "simplify" the permissions system and let the user have more control/understanding. You could argue they've done the first... at the expense of everything else. Half of it seems to have been introduced so "it bugs you less", which is not the point, I want to be bugged (by default) so I know what applications are actually doing. If users want to "not be bugged" let them manually set it, don't make it default.

I've meant to write a post titled "Android 6 permissions: Still pants" after buying a Nexus 5X and being happy with the phone/camera but utterly disappointed with the "revamped" permission systems:

- Yes sure, because I granted an application "Coarse location data", just go ahead and automatically (WTF?) give it "Fine location data" permissions too, because hey, it's all just "location data" right? Not like I might have wanted to give it coarse and not fine on purpose...

- Want to write contacts? Here's reading too! Want to write texts? Here's reading too! Same as above really. Is the use-case of wanting an application to be able to add to my data (at my request) but never-ever read all my data really that hard to predict?

- You get an Internet, you get an Internet, every application gets an Internet. Because every application needs Internet right? It's not like I'd maybe want to install an application to manipulate a specific file type right now but don't want it connecting all over the net right? Maybe I don't have time to verify it's not nefarious. Maybe I just want control over what applications can actually phone home from my device?

- "Runtime permissions" is hit and miss. Some applications ask and then respect the answer. Others will just pop up the dialog over and over and over again until you accept it... which was not the point.

- READ_PHONE_STATE is still terrible. It's used by app/games to pause tasks when the user gets a phone call but... also gives away the number that's calling you! Of course, nearly every application then requests this. I don't get it, it's yet another obvious use case ("Let the application know the user is busy without leaking any data") that seems to have been glossed over. I thought by this point they'd have a proper IS_USER_BUSY permission that tells applications that you're in a phone call/whatever but doesn't leak any of your personal data *whatsoever*.

At this point my next phone will be an iPhone/iOS, even though I don't particularly like them as at least security/sane permissions seems to mean something over there...

>Yes sure, because I granted an application "Coarse location data", just go ahead and automatically (WTF?) give it "Fine location data" permissions too, because hey, it's all just "location data" right? Not like I might have wanted to give it coarse and not fine on purpose...

Does iOS have separate permissions for the different location resolutions or distinguish reading contacts from writing contacts?

> Does iOS have separate permissions for the different location resolutions

No, and why should it? I'm a technical user and I'm not even sure what the different resolutions are. What is important is to know when an application is asking for location data. iOS permissions for location are a) Never b) Always c) While using. Those make complete sense to even normal users.

Personally I wish iOS did have more fine grained permissions. I agree with you on location but I'd really like

1) Has permission to read your contacts 2) You can access an OS level contact screen to choose a contact but the app can't read the list of all contacts 3) Has permission to write to contacts (remember when facebook changed contact to have a facebook email address? Would prefer no permission)

Photos. Currently it's all or nothing. I'd prefer

1) can write new photos 2) can read old photos

Taking a photo right now is "can access camera" whereas I'd prefer no camera access for most non-camera apps (facebook) and just a way to launch a system camera. I don't want apps to have the ability to keep the camera/mic on without my knowledge but "can access camera" = can use constantly without my knowledge while app is running.

Yes I know I can get around some of this by doing it manually (don't give app camera permission, swap to built in phone, take picture, do give permission see 100% of my photos, hope they aren't uploading my private photos, choose photo I just took).

It's not enough IMO especially in this age of the revelation of all the apps that spy

> 1) Has permission to read your contacts 2) You can access an OS level contact screen to choose a contact but the app can't read the list of all contacts 3) Has permission to write to contacts (remember when facebook changed contact to have a facebook email address? Would prefer no permission)

I think 2 can be integrated into no permission passing some sort of Intent to the iOS address book framework.

Similarly, permission to read photos on a one off basis can be integrated into no permission. The user should get sent to Photos app and the photos app could ask them whether the user would like to share a particular photo or a particular group of photos with the app that sent them there and with the user's permission the iOS system app can pass the data back to the requesting app.

Sort of like what you said with

> Taking a photo right now is "can access camera" whereas I'd prefer no camera access for most non-camera apps (facebook) and just a way to launch a system camera. I don't want apps to have the ability to keep the camera/mic on without my knowledge but "can access camera" = can use constantly without my knowledge while app is running.

Yes, I absolutely agree. I'd go as far as to say even Instagram doesn't need camera permission.

i am a technical user and i don't drive. so why even have roads?

On the internet permission - it's a difficult business decision for Google to allow users to restrict the Internet permission. If they did, every ad-supported app would overnight become an ad-free app.

On one hand: That's a really good point. Thanks.

On the other hand: Everything can now steal my data "just" so adverts can be shown. Really?!

To me that's more outrageous than the original points I listed. My device and my data are left permanently insecure, all to protect their adverts. Even though I purposefully don't use applications with in-built advertising (because they can't be trusted with permissions), I can't easily turn this off.

This really makes my phone suddenly feel like "A rented device whose main purpose is to deliver advertisements to me" instead of "Owned device that helps me manage my life and communicate".

> it's a difficult business decision for Google

It's a really easy business decision: User security, user privacy and user control are king. If each application wants to tie "functionality working" along with "internet access" and "advert was displayed" then each application can implement that for themselves. It's not hard.

That this is all baked into the actual OS instead with no (easy/toggle) method of user override is nuts.

> "A rented device whose main purpose is to deliver advertisements to me"

You don't own these devices as long as someone else has root. This kind of crap is evidence that we are losing the War On General Purpose Computation. A lot of people are scared of the power of a general purpose computer in the hands of the general public. Computers (especially internetworked computers) allow people to see through scams, remove artificial scarcity, and work past propaganda. When middlemen feel their power is under attack, they tend to lash out in stupid ways to counterattack the perceived threat and reestablish their position.

In the end, the general purpose computer must be made back into an appliance, and the internet back into something closer to cable TV. I don't blame the average person for falling for this scam, as they are often ignorant of the underlying technology. However, a lot of people that really should know better have been distracted with shiny baubles and keep buying into these increasingly locked-down walled gardens, when they should be setting an example and working to educate others so they have the information they need when they vote with their wallet.

That's what happens when conflicting tasks are left to the same management/company. Google's business model is not to make a secure OS or protect your privacy, it is to sell your eyeballs and data to advertisers. Any conflict between these views will usually resolve, maliciously or otherwise, toward advertising. Why do you think AppOps was removed?

I am sure there are people at Google who are tearing their hair, screaming about these issues. But management wants more money, not security or privacy.

As long as people vote with their wallet and buy Google products, they are supporting this. Yes, "I just don't care" is implicit support.

>>- Want to write contacts? Here's reading too! Want to write texts? Here's reading too! Same as above really. Is the use-case of wanting an application to be able to add to my data (at my request) but never-ever read all my data really that hard to predict?

I've configured security for a large variety of systems and I've never heard of a write-only permission. Read-only is often seen as a lesser right than read-write.

I'm sure you've heard of the UNIX sticky bit, which is used so that anyone can write a new file to `/tmp`, but without being able to access other files in the same directory. I can certainly imagine the same implementation for contacts (create new contact, see only contacts you have created) and texts (create new text, see only texts you have created).

It's more like append-only in all of these cases - think of the things you want unprivileged processes to be able to do to your logs, for instance.

The permissions system does not exist only for the user. In fact, as described here (https://developer.apple.com/library/mac/documentation/Securi...), the primary purpose of sandboxing apps is to help developers secure their apps.

"By limiting access to resources on a per-app basis, App Sandbox provides a last line of defense against the theft, corruption, or deletion of user data if an attacker successfully exploits security holes in your app or the frameworks it is linked against."

As such, from the developer's perspective the ideal permissions system should actually be as fine grained as possible to let the developers minimize the exposure of their apps. Android's permissions system was probably designed from this point of view.

Let's be cynical but real here, how many developers care or are even security aware? Here on HN, maybe most are, but out there, most people don't really have a clue or care about the user's data. As long as there is some revenue, all is "well".

This is why such things should be enforced in the OS, with a strict security model, and such shady permission overreach should be frowned upon.

That's because the permission model is back compatible.

Instead of creating a new 'access contact permission', the permissions are now bundled automatically.

That way the same manifest (where you declare a bunch of things about your app, including its permissions) can be used for both old and new devices.

As far as the manifest is concerned, it would have been easy to automatically generate the old permission list from a new permission list like {Contacts, Calendars, ...} but you would also have to create a new library to translate these new permissions to the old ones in the code (since old OS versions still only understand the permissions that existed with them) ...

It is probably easier to just keep the old permissions.

I remember having to use GET_TASKS a couple of years ago (before Lollipop) on a well known app (tens of millions of users).

IIRC, I needed to identify a couple of states :

- when the user is on the lockscreen.

- when the user is in another app.

- when the user is in our app.

- when the screen is off.

There were business reasons behind this for a complex feature, nothing to do with the user's data.

The Android team does not want android devs to access their own app UI state because 'the business logic should not have to depend on that' ...

Fair enough in theory but in practice there are a couple of times when you just need it.

For example even the Chromecast sample uses an ugly hack to access this piece of information (put a timer behind start/stop activity events).

I remember that a coworker had to revamp this piece of code recently for Marshmallow but I don't remember the details.

Google finally has a working permission model with Marshmallow : protect the private data behind popups, everything else is fair game.

It is not perfect by any means since users still tend to click yes on any popup ... but that's the best we can do IMO.

Sure on Lollipop it doesn't work anymore but they could be trying to get some of this information from phones on KitKat and below, which are a solid chunk of the market.

Yes, it is broken, which is why it no longer exists in the install-gating form starting with Android 6.0.

It could be both. The app permission system is almost totally broken.

This sounds like a prepared PR statement to manipulate opinion and downplay the new permissions.

I made the comment on Reddit. Have never even used Uber, just a developer from Belgium. This is a question I've had many times before, and Android permissions are just a mess in general. The permission grouping has scared many people since its introduction.

I think you got lost looking for /r/conspiracy

If it's nothing why update the permissions at all?

Multiple comments here parroting the "this is a non-issue on Lollipop or later" defense. Per Android's own statistics [1], that leaves 60% of users vulnerable to excessive permissions.

1: http://developer.android.com/about/dashboards/index.html

Regardless of whether it's a non-issue on Lollipop (or later) or not, it exhibits the intent of Uber.

And Google is no less: https://www.privateinternetaccess.com/blog/2015/06/google-ch...

No, it really doesn't. It's a fundamental flaw in the earlier Android permissions model that it requests so much.

Uber doesn't try to pull anything like this on iOS.

To be fair, there is zero ability (outside of undocumented and forbidden private APIs) for an iOS app to even request access to browsing history, bookmarks, or app history.

Actually that's backwards. Android moved to the new permission system (fewer perm groups, runtime user permission) to be more like iOS. It used to be that all permissions were granted at install time, which made apps much more likely to ask for onerous permissions because the user is unlikely to read the list or turn back.

It's likely they don't try this on iOS because iOS simply doesn't have the APIs to do this under any permission. It's a philosophical platform difference about what the user should be able to allow apps to do.

iOS applications are moderated and Apple might not want Uber to collect too much information on their users.

And what intent are you implying? Is it not possible that they request these permissions to improve the functionality of the application, and do not in fact actively spy on their users?

I'm sure that you'd be happy to provide them access to your house in order to "improve the functionality of the application".

Luckily, the real world is not modeled after Android's legacy permissions system. Your actual point?

Uber engineer here. These permissions were mistakenly introduced by an engineer on the team who thought a 3rd party library needed them when in fact it does not. We definitely do not need or want those permissions and we’ve promptly released new versions to the Play Store that do not request them. Please upgrade to Uber app version 3.98.3 (3.99.2 in the beta channel) which no longer requests the extra permissions.

> These permissions were mistakenly introduced by an engineer on the team who thought a 3rd party library needed them when in fact it does not.

What caused the engineer to be mistaken about this? What library?

Considering Uber's history, expecting people to believe a claim like: "one guy acted alone in an oopsy", without providing a more detailed report, is a bit optimistic.

If they did indeed immediately release an update that ceases asking for these permissions, then I'd say this is an entirely reasonable explanation regardless of their history.

I could be wrong, but without a real explanation, it seems more likely Uber is still convinced analyzing customer behavior in the most personally invasive ways is worth the risk, and were testing the waters, hoping a response like the OP's wouldn't gain traction the way it did.

In a company with thousands of employees, already scrutinized for privacy violations, it's hard to believe that a single engineer could ask for the most sensitive of permissions without anyone else reviewing or bumping up the chain first.

You're right that we have a very strict review process for added permissions, but unfortunately due to the way libraries and Android's manifest merger work, this change managed to slip through our standard review process. We're definitely going to add stricter enforcement to make sure something like this doesn't happen again.
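An added example, not part of the thread and not Uber's code: one way to enforce the kind of check the comment above describes is to audit the merged manifest the build produces, rather than the app's own `AndroidManifest.xml`, against a reviewed permission list. The function names, the reviewed list and both sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
MAX_SDK = f"{{{ANDROID_NS}}}maxSdkVersion"
# Both elements request permissions; the second applies on API 23 and later.
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")


def requested_permissions(manifest_xml):
    """Return {permission name: maxSdkVersion or None} for one manifest."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for tag in PERMISSION_TAGS:
        for el in root.findall(tag):
            name = el.get(NAME)
            if not name:
                continue
            cap = el.get(MAX_SDK)
            cap = int(cap) if cap is not None else None
            if name in found:
                # Declared twice: keep the broader request (None = no cap).
                prev = found[name]
                cap = None if prev is None or cap is None else max(prev, cap)
            found[name] = cap
    return found


def audit(app_manifest_xml, merged_manifest_xml, reviewed):
    """List (permission, origin, maxSdkVersion) for every permission in the
    merged manifest that is missing from the reviewed set."""
    own = requested_permissions(app_manifest_xml)
    merged = requested_permissions(merged_manifest_xml)
    findings = []
    for name in sorted(merged):
        if name in reviewed:
            continue
        origin = "declared by app" if name in own else "added by merge"
        findings.append((name, origin, merged[name]))
    return findings


# Constructed sample: what the app's own source manifest declares.
APP_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rides">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""

# Constructed sample: the same app after a hypothetical library's manifest
# has been merged in, bringing two extra permission requests with it.
MERGED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rides">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.GET_TASKS"
                   android:maxSdkVersion="20"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>
"""

# Constructed sample: permissions that have passed review.
REVIEWED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_FINE_LOCATION",
}

if __name__ == "__main__":
    problems = audit(APP_MANIFEST, MERGED_MANIFEST, REVIEWED)
    for name, origin, cap in problems:
        scope = f"up to API {cap}" if cap is not None else "all API levels"
        print(f"UNREVIEWED {name} ({origin}, {scope})")
    raise SystemExit(1 if problems else 0)
```

Run as a build step, a non-zero exit stops a release whose merged manifest asks for anything outside the reviewed list, whichever dependency introduced it.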

1. Thanks and good on Uber for correcting this, and communicating this publicly. That's excellent goodwill, and something the company could use more of. Now make sure this doesn't happen again.

2. The change likely would not have been made had people not complained.

This is why I am reporting excessive Android permissions requests, both to developers and publicly. I've succeeded in having several other instances of expansive permissions requests rolled back. Others not so much (e.g., Wikipedia).

3. I'd argue that this only further highlights how broken the Android permissions systems are if applications can request unnecessary and highly dangerous and invasive permissions without the awareness of the authors. I love a few things about my Android device, but few of them specifically pertain to Android.

4. As I've mentioned already: Google need to reintroduce their applications permissions blocking tool which was released AND WITHDRAWN in 2013. For all prior versions of Android.

5. Someone really needs to kick Google's ass with a a) Free Software b) user-first c) privacy-respecting d) security conscious operating system for small mobile devices. Maybe Microsoft can be talked into funding Ubuntu Mobile or FirefoxOS.

> 5. Someone really needs to kick Google's ass with a a) Free Software b) user-first c) privacy-respecting d) security conscious operating system for small mobile devices. Maybe Microsoft can be talked into funding Ubuntu Mobile or FirefoxOS.

The fellows at https://copperhead.co look to be doing solid work.

Thanks, I'll take a look.

Is there a website where we can report or add our voice to apps that seem to request too many permissions? Some of the online course apps seem to do that (udemy, edx, etc).

Not that I'm aware. Maybe even just a good hashtag to start.

#AndroidPrivacy #CreepyApps #AppPrivacy


This permission should just simply not exist. I had two games and another app. The browsing history was, in this case, used for targeting ads. I did not need the apps and uninstalled the apps (it was around 2 years ago, on previous version of Android I think).

The apps on Android should be sandboxed and not be given this kind of permissions, that's all.

Exactly. If an app requests a permission it should not need, then it should simply be considered malware and rejected with a big 1-star review.

Firefox doesn't expose its browser history to other apps whereas both Chrome and the vanilla 'Internet' browser on Android do.

This is one reason why I use Firefox on Android (another being the read-it-later feature, and option to add other search engines easily).

Well, browsing history sounds very helpful in order to create another browser and that's pretty much it.

The unfortunate thing is that it is bundled in the same group as 'running apps'.

I guess it is because Android's PMs wanted to limit the number of permissions groups but it means that many apps have to request it simply because they need GET_TASKS for old devices.

Very unnecessary overreach on android permissions.. Will be interesting to see how many of the fans of uber here on hn will try to spin this.

Just forwarded to some friends, they are uninstalling the rogue app as I type this!

Isn't permission overreach du rigueur on Android? Seriously, I thought that this was a preferred engineering pattern on Android due to platform weirdness or something.

Yes it is/was. The problem is/was that your app stops getting auto updates if you add permissions later. A lot of users never go into the update section and grant new permissions and so your app stays on the version with the old permission set for ever.

I knew I wasn't just making it up, and because of that, I'm at -2.

depends what you mean with overreach.

First : sadly most users (and I really mean most) don't even glance at the permission screen.

It makes it hard for us Android devs to push back against the product teams when they want to add a crazy feature needing a ton of permissions (I still do though and the fact that it breaks auto updates at least is a good argument... ).

The weird part of the permission system is that we have to transition from a 'designed by & for engineers' system where there were tons of different permissions that no users ever read to a granular system where you only need to ask user's permission in order to access private data.

IMO the platform is definitely moving in the right direction (if only because it apes the other platforms approach).

Pretty sure you mean "de rigueur".

yup. fixed ;)

Check again. Still needs du -> de. ;)

goddamn it. I'm firing my typist. ;)

My Samsung phone came with the Uber app baked into the ROM. Fortunately I know enough to disable it, but I can't completely uninstall it. And most users will be prompted ad infinitum to update until they give in.

Try an alternative ROM, such as CyanogenMod or OmniROM; they omit all the bloatware.

I have the AT&T version of the Galaxy S6 Edge, with the locked bootloader. I can't even get root on it :(

After a long break from Uber I opened it up to price compare against Lyft. I switched between the two apps and then uber offered me two free rides. It seemed like it was detecting that I was hesitating to "come back" to Uber.

I use Android Lollipop and even if the permission didn't allow them to see I was using Lyft, I wouldn't be surprised if they're trying to re-engage "hesitating" users and are snooping for whatever data they can.

Could simply be based on a campaign that kicks in after a long period of non-usage. Then again, you have the outline of a repeatable experiment here for someone with two phones and a period of Uber exile.

Interestingly, I had the exact same experience; opened Uber, got a ride estimate. Opened Lyft, got a ride estimate. Opened Uber again, and was presented with a promotion.

I've said it before but I'll say it again: this is why you create a second throw-away Google account and use that to create a new profile on your phone dedicated to snoopy apps. Seriously: screw anyone that thinks harvesting my personal data is the cost I must pay for a cab ride.

I don't think that will solve this particular problem. It wants your browsing history from the device.

What we desperately need is a UL for privacy. Just like UL tests electronics, we need a lab to test these apps for what data they access and how they make use of that data. Then assign a score so consumers can choose not to use services that request unnecessary permissions and misuse your data.

No, what we need is the ability to modify the system software on our phones easily to stop this kind of thing. On a normal Unix system you would just run the app as a separate user (or worst case, sandbox it) but on Android none of the interfaces (or really much of anything at all) can be controlled by the user.

That is simply not a solution that will work for more than 0.1% of the populace. While you meant nothing wrong, your "solution" repulses me because I don’t care about this sort of thing just for myself and other supernerds, but for my friends and family and countrymen as well.

If the means are there, solutions for the 99.9% can be created.

Look at how popular adblock's becoming.

Exactly. I don't get why there is no root account on most android phones. Why is "rooting" a hack that voids your warranty? Why can't we have our smartphones like our computers?

Because alternative mobile operating systems cannot compete in the same consumer space due to the duopoly of walled gardens where people expect all popular apps to be available (although I do believe that there is a niche market for a free software smartphone amongst developers).

If you treat a smartphone as a normal computer, you would expect to be able to use a service such as Uber by means of a modern web browser providing a sandbox for their web application, like you do on Linux, Mac OS X, or Windows. Installing someone's stand-alone software only to access an on-line service would probably seem invasive and absurd.

Broadly speaking, on a smartphone people probably accept this because of the trade-off. Apple and Google keep your mobile computer stable, fast, and free from viruses and malware by managing your operating system and vetting the software you can install through their app-stores. For a lot of people this trade-off seems preferable to an alternative.

That's ideal but runs counter to how Google sets up permissions today.

Android has supported multiple users for quite a while now.

Yes. But sometimes it's removed or not exposed. For example, my Samsung S5 doesn't support multi user

Sure it does: my browsing history, contacts, etc are separate and distinct for each profile. To the best of my knowledge there is no Android permission that'll let you cross that boundary. Please, if you know of evidence to the contrary please share a link to the Android docs. That would be a reason to root my phone and run a release with a privacy plugin.

There is absolutely a permission for that, it's called INTERACT_ACROSS_USERS. I suspect what you mean is 'is there a permission accessible by normal apps that can do this', to which the answer is no - the permission is signature-level, meaning the app must be signed with the same key as the OS to be able to access the permission.

I can't find a page from the official docs from my phone, but there's a list of permissions on Stack Exchange: http://android.stackexchange.com/a/38389/150855

Thank you for the correction, but my point stands: unless it's signed by Google's OS key it won't be able to cross that boundary. Although since ABC is a major investor in Uber...

Why reward those you want to screw with cash?

Just say no to an Uber install, even with a throwaway (TOS-violating) Google account.

How does using an alt account violate Google TOS?

I believe the Gmail TOS used to state that one person could only have one personal account. That has either changed, or I am misremembering.

I think you're misremembering. In fact they make it very easy to have multiple accounts and open them all simultaneously within the same gmail tab, switch between them and manage them fairly seamlessly.

I was recalling when Gmail first introduced free storage in Beta. I believe you were only supposed to have one account so that one person couldn't gain multiple GBs of 'free' storage.

Plus you can register multiple accounts with the same number.

Google released, then withdrew, an interface for revoking and limiting application permissions. On existing Android devices. Three years ago.

We know they can do this. We also know they don't care.

The challenge is to make them care.


Yeah, it would be awesome if they would release an android update that allowed you to revoke and limit application permissions.


As I understand it, that puts the onus fully on application developers, whom users have to trust.

That's precisely the current problem.

No, it does not. Dangerous permissions can be toggled off for all apps now. For apps on the new API level, they can no longer obtain dangerous permissions at install time. They have to trigger an OS-level prompt for the permission. They're supposed to explain why they need it before triggering the OS prompt and many apps did it poorly by adding an extra, meaningless prompt before the real one. This wasn't done for the old API level because it would cause crashes for permissions where data can't feasibly be faked and the user would have no indication that fake/empty data was being used if it was the default.

For Marshmallow. Which 60% of current Android users don't have and will never have until they retire their current devices.

Which is why Google needs to fucking fix this retrospectively.

My copy of Uber just updated and it doesn't seem to be requesting any of these permissions. I'm on Marshmallow, and on the permissions page these permissions are not there. Version 3.98.2 of Uber.

It's possible that these permissions are used in some obscure place in the app. With the new permissions system, you can progressively request permissions when you need them, so it's possible it will request these at some point in the future, but the app seems to run OK without them.

I also disabled access to contacts, which the app does request for some reason.

When you scroll to the bottom on Uber's play store page it displays this for me: http://m.imgur.com/ndfjQWv

They request 'running apps' only from this particular subgroup. Notice the wording on the original screenshot: 'one or more of'.

TLDR they don't request browsing history, the Android permissions screen on update is confusing
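The "one or more of" point from the comment above, as an added example that is not part of the thread and not Uber's manifest: given an AndroidManifest.xml already decoded to text, it reports which members of the "Device & app history" install-screen group an app actually declares and which still apply at a given device API level. The sample manifest, the package name and the two-entry group table (only the members this thread names) are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace that prefixes android:name / android:maxSdkVersion attributes.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: group membership limited to the two entries named in the thread.
DEVICE_AND_APP_HISTORY = {
    "android.permission.GET_TASKS": "retrieve running apps",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS":
        "read your web bookmarks and history",
}

# Per the thread: from Lollipop (API 21) GET_TASKS only returns the
# caller's own tasks, so a declaration there is effectively inert.
GET_TASKS_RESTRICTED_FROM_API = 21

# Constructed sample manifest (hypothetical package, not a real app).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.rideapp">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.GET_TASKS"
        android:maxSdkVersion="20" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
</manifest>
""".strip()


def requested_permissions(manifest_xml):
    """Return [(permission_name, max_sdk_or_None)] for each <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    found = []
    for element in root.iter("uses-permission"):
        name = element.get(ANDROID_NS + "name")
        if not name:
            continue  # malformed entry without a name: nothing to report
        max_sdk = element.get(ANDROID_NS + "maxSdkVersion")
        found.append((name, int(max_sdk) if max_sdk else None))
    return found


def audit_group(manifest_xml, device_api):
    """Compare what the group label implies with what the manifest declares.

    declared          group members present in the manifest
    not_declared      group members the label mentions but the app never asks for
    active_on_device  declared members not cut off by maxSdkVersion at device_api
    platform_limited  active members the platform itself has restricted
    """
    declared = {
        name: max_sdk
        for name, max_sdk in requested_permissions(manifest_xml)
        if name in DEVICE_AND_APP_HISTORY
    }
    report = {"declared": [], "not_declared": [],
              "active_on_device": [], "platform_limited": []}
    for name in sorted(DEVICE_AND_APP_HISTORY):
        if name not in declared:
            report["not_declared"].append(name)
            continue
        report["declared"].append(name)
        max_sdk = declared[name]
        if max_sdk is not None and device_api > max_sdk:
            continue  # the manifest itself stops requesting it on this device
        report["active_on_device"].append(name)
        if (name == "android.permission.GET_TASKS"
                and device_api >= GET_TASKS_RESTRICTED_FROM_API):
            report["platform_limited"].append(name)
    return report


if __name__ == "__main__":
    for api in (19, 23):
        print("API", api, audit_group(SAMPLE_MANIFEST, api))
```
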

When I go to that page I see the "retrieve running apps" permission under a category "Other." It would appear that I cannot disable the "Other" category in the app permission configuration.

EDIT: There's another comment in the thread that indicates that this retrieve running apps permission actually doesn't do anything on Lollipop+: it just returns the app's own windows. Which would explain why it was moved to the "Other" category.

Not 100% sure, but I think the access to contacts is so that you can split ride fares with other people.

> Not 100% sure, but I think the access to contacts is so that you can split ride fares with other people.

There's a standard intent to select a contact for purposes like that, and then the app only gets access to the information of that contact. Apps requesting access to contacts get all contacts.

It's actually probably so you can autocomplete a contact as a destination address for your Uber. The same is true in Maps for navigation. Unfortunately UX wins over privacy so launching an intent to pick a contact probably wasn't as elegant as using a unified autocomplete field.

Aha! So maybe they need a variety of permissions in order to apply machine learning so as to enhance the UX.

this is why I don't use an android device as my primary phone, even though my perception is that you get rather more bang for your buck, hardware wise, on android phones, and even though the samsung gear VR looks like someone implemented one of my less-realistic fantasies.

On iOS, yes, uber asks for access to my contacts list, I click 'no' and uber works just fine (modulo the 'spam my friends' feature, which I didn't want anyhow.)

On an android, my understanding is that I've gotta choose between giving uber permission to spam my contacts list and simply not using uber, which is sad, because uber is way more convenient than a yellow cab.

This contributes to the perception that because iOS is paid for up-front, apple is willing to do things that might make apps less profitable, if it makes those apps better for the users, but that Android, because it is paid for by advertising, is less willing to side with the user against the app providers/advertisers.

This is how it works in Android 6 - permissions are requested as needed and user can deny them individually.

Unfortunately apps have to be built against the new API, so it does not happen automatically for old apps.

Interesting! I hadn't heard anything about it past the 4.4.2 kerfuffle[1] I thought I looked, but maybe I haven't looked hard enough? - I've had family complain to me that they can't use uber because of the 'uber wants access to my contacts' issue.

hm. Perhaps I ought to research this; the gear VR does seem really great, especially if you can somehow wire a text editor into it. (I already have a bluetooth mechanical keyboard)


You can deny permissions individually for older apps as well.

They aren't capable of handling the case where they aren't given access to a permission though, so that makes them potentially more prone to crashing.

My idea is that if they try to access your contacts, instead of receiving a potentially unhandled "access denied" exception, they should just receive an empty contact list. Et cetera.

I don't even understand why Android would even let this happen. I can't even think of desktop apps that try to gain access to your history or bookmarks let alone a mobile app.

One time bookmark import is a thing I suppose, but that's different than gaining permanent access once granted.

Desktop apps usually have access to everything on your drive or running under the same user.

Yes, obviously it's possible for them to gain access, I'm saying I don't know of any desktop apps that need access to any of that other than one time bookmark importing.

For example, you may wish to use an editor or viewer on any file on your machine.

Relevant username? :P

Your name? How?

History sync, search personalization.

It is not possible for an app to get browsing history on iOS, right? (I have never seen any app ask for that permission personally)

You are correct. This seems like a very dangerous permission to grant to apps.

I hate that AI support-replies are a thing. He sent a serious mail, and got a bogus reply back. I've had the same issues myself with other vendors, for instance Steam.

Presumably they want to see if you are running Lyft.

And it wouldn't do anything for if you had two phones, right? This is pretty annoying as someone who still wants to use Uber. Enough that I would consider a competitor.

In what scenario would a person be using one phone for Lyft and one for Uber?

I use two phones, but I have both apps on both.


Drivers have a different app, this is the consumer app.

They may well share code and or library dependencies which could be where the 'need' for the permissions comes from.

Most people don't have 2 phones, and put lyft/uber on different ones. I'm presuming they're doing it so they can target lyft users with more promotions.

Ah yes the multitude of people who have lyft on one phone, and uber on another.

And then of course they have their twitter phone, and their facebook phone and...

Props to whoever's responsible for itemized permissions requests on install/update--stories like these probably wouldn't exist without it.

Does this recovery attempt of a bad feature deserve praise? It wouldn't be an issue if permissions were properly implemented from the go - i.e. user had the control over what permissions the app gets.

There's an Android mod which deals with apps like that. They can try to read all the user's info, but what they get is all phony.

that should be the default... but of course Google is complicit...

Given enough incentive, Google might even be willing to issue a patch to allow permissions to apps that were not possible otherwise.

So this is information about Uber app that I found in some blog:


Android Uber app code has many suspicious places. For example, it contains a namespace "com.baidu.frontia" and classes there include such code as:

    localObject = ((TelephonyManager)localObject).getSubscriberId(); // gets IMSI 
    ((TelephonyManager)localObject2).getDeviceId(); // gets IMEI
    localObject1 = ((WifiInfo)localObject1).getMacAddress();
    public static void makeCall(String paramString)
    public static void sendSMS

Also there is the code that collects information about cell towers, mcc and mnc codes, scans wifi networks.

I looked quickly through the code and it seems that those methods are never called. They are probably just a part of a library not used in this app. Uber mostly uses baidu maps, authorization and payment API.

That code is from the Baidu SDK which Uber integrates into its app for Chinese users.

Right, Uber works in China as well...same app, completely different infrastructure. If you come to China with your uber app, it will still work (provided you have wifi or data).

Uber also does UnionPay as a payment option...again, same app.

Still suspicious nonetheless

I think you're on to something, for example the Uber app probably also uses the `true` constant in places, which could be used by `if` comparisons, and Uber could actually be using `if` comparisons all over the place. Who knows what sort of suspicious `if` comparisons Uber's app might be making? We don't know, and until we do we should probably not use this app.

Not sure if this is sarcasm or just strange.

Not sure why your post is being downvoted, when the laborious Reddit-level sarcasm in the post you replied to is the kind of useless, non-constructive crap I thought was frowned upon here.

Parent is Clearly an Uber employee

How about make apps show us the data they collect, and if they don't, they don't get access to the store. Google has a pretty awesome page that lists all that crap they collect on you and you can delete it from there.

On the Google store site, when browsing apps, there should be a tab on every app page where I can see a sample of what it collects and a declaration of what it does with that data.

After installing the app, in the app manager, I should get a tab where I can see what it's grabbing from me.

Right now we got strangers going into our bedrooms borrowing something they won't tell us what it is.

And really, permissions don't help a lot when it comes to this. Yeah, my bookmark dup cleaner has to access my bookmarks to clean, so I give it the permission, but does it keep them? Does it sell them? I don't know; permissions aren't that detailed. If there was a privacy tab that I could check, then I would know.

People hide nanny cams to watch the nanny. It's because they gave her permission to have access to the house and kid and such. The cam is like my privacy tab: it makes sure she doesn't abuse the permissions. We KNOW she needs access to the house and kid to do her job; we just don't want the kid molested. Well, I don't want my data molested. So Google, please give me an app nanny cam.

I believe the browser history lookup doesn't work anymore (I tried recently on 5.0 I believe). Also, many of the Android permissions are unnecessarily broad, I think that really would be a good thing to fix. Oftentimes you only need some specific function, but have to request a much broader range.

Examples? (Especially any for browsing history, bookmarks, or running apps.)

Getting a list of accounts (needed if you want to integrate with Google login), asks the user if the app can read their contacts: https://code.google.com/p/android/issues/detail?id=189766#c8.

Another example is phone state https://arnowelzel.de/wp/en/android-and-read_phone_state (games use this to adjust volume to not drown out calls). There is a replacement, but it's not well known.

I'm really starting to worry about this as an Android user.

If I want to keep control of my privacy there are so many apps that I can't trust to install. Even little dinky games are asking for access to contacts and messages and all sorts of other things.

An application on a desktop computer that steals data from your email application and sends it back to base is called "Malware". On Android, this is called "business as usual" from what I can tell. I don't know the app developers' reputation, I don't know anything... Except that someone in some other country has unbridled access to my phone.

As a result there are many applications I want to use and I just don't install.

It's not very cool.

Not sure why you are getting downvoted for voicing a valid concern.

Probably due to the lack of scientific rigor that I failed to produce in all of 3 seconds, or, just general BS of an online community. Or shills, who knows! Nobody said this was a community of rational beings.

Anyone who knows android dev knows this is a non issue. The permission they request doesn't even do anything in lollipop and later. Sounds more like a bad dev than anything malicious.

What's the saying? Never attribute to malice with what can be explained by stupidity?

I think that proverb is not for accuracy, but rather for gentle social relations. Otherwise, a more balanced approach would sound like, attribute a set of factors X to a phenomena Y in whatever way you think is most fit or empirically economical, or better sounding would be, "choose the middle way".

That way, you are neither under-trusting nor over-trusting.

If the prompt is there it surely must do something. Otherwise google would remove it because the fewer prompts the better.

>Never attribute to malice with what can be explained by stupidity

Hanlon's razor

With the modern anti-corollary: neoliberalism.

Is a logical fallacy that is overused and hardly ever true, and should be relegated to the dustbin of intellectual discourse where it belongs.

It's not a logical argument. It's more of a heuristic of human behavior, which tends to be right. Only rarely is there someone sitting behind a large desk making tent hands while laughing maniacally.

EDIT: On second thought, if it is a logical argument, it's a specific case of Occam's Razor. Which is more likely? Someone made a mistake, or there is a grand conspiracy?

Here's another fallacy: the fallacy of the excluded middle or the false dichotomy. There are many alternatives on the spectrum between "mistake" and "grand conspiracy".

Exactly. These include such situations as:

- a mistake where misaligned incentives are against fixing it

- a questionable decision exacerbated by a mistake

- malice on the part of an external actor plus internal incompetence (essentially all data breaches)

Crazy town app permissions are what keep me from using Android. I really wouldn't be able to install half the apps out there that ask for all sorts of permissions that are frankly obnoxious.

Uber could provide much more than a point to point ride service in its current traditional sense if users are willing to give up more data. For example, it could provide user a tour/travel experience to match with the proper driver if it knows you are traveling. Or send you off to a nice dining experience if it knows you are a foodie, etc.

Just switch to the mobile web. Same capability, same interface, no intrusive permissions requirements.

Add it to your homescreen and you even get the glorious U logo back!


Sadly, 98% of folks will blindly accept this.

I'd venture to guess the number is likely closer to 99.9999%

Right. I remember hearing from somebody about Google Now recently. The guy was happy that it reminds him of bills etc., added that it even gets the amount and due date from the "emails" and "reminds".

Frankly, a vast majority (99.99%+) don't care.

By "don't care," you mean, "are extremely delighted when Google reminds them to pay a bill on time and avoid a late fee."

I have often wondered why Android doesn't categorise or have some mechanism to allow users to revoke permission later. I have been a long time Android user but recently started using iPhone. I don't like iPhone for many reasons but then the control you have on turning on and turning off location, data connectivity, access to photos etc from one screen is really something you should have on all devices. I felt the need of this, when Facebook asked for permission to read my messages.

This feature has been available on Android M for a while now. Sadly, the fragmentation of versions running on the Android platform is the biggest threat to its security.

Didn't Uber just admit to giving Feds their data on all their users?

What's the thought on Uber having access to such data as browsing and passing that along to the feds too?

No they didn't.

Yes they did. Don't tell me know until you can learn how to Google.

Don't tell you what?

I have observed on my device when I use Transit Stop to check for bus schedule, Uber app pops up.

This has little to do with Uber and is all to do with Android.

Care about privacy. Use Google products. Pick one.

Interesting that the headline leaves out the fact that this only applies to poor, security-less Android. Less sensational that way, I guess. (And less accurate.)

keep the big picture in mind here. If Ü can't tell what it looks like you're trying to do, they can't perfect clippy.

If you are running the app on Marshmallow, with iOS-style permission requests, in what contexts does the app ask you for these?

When you update (and the permissions have changed)

i'm on marshmallow, updated the app. it popped the contacts (http://i.imgur.com/wNzktdO.png) one when i tried to create a family profile (so i could add people to my family account).

other than that, i could not make these new permissions to trigger.

With Marshmallow, you can just turn off or deny certain permissions. So for most people who really want to run the Uber app, the question is really whether it runs OK without all these permissions.

Uber did this knowing very well that most people don't have Marshmallow on their smartphone.

Most people don't read the needed permission, even fewer know about those settings.

How many end-users understand permissions and are able to manage them?

+1 Uninstalled

Are they doing it at the behest of NSA?

There is definitely an Uber presence on HN doing damage control.

We detached this subthread from https://news.ycombinator.com/item?id=11512701 and marked it off-topic.

Or some people on HN work for Uber, a near certainty given the company's size.

In that case, the established, respected and ethical way is to state that affiliation in the comment.

I don't get why people working there would defend their company's shady tactics. But then again, I never understand why people blindly defend their countries, sport teams, etc.

If the tactics are not shady, come out and plainly state it. No such statement has been made that I can see.

Uber are mold-breakers who are well known for 'disrupting' "the established, respected and ethical way" of doing X.

They are simply revolutionizing the old-fashioned and corrupt HN commenting industry.

Or, alternatively, people (like me) who don't like a witch hunt. I have no affiliation with Uber, no affiliation with ride-sharing or taxis, have never used them, but I think the entire situation is being blown way out of proportion. Uber certainly doesn't need me jumping to their defense, but it annoys me when people read malicious intentions into something that has a perfectly reasonable non-malicious explanation.

Sure, malice does sometimes exist on these things, but most instances of this stuff in major apps turn out to be entirely benign. Ill-planned perhaps, but not malicious.

People sure love to throw out the shill card without providing any proof.

The fact is there are shills everywhere. It's hard to prove them in all cases. But it is a "big" and important industry for companies to anonymously and without accountability do damage control. There have been articles and AMA's etc. from people who had worked for these firms and it's really disgusting.

So it's not people with tin foil hats speculating that shills might exist - we know shills exist and are pervasive. Given that, we should have a certain non zero belief that any given poster is a shill. Not sure what is the best way to proceed when you know for sure that there are spies around you all the time. That's a bigger discussion. But jumping on people as if we should have to prove beyond a reasonable doubt that there's a shill is really counter productive and helping "them" win.

The existence of past conspiracies does not offer proof of new ones. Likewise, the fact that shills have existed in the past does not mean they exist here and now. The burden of proof is still on the one making the claim.

It's not only irresponsible but dangerous to take a guilty until proven innocent approach. You should expect somebody to prove it if they're making a claim. That's not letting anyone "win".

Look at profiles. Look for unusual voting patterns. Is it more likely that Uber is secretly watching and manipulating a forum for hackers, or could it be that a lot of people here actually quite like Uber as a company? Occam's razor suggests the latter.

Or maybe - like me - this story just seems shaky as hell with people not understanding that Android permissions (like license agreements) often over-extend themselves. That a permission requiring X doesn't mean X is being used. All the time we see things like "App requires contacts list" where it's only grabbing the owner's info.

Honestly, playing the shill card is lazy and irrelevant. If you have proof, show it -- otherwise you're just spreading FUD.

Perhaps, but the comments are a bit silly given what the parent poster says: 60% of Android users are affected by this.

Why do Uber need that permission in the first place? What exactly are they doing with the permissions that are granted?

They want to black-box your mind, of course ;)

It would make a pretty poor shill if it were easy to prove it.

On HN, who is able to delete comments?

Hmmm. Nobody talking about other apps that do this? Talking about Tinder[1] for example. They require "Device ID and cell information" too.

[1]: https://twitter.com/manu29d/status/710883865955422208

"Et tu" comments without even bothering to search for earlier submissions aren't particularly enlightening.


From myself in the past week. I've lobbied several app devs to remove/reduce permissions. I've uninstalled others.

Android's privacy model sucks. It needs retroactive fixes. Highlighting the problems is how that gets fixed.

Edit: interestingly, this comment had five points before the uber fans modded away. Easier to click down than explain rogue apps I suppose...

They were lucky they didn't try the beta version of the new forthcoming uber app - that version wants access to the phones of all your friends, family, neighbours, your postman, the sister of the locksmith that helped you get the spare key last year, and the chap you met on the train to work last week called Brian. Still, go uber!

Your comment was downvoted because it doesn't add to the conversation and is mostly nonsense ("sister of the locksmith?").

Come on guys, where are the academics? Instead of overreacting please just reverse engineer, get the facts and check WHY the Uber app actually requests these permissions. I mean, it's still Java, so you got the source. I don't think they're using native code or do more obfuscation than the average app (disclaimer, haven't checked (yet)). Who's first?

The burden of proof on the necessity of those permissions lies in the creators, not the consumers.

I agree. Yet this is Hackernews, and if the creators don't do it we can.

if all they do is send the data home, you won't know what they use it for..

If you'd find out the Uber app is sending home your browser history, this is big news already! I'm in CEST, if I wouldn't be sleeping right now I'd start up Burp, Charles or Fiddler to check.

everyone should run burp on their phone at least once! it's a kinda terrifying experience seeing how much data everyone collects on you...

I'm a journalism student and would like to investigate this issue. Can you keep me up to date if you find out anything?

If you have any questions, you can write Uber at privacy@uber.com.

-iOS App Permissions https://www.uber.com/legal/other/ios-permissions/

-Android App Permissions https://www.uber.com/legal/other/android-permissions/

Did you read the post? He contacted privacy@uber.com.

Question: http://i.imgur.com/K1mAtiH.png

Scripted reply that didn't answer question: http://i.imgur.com/m9sWJZR.png

Also, as mentioned in the post, https://www.uber.com/legal/other/android-permissions/ doesn't mention the new permissions.

If I made that clear, it would be less likely others would contact Uber; appears that I should have just let it be.
