Uber’s iOS App Had Secret Permissions That Allowed It to Copy Your Phone Screen (gizmodo.com)
163 points by thisjustinm on Oct 5, 2017 | 21 comments

While it's easy to point the finger at Uber given its history, we also need to be asking Apple why this isn't something that's apparent to the user.

How is this not a more popular story on HN? This seems like huge news to me.

You may have just discovered how prolific Apple fanboyism is on HN. If Google did this it'd be a much bigger deal on HN and people would be pointing out how this is why they use Apple products.

All smartphones are a privacy/security shit show, Apple is no exception.

Eh, compared to the “shit show” I just witnessed in the supposed “dark UI” around the new control center toggles, I’m inclined to believe that both sides get their side of crap.

Conversely Hackernews, like many tech sites, also has a million people who have to whine their exaggerated complaints on every Apple article, like how every software suddenly ‘slurps’ their battery, how nothing is ‘snappy’ anymore and how Jobs is spinning in his grave about the latest UI ‘disaster’ and problem’gate’.

Today the walls in the hated ‘walled garden’ are not high enough.

The reality: these exceptions are made in a way that is exposed to external users which is much more transparent than most companies would be. It is stupid that Uber still has access if they don’t need it anymore. If you have to do a demo and it has to work before it is ready you have to make tough decisions.

If FB did this, people would be asking for Zuck's head on the chopping block.

Well, if you take Uber at its word (which I know is difficult) that it was only being used to render maps on the Watch, it doesn't seem like that big a deal to me.

If it's such a non-issue, just ask for the permission! That's what these granular permissions are for. To allow the OS to lock down features to stop naughty apps being naughty but still allow apps we want to have them to do their business.

Sneaking around like this only begs the question: what else aren't they telling you?

Uber has shown itself to be a very trustworthy company. And respectful of users' privacy in the past. /s

Wondering what the legitimate use for this was?

From the article: “Apple gave us this permission years ago because Apple Watch couldn’t handle our maps rendering. It’s not connected to anything in our current codebase,” Uber’s spokesperson explained.

The article states they were rendering maps screens on the phone and shipping the screenshot to the watch to handle performance issues with the watch.

I don't buy this explanation. You need full control over the screen's framebuffer to render an image?

Even if your architecture is so hosed that you are screencap'ing the actual screen to get an image to ship over a network connection … multiple people thought that tradeoff with security was worth it?

> You need full control over the screen's framebuffer to render an image?

No, but you do need the ability to render in the background, and apps aren't allowed to do any GPU-based rendering in the background (you can't touch an OpenGL context, and while I haven't actually confirmed this I assume you can't touch a Metal one either). This entitlement probably let them skip that restriction to do fast rendering in the background.

I do wonder why they exclusively got it, and others (who must have had similar rendering issues) did not.

Presumably because they were a headlining launch app for the Apple Watch and were in the keynote.

Wasn’t Lyft also showcased at that event?

Also, how do they still have it if it’s not needed? First cardinal rule of elevated privileges is to immediately give them up when no longer used.

Apple Watch Series 0 is possibly still not capable of rendering maps quickly and has to rely on a companion device. I guess Apple would have to leave this entitlement for Uber until the Watch Series 0 reached end of life five years after last selling them. Which would be quite the security risk.

You sure? I think that was fixed with a WatchOS update (probably 2, but certainly by 3).

Curious, how much access like this could cost. Still, FaceID is safe by design.
