[dupe] Uber app can secretly record your iPhone screen thanks to special ‘entitlement’ (thenextweb.com)
87 points by chmars on Oct 6, 2017 | 39 comments

Interesting that this is being framed as an Uber transgression when Apple should take the rap for even creating this permission in the first place.

Sounds like Apple created it as a hack and granted the permission to Uber as a workaround to get Uber's watch app out of the door. Chances are they granted it to other apps too.

Then Apple forgot to remove the permission after it was obsolete. (Either Apple created an alternative method that had no security issues, or Uber had more time to create an implementation that rendered the map on the watch.)

> Chances are they granted it to other apps

Other apps were not given access.

If the entitlements system wasn't there, anyone could access "dangerous" private APIs by just using the objC runtime.

This way, only apps signed with the appropriate entitlements (usually system apps) can run those calls...

I'd say the permission is valid (seems to be direct fb access or something similar), but should be allowed only in very specific cases
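The comment above says only apps signed with the right entitlements can reach the gated private calls. Here is what that looks like in bytes, as an added example (Python) that is not from this thread or from Apple or Uber: the entitlements an app is signed with are stored in its code signature as a GenericBlob tagged `CSMAGIC_EMBEDDED_ENTITLEMENTS` (`0xfade7171`): a big-endian 4-byte magic, a big-endian 4-byte length that includes the 8-byte header, then an XML plist. The script builds a constructed signature slice inline, finds the blob, parses it, and flags every key under the `com.apple.private.` namespace. The entitlement name `com.apple.private.example-screen-capture` and the bundle id are made up for illustration; the thread never names the real entitlement.

```python
"""Audit the entitlements embedded in a Mach-O code signature (added example)."""
import plistlib
import struct

CSMAGIC_EMBEDDED_ENTITLEMENTS = 0xFADE7171   # GenericBlob magic for the XML entitlements
PRIVATE_PREFIX = "com.apple.private."        # namespace Apple reserves for its own/approved apps


def build_entitlements_blob(entitlements: dict) -> bytes:
    """Serialise a dict as an embedded-entitlements GenericBlob (used for the fixture)."""
    payload = plistlib.dumps(entitlements, fmt=plistlib.FMT_XML)
    # Header: magic, then total length including the 8 header bytes.
    return struct.pack(">II", CSMAGIC_EMBEDDED_ENTITLEMENTS, 8 + len(payload)) + payload


def extract_entitlements(signature: bytes) -> dict:
    """Locate the entitlements blob inside raw code-signature bytes and parse it.

    Returns {} when no blob is present (e.g. an unsigned binary, or one
    signed with no entitlements at all). Scans for the magic instead of
    walking the SuperBlob index so it also works on a partial dump.
    """
    magic = struct.pack(">I", CSMAGIC_EMBEDDED_ENTITLEMENTS)
    offset = signature.find(magic)
    if offset < 0:
        return {}
    (length,) = struct.unpack_from(">I", signature, offset + 4)
    body = signature[offset + 8 : offset + length]
    return plistlib.loads(body)


def audit_entitlements(entitlements: dict) -> dict:
    """Split the entitlement keys into public ones and private ones that gate private API."""
    private = sorted(k for k in entitlements if k.startswith(PRIVATE_PREFIX))
    public = sorted(k for k in entitlements if not k.startswith(PRIVATE_PREFIX))
    return {"private": private, "public": public}


# Constructed fixture: an ordinary third-party entitlement set plus one
# hypothetical private entitlement. The private key's name is invented;
# the article does not give the real entitlement's identifier.
SAMPLE_ENTITLEMENTS = {
    "application-identifier": "TEAMID1234.com.example.rideshare",
    "com.apple.developer.team-identifier": "TEAMID1234",
    "keychain-access-groups": ["TEAMID1234.com.example.rideshare"],
    "get-task-allow": False,
    "com.apple.private.example-screen-capture": True,
}

# Surround the blob with other signature bytes (a SuperBlob magic and padding)
# so the scan has to find it rather than assume it sits at offset 0.
SAMPLE_SIGNATURE = (
    b"\xfa\xde\x0c\xc0"
    + b"\x00" * 28
    + build_entitlements_blob(SAMPLE_ENTITLEMENTS)
    + b"\x00" * 16
)

if __name__ == "__main__":
    found = extract_entitlements(SAMPLE_SIGNATURE)
    report = audit_entitlements(found)
    for key in report["private"]:
        print(f"PRIVATE  {key} = {found[key]!r}")
    for key in report["public"]:
        print(f"public   {key} = {found[key]!r}")
```

On a real app bundle on macOS, `codesign -d --entitlements :- /path/to/App.app` prints the same plist without any parsing; the point of the script is to show that the entitlement set is part of the signed blob, so an app cannot grant itself a `com.apple.private.*` key without Apple's signature covering it. Two caveats for real binaries: a magic scan can in principle match the same four bytes inside another blob, so a production tool should walk the SuperBlob index instead, and newer signatures also carry a DER-encoded copy of the entitlements under a separate magic, which this script does not read.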

>I'd say the permission is valid (seems to be direct fb access or something similar), but should be allowed only in very specific cases

Maybe, but then the user should explicitly authorize it AND it should be optional; if this is not the case, then it should not exist.

In any case, it does sound a bit shady that such permission exists at all and - according to the article - Apple "can decide" who can use it.

It seems like there are "class A" and "class B" developers rated by Apple and given (or denied) this "permission".

And only if a blue/red status bar is shown while this API is in use, and e.g. 5 seconds afterwards.

Still, Uber could detect when your phone is on the table and quickly take screenshots. This is very prone to abuse, some log should be available for auditing.

It's trendy to bash Uber.

According to the update at the end of the article, Uber says they only used this API to render maps in an early version of their Apple watch app and they haven't been using it at all for some time. They claim they are working with Apple to get this entitlement removed.

1. Yes and I believe them (not). They will. Now. That they got busted. Red handed. Again.

2. They can't catch a break!! (but they try really hard to be on the news with news of sexual harassment, actively identifying and avoiding authorities, trying to cover up rapes, spying on drivers and clients)(that's a good rap sheet)

I believe them. Uber may be a shitty company but that seems like a very likely reason.

It seems legitimate.

You also seem to irrationally hate Uber.

It does seem legitimate, but I'm not sure the hatred of Uber is really irrational - they've got a terrible record for shady behaviour, which is going to influence people's opinion of them when something like this comes up.

His hate isn't necessarily irrational.

Uber promises you that they're being real nice. That is really comforting to know that they are claiming to be acting morally here...

Uber also say they protect your privacy, even when they violate it instead.

I kind of want to know why Apple granted them permission to do this. It seems like a horrible idea, regardless of the app vendor. What the hell were they thinking?

They needed to boost Apple Watch adoption when it was released. To do that, they wanted many apps on there, including popular ones like Uber (and Uber is actually a good use case). Unfortunately, watchOS couldn't render maps back then. The marketing department was probably at their ass to get it working, so the engineering team had to come up with something so Uber would be on the Apple Watch: they allowed them to use private APIs.

A very bad move, but I can understand the motive.

Hmm... I suppose that does explain the motive, though I'm not sure about the logic.

On the other hand, I have the luxury of Monday quarterbacking and the knowledge of what has gone on between now and then.

I am curious as to who else might have gotten that entitlement and we just don't know it yet. Apple, being more privacy aware (or at least PR aware), probably has not handed it out to bunches of people and governments. Probably...

Only Uber got it.

Are you certain of this? If so, how?

I investigated the situation and checked to ensure there were not other apps using this (so as not to unfairly single Uber out).

I think this is how the Find My Friends app on the phone draws its map to this day.


Apple letting a (morally corrupt) third party violate your privacy.

And some people still think the government/NSA does somehow not have complete access to your data?

Stuff like that is a bit at odds with the pro-privacy marketing that Apple has been pushing recently. Guess it shows how important certain high-profile apps are for smartphone ecosystems when Uber even got Apple to give them access to features like that.

I just uninstalled it. I do too many confidential things on my phone to even let this be a possibility. That's too bad because I was an avid Uber user. I hope they can shed some light on this and say it's fixed (and verified).

I guess you can still use m.uber.com

Thanks for sharing that. I wasn't aware.

On a similar topic, how does the Facebook app on Android suggest pictures taken with the phone's camera to me, when neither it nor any of the Facebook infrastructure apps have any permission to access local media?

What version of the app and Android are you running? I'm on Android 8.0 and just double checked, the second I turn off the storage permission, Facebook can no longer suggest or access any images on my device.

Oops I'm a dumbass scaremongerer it seems - indeed I did have 'storage' still checked despite thinking I had everything disabled! Sorry!

If you've ever shared a photo via Facebook, the app has that permission, I'm sure. Recheck your permissions settings.

On top of that, the installed Facebook app spies on your usage of other apps. They bought Onavo for that specific function.

If you're talking about the VPN, you have to explicitly turn it on, and the first time you do so Android asks you for permission to let it "monitor network traffic" (actual quote from the dialog).

For the first time I tried to install the Uber app last weekend when I needed a taxi in a country where Uber is present.

I then found out that the Uber iOS app is larger than 150MB (!).

I couldn't come up with a reason why the app would need to be that ridiculously huge except for spying frameworks, so I did not download it. There were taxis waiting less than 30m away anyway.

I'm glad I have not sold my soul to Uber ;-)

Spying frameworks wouldn't be responsible for taking so much space. Usually the largest files in mobile apps are the assets (sounds, videos, images, etc.) and not code; code is actually quite minimal.

So yup, your assumption is probably very wrong. And I'm not an Uber user (exactly for privacy and ethical reasons).

Don't iOS apps also have all resources embedded regardless of the device? Like high res retina icons are in the app even though you are using an iPhone 4 or whatever. That would also explain the larger app size.

Not since iOS 9...

