Since the website is currently down, this person reverse-engineered Uber's Android app and discovered it has code that will "call home" aka send data back to Uber with your:
- SMS list [edit: see other comments re SMSLog, SMS permission is not currently requested]
- call history
- wifi connections
- GPS location
- every type of device fingerprint possible (device IDs)
It also checks if you're phone is rooted/jailbroken and if it's vulnerable to Heartbleed... which it also calls home.
From my understanding, which the author somehow missed, is that it is using http://www.inauth.com SDK which provides 'malware detection'. This SDK is popular in the 'mobile finance industry' and the banking sector. Also notably one of the founders is former DHS/FBI.
Two possible theories: it is being used for fraud detection and/or an intelligence gathering tool.
Edit: here is a copy of the decompiled source code http://www.gironsec.com/blog/wp-content/uploads/2014/11/InAu... note the name "package com.inauth.mme"
Edit #2: here is a screenshot of Uber's permission request https://i.imgur.com/4MmYrJH.png no SMS on the list
- Accounts log (Email)
- App Activity (Name, PackageName, Process Number of activity, Processed id)
- App Data Usage (Cache size, code size, data size, name, package name)
- App Install (installed at, name, package name, unknown sources enabled, version code, version name)
- Battery (health, level, plugged, present, scale, status, technology, temperature, voltage)
- Device Info (board, brand, build version, cell number, device, device type, display, fingerprint, ip, mac address, manufacturer, model, os platform, product, sdk code, total disk space, unknown sources enabled)
- GPS (accuracy, altitude, latitude, longitude, provider, speed)
- MMS (from number, mms at, mmss type, service number, to number)
- NetData (bytes received, bytes sent, connection type, interface type)
- PhoneCall (call duration, called at, from number, phone call type, to number)
- SMS (from number, service number, sms at, sms type, to number)
- TelephonyInfo (cell tower id, cell tower latitude, cell tower longitude, imei, iso country code, local area code, meid, mobile country code, mobile network code, network name, network type, phone type, sim serial number, sim state, subscriber id)
- WifiConnection (bssid, ip, linkspeed, macaddr, networkid, rssi, ssid)
- WifiNeighbors (bssid, capabilities, frequency, level, ssid)
- Root Check (root staus code, root status reason code, root version, sig file version)
- Malware Info (algorithm confidence, app list, found malware, malware sdk version, package list, reason code, service list, sigfile version)
Or, put differently, I really don't see any reason for Google not to immediately remove this app from the store permanently and ban whatever developer uploaded it. There should probably be legal action.
Edit: I've augmented the various types of data retrieved (ie: there is capability in the source to read, save and transmit this data) from the inauth framework sources.
Apart from Google being an investor in Uber?
Uber has what's pretty close to a monopoly in what it offers, apart from a few cities in the US where Lyft also operates. I would say most people that user Uber are not interested in using the regular local taxi service.
This reputation is definitely damaging, and it's common knowledge here. Drivers bitch about it. They recommend Lyft.
But like, Uber is in 230 cities around the world. Here in Australia I believe they added over 1000 new drivers over the past month. Here, Uber is the alternative. There is no Lyft or Sidecar - mainly because alternatives are too scared of legal action from government - ridesharing is essentially illegal here, but Uber plays the we're-waiting-for-the-law-to-catch-up card regardless.
If the analysis holds up, it would be very bad publicity to appear complicit.
The original article is down, but do they somehow bypass the Android permission authorization process? Or the user still has to authorize the app to access all the resources?
The issue is that they're phoning all this information home, when the user might only be expecting it to be retrieved while the app is in use and only as needed.
You're deluded. If you don't like this, stop using Android. I did.
That does not make it ok.
So...I'd love to know...are they really doing this?
If they're actually sending all this stuff, I'm also telling everyone I know about it. But only if they actually are.
I wiped an old Android phone, configured it with a dummy Gmail account, and then installed the Uber app there.
So it's a dedicated Uber-only phone with no contacts, no personal data, powered off until I need a ride. It's a giant pain in the ass.
Kinda happy to see this article, it validates my paranoia in some small way.
Now the real question is, why use Uber at all if they're this cavalier with my personal information? Good question, I may not need to power-on my Uber-only phone any more.
Android isn't perfect (case in point: it should support saying "yes I want to install the app, no it can't have the permissions it asked for"), but at least it isn't iOS; I'm not going to stick with a feature phone until someone comes up with the perfect smartphone OS. If someone comes up with a service better than Uber, I'll switch. (For instance, I do plan to try Lyft next time I'm in a city it supports, to see if the experience is better.)
That seems like a massively inconvenient workaround to use a service which really only offers a mild convenience (over, say, a regular taxi).
There are areas where taxi service is so spotty as to be scary, were simply getting a cab is a huge pain (IE: called and ordered) and flagging one down is a non-starter. Even after calling in a cab, they often end up being no-shows (get a better fare en-route, etc)... it is scary when you can't get dependable public transit home from a location (stuck alone, outside, waiting for sometimes hours).
Uber started and initially flourished in areas were taxi service was insanely poor due to bad regulation and/or corruption. Uber was basically a response to the godawful taxi situation in SF.
I know I feel far more comfortable when the people I care about are able to get an Uber/Lyft/(similar) service.
Nothing provided by the OP shows what is actually being sent. The linked text document of the code only shows the creation of an instance of the SMSLog class, which itself is defined in another class (not provided or discussed by OP). This is the same for most of the scary bits, which is unfortunate as seeing the code itself (or the MITM'ing the app and seeing the data) would be very interesting.
- checked at (timestamp when read?), to number, service number, sms at (timestamp received?), sms type
Now I can't tell you if it does actually transmit that data, but the remainder of the code looks for the world like it. In the end, of course, it doesn't actually matter. That's like arguing if malware that lies dormant actually exists.
It doesn't ask for permissions to access anything SMS related, or call history related.
I'm assuming they've included the entire InAuth SDK, but not used most of the functionality.
I use disposable emails for every site (www.spamgourmet.com). After installing LinkedIn and Facebook Android apps they started recommending adding old coworkers that I have 0 mutual friends / connections with.
ACCESS_COARSE_LOCATION & ACCESS_FINE_LOCATION: Fairly obvious, they need to figure out where to pick you up
ACCESS_NETWORK_STATE, ACCESS_WIFI_STATE , INTERNET: They need to figure out if you have internet and use it
WAKE_LOCK: Keep the network running so you can get real-time updates about your driver
GET_ACCOUNTS, USE_CREDENTIALS, MANAGE_ACCOUNTS: For logging in with Google
CAMERA: You can take a picture of your credit card for easier entry
CALL_PHONE: So you can call your driver
MANAGE_ACCOUNTS: So they can add your uber account to your phone
READ_CONTACTS: Probably for inviting friends or splitting ride costs
READ_PHONE_STATE: Legacy analytics reasons
WRITE_EXTERNAL_STORAGE: Probably unnecessary, but they are probably just storing data
VIBRATE: For notifications
The rest are for push notifications
As far as the roottools, I know Crashlytics checks for root so they can provide that data in their console for crashes. It's a pretty useful thing to be able to weed crashes from rooted devices out. They usually make very little sense and violate the advertised behavior of the SDK.
- CAMERA: there's an intent for that, you don't need the permission, although it will require tapping the "take a photo" and "ok" buttons
- CALL_PHONE: ditto, although it will require tapping the dial button.
- READ_CONTACTS: again, there's an intent for that, allowing you to select only the contacts you want to share with the app.
- READ_PHONE_STATE: either they want to be compatible with a very old version of Android, or they want to uniquely identify your phone, permanently. They might also want to know who you're calling or who's calling you in real time
Regarding MANAGE_ACCOUNTS, etc: some apps do that, and it seems to be all the rage. Unless you have multiple apps sharing a common account, I don't see the point. It's just leaks all your configured accounts on the device.
Similar issues abound with the myriad of camera applications.
It would have been good if there was a way to lie to the app. For example if it wants access to your contacts, it could get a blank list.
Of course, it is much easier to not use such apps in the first place. Uber is not alone in doing this and personally I take it as a signal of how I'll be treated as a customer.
For the most sensitive things like location, contacts and photos, it prompts for user permission.
There's a lower category for things like background processing, you declare to Apple that you want to use them, and they are enabled by default. Some of them can be disabled by the user after the fact.
Then, there's things like internet usage which there is no permission system for.
Unless you have a limited cellular data allowance, or pay for data by actual usage. iOS allows you to disable cellular data for certain apps. It would be great if it could somehow figure out when I'm using a mi-fi when abroad, and treat that wifi access point as 'cellular'.
The article included a decompiled code snippet showing it running methods like "sendMMSLog" and "sendPhoneCallLog", apparently logging a bunch of private data and sending it back to Uber.
I mean, I might trust my neighbor with the key to my apartment, but I'll still call the cops when he comes in and trashes the place.
Similarly, maybe there are valid reasons for Uber to have these permissions. That doesn't mean they can upload a dump of whatever data they can find to their servers.
There's no proof in this article that they are uploading this data to their servers, just speculation. The snippet of some methods he showed doesn't even make sense, because they don't ask for permissions for your SMS, MMS or other permissions required for these things.
Also, you can initiate the dialer without the CALL_PHONE permission, the user just has to hit the dial button.
Apparently the author has not ever heard of REST. I'm a little shocked by that.
Just in case anyone was wondering here's the HTTP 1.1 rfc: https://www.ietf.org/rfc/rfc2616.txt A simple search will show that it does include PUT and DELETE.
What technical assertions? From what I can gather, he's just pointing out what he sees in the code and what he thinks it might be doing. None of that feels like technical assertions (apart from the statement about PUT and GET).
He also stated that WebDAV isn't a standard (ie RFC).
He also stated that you don't need PUT or DELETE because it can be done 'on the server'. (I'm not sure how you get your data to the server without HTTP verbs, but..)
With that said, his other work looks spot on; you don't always have to know how to architect a service in order to figure out what's broken with it. He's done a service to the community by taking this thing apart and seeing what makes it tick.
+ credit card check banner
+ stolen template notification?
Here's what Uber says about its Android permissions -- the page isn't that difficult to find:
Uber says the camera permission is required to take a snapshot of your credit card. The phone call permission is required to call your driver. The get accounts permission is required to enable single sign-in (Google Sign-In, Google Wallet).
The Uber app doesn't, according to the gironsec.com post, request Android's READ_SMS permission, so pointing to a "sendSMSLog" code excerpt by itself doesn't mean much. And so on.
As <andymcsherry> pointed out elsewhere in this thread, there's a "perfectly reasonable explanation for almost all of these permissions" except WRITE_SETTINGS. Uber says in its Android permissions post that: "We use this permission to save data and cache mapping vectors."
It seems as though it would have been useful for the author of the gironsec.com post to read what Uber has to say -- or, better yet, contact the company before posting a critique. If Uber PR can't cough up a good explanation, it makes the final critique more powerful.
I've posted here on HN criticizing Uber before (https://news.ycombinator.com/item?id=8383854), but before rushing to judgment here let's check our facts first.
There are a bunch of permissions required for basics like autocompleting the users email for login, or checking the network state so you can adjust the app behavior based on connectivity.
Not to mention the incentives are all wrong in the Play store. Changing permissions murders your update rate, so you want to do it as little as possible. So when you are forced to add a permission, you grab a bunch of extra ones you 'plan' to use later to avoid having to get over that hump again. It's really awful.
Camera doesn't seem terribly implausible. IT could be an incoming feature that allows you to take a photo of where you are so that your driver can find you more easily.
The WiFi stuff is probably related to location.
edit: as pointed out below, this is so that you can take a photo of your credit card so you don't have to type it in.
This seems like "hydrogen hydroxide KILLS" scare mongering.
BTW, this is all available in the app permissions: https://lh3.googleusercontent.com/-FVPu6x-F5SM/VHUZgU47m-I/A...
I don't see the big OMG SECRET MALWARE scariness.
This is the definition of malware:
n. Malicious computer software that interferes with normal computer functions or sends personal data about the user to unauthorized parties over the Internet.
I'm all for people taking responsibility for their privacy but this is basically what you are saying to people:
"Hey you accepted that list of permissions (or Terms of Service)! What? you didn't expect that your Taxi app is not going to retrieve and store your call logs and other personal information? How silly of you."
This rational among tech people is why there is zero privacy. The myth of consumer choice in the matter. The average person doesn't reasonably expect Uber to be mining this information about them. Merely assuming it is a function of the application.
We in technology know that they can but the average user? Who has responsibility here then? Noone? Uber has an ethical responsibility not to actually abuse this trust from their users IMO. Which is why the inclusion of this library deserves scrutiny.
> The average person doesn't reasonably expect Uber to be mining this information about them.
Then it sounds like you would predict that, if you showed this article to the average Uber user, they would be upset and would stop using the app. Would you predict that? I think that is extremely unlikely, and that the vast majority of people wouldn't be interested and couldn't care less.
This is only being turned into FUD because it is now cool to hate Uber and everything they do now Must Be Evil.
It's a matter of looking at everything Uber right now with wariness in the light of multiple, public comments that indicate a complete lack of respect for their customers, their privacy, 'oppo' journalists, and even their competitors.
This is not simply a matter of capitalism at its best, or competitive assertiveness. This backlash could be viewed as a market correction against a company that has actually gone out of its way to bully everyone around.
Can you imagine what will happen if Uber gets the monopoly it's after? The entrenched taxi companies will seem positively benign. Even Microsoft never did the things Uber is explicitly stating that it is doing or trying to do.
Thanks, I forgot about that since it's been so long.
In most cases I can think of no good reason for this except either a desire to surveil customers for indirect monetization, or participation in government or private surveillance grid efforts.
I've got Lyft on my Android phone, but not Uber. I look at its permissions and the only dubious looking one is "access to take photos / videos." Is this perhaps for signing up as a driver and photographing yourself and your car? I don't see anything else that doesn't make sense.
Notice: Apple only does this fairly granular security on iOS, and OSX is much more similar to how Windows it.
why mobile OS authors haven't learn anything from the web security model yet?
Which mobile OS authors? The behavior you described is default in iOS.
Better off using Tinfoil for Facebook (if Android)
Does such sandbox exists?
Further reading: http://www.androidpolice.com/2013/07/25/app-ops-android-4-3s...
Outbound filtering can quickly highlight any app that tries to call home. Luckily, many apps continue working if you block those calls. YMMV.
The first thing I do after rooting is install a front- end to iptables and set it to whitelist mode. Any app that has a genuine need to access the internet can then be authorised; everything else is denied.
It frustrates me greatly that the ' common user' is denied this protection.
I do find it funny that despite all the other allegations, absolutely reprehensible business practices, and general malice they've put in the world that this is a surprise to anyone. I'm quite surprised that they still have so much business, but then again, morality isn't a one-size fits all sort of deal. What bothers me, may not bother other folks, or may seem as smart business tactics ( :sadface: ).
To me, it's just more icing on the cake.
I personally believe Uber app on android fits the definition of a malware.
The goal was to easily surface what permissions a given app requires, and what they mean.