Uber Says It’s Removing Secret Screen-Viewing Access To iOS Devices
ANALYSIS: Undisclosed entitlement allowed Uber to access to an iOS device’s frame buffer, which in turn could let the company see your screen
The reason the entitlement was allowed in this case is because Apple wanted to use the Uber app in its demonstration of the first Apple Watch in an on-stage presentation, and the only way to make it all work was to allow the entitlement.
According to reported statements from Uber, the use of the entitlement became unnecessary with subsequent updates to WatchOS and with new versions of the Apple Watch. However, the entitlement remained. Now, Uber says it has removed the capability from its app.
“This API has already been removed with an update now available in the App Store,” said Uber spokesperson Melanie Ensign in an email to eWEEK. “It was only used for short period of time with the 8.2 version of our Apple Watch app. It enabled the app to run memory-intensive renderings of Uber maps on the iPhone and then send the image to the Watch app. It was never used for any other purpose and has been nonfunctional for quite some time.”
Uber response
At this point, there’s no indication that Uber used the entitlement for anything other than rendering maps on the original WatchOS version. However the fact that the capability was there, and continued to be available even with the latest versions of iOS, means that anyone with access to Uber’s network could have used the ability to see any screen where the Uber app was installed.
More disturbingly, the ability to see and record the frame buffer gives an attacker an effective keylogger since the frame buffer has access to login credentials. It’s not clear if such a capability might have been available to well-written software, but if it had been, then you had the beginning of a Trojan for iOS—something Apple has repeatedly said is not possible.
At this point, it’s not clear that there’s much you can do other than remove the Uber app from your iOS devices and even then it may not do much good. Uber has been accused in the past of finding ways to track devices even after the app is gone and even tracking devices even after the device was wiped clean and restarted as a new device.
In one case, Apple CEO Tim Cook reportedly summoned former Uber CEO Travis Kalanick to Apple HQ, where he was told that Uber would be banned from the App Store if he kept retained the ability to track iPhones even after they had been wiped.
The problem now is that Uber has created a huge security hole in iOS devices with Apple’s assistance. So the next question has to be, will Apple do anything to prevent Uber from using it? It would be interesting to hear about that, but so far Apple hasn’t responded to Apple’s request for comment on the state of Uber’s access to iOS devices.
Originally published on eWeek