A report claims that Uber’s iPhone app was capable of recording users’ screens, even when they weren’t using the app.
Gizmodo reports that the ride-sharing app Uber was capable of recording users’ iPhone screens even when the app wasn’t being used. The screen recording feature was enabled through a piece of code called an “entitlement,” which allows apps to interact with the iOS phone system, doing everything from sending notifications to allowing access to Apple systems like iCloud and Apple Pay. However, the entitlement that allowed the Uber app to record the iPhone screen was designed as a memory-saving feature for the Apple Watch. This entitlement was only present in the 8.2 version of the Uber app.
The idea behind the entitlement was that the iPhone would record the phone’s screen and send the recorded data to the Apple Watch, letting the iPhone’s processor do all the heavy lifting and saving memory on the Apple Watch. According to security researchers, this is not a common entitlement and would have to be approved directly by Apple. Will Strafach, a security researcher and CEO of Sudo Security Group, searched the current Apple App Store and was unable to find a single other app with a screen recording entitlement enabled.
“It looks like no other third-party developer has been able to get Apple to grant them a private sensitive entitlement of this nature,” Strafach said. “Considering Uber’s past privacy issues I am very curious how they convinced Apple to allow this.”
Although the entitlement is only designed to be used with the Apple Watch, there are obvious worries that if a hacker were to gain access to Uber’s system, they could potentially capture screenshots of thousands of users’ phones, harvesting passwords and other sensitive information.
Luca Todesco, an iPhone jailbreaker and researcher, explained some of the biggest issues with the entitlement: “Essentially it gives you full control over the framebuffer, which contains the colors of each pixel of your screen. So they can potentially draw or record the screen. It can potentially steal passwords etc.” The feature could also be used to track the apps a user installs on their iPhone.
An Uber spokesperson told Gizmodo that first-generation Apple Watches were unable to render detailed maps alone, and the screen recording tool was never used for anything other than rendering these maps. “It was used for an old version of the Apple Watch app, specifically to run the heavy lifting of rendering maps on your phone & then send the rendering to the Watch app,” the spokesperson said. “This dependency was removed with previous improvements to Apple’s OS & our app. Therefore, we’re removing this API from our iOS codebase.”
Partly because of the tight time frame that Apple gave companies to have their apps ready for the launch of the Apple Watch in 2015, Uber was given special permission to use the screen recording entitlement. “Apple gave us this permission years ago because Apple Watch couldn’t handle our maps rendering. It’s not connected to anything in our current codebase,” Uber’s spokesperson stated.
Uber stated that the screen sharing entitlement is not present in the current version of their app.