Apple likes to pride itself on being a privacy-focused company, but security researchers found it granted Uber what’s known as an “entitlement” that allowed the ride-hailing firm’s iOS app to record a user’s iPhone screen, even if it was only running in the background.
Apple had given Uber the code to help improve its app’s performance on the original Apple Watch. It helped “render Uber maps on iPhone and send to Apple Watch before Watch apps could handle it,” according to Uber.
The entitlement could have allowed Uber, or someone hacking the company’s network, to monitor an iPhone screen and steal personal information, potentially letting them harvest users’ passwords.
Security researcher Will Strafach said this is the only entitlement Apple has granted that can enable an app to record what’s happening on a display. “It looks like no other third-party developer has been able to get Apple to grant them a private sensitive entitlement of this nature,” Strafach said. “Considering Uber’s past privacy issues I am very curious how they convinced Apple to allow this.”
Uber says updates to the Apple Watch and its app mean the entitlement is non-functional and there’s no existing feature still using it. The firm added that it is working with Apple to remove the API completely.
“API was used to render Uber maps on iPhone & send to Apple Watch before Watch apps could handle it. It's not in use & being removed. Thx!” — Melanie Ensign (@iMeluny), October 5, 2017
As Strafach notes, Apple’s decision to grant Uber the entitlement is surprising, especially considering the controversies that have surrounded Uber for most of this year. The Hell software it developed to secretly track Lyft drivers, for example, brought a slew of criticism and even played a part in the company failing to have its license renewed in London.