Uber was reportedly granted permissions by Apple to allow its developers to improve its app's functionality for Apple Watch. However, the tool can be used to silently monitor iPhone users' activities and more, even when the app isn't being used. The capability is called an entitlement, which is essentially a piece of code that allows app developers to improve interactions with Apple systems such as iCloud or Apple.
However, the entitlement, uncovered by Will Strafach, security researcher and CEO of Sudo Security Group, also allowed the Uber app to potentially secretly record iPhone screens, ZDNet reported. According to Strafach, Uber is the only third-party app to have been granted the entitlement by Apple.
"It looks like no other third-party developer has been able to get Apple to grant them a private sensitive entitlement of this nature," Strafach said, Gizmodo reported. "Considering Uber's past privacy issues I am very curious how they convinced Apple to allow this."
Concerns have been raised about the entitlement having been potentially used by Uber or hacker(s) that managed to compromise Uber's networks to monitor iPhone users' activities. The tool could also have been potentially used to harvest users' passwords and other private data.
"Essentially it gives you full control over the framebuffer, which contains the colors of each pixel of your screen. So they can potentially draw or record the screen," said security researcher Luca Todesco, who is also an Apple expert and a jailbreaker. "It can potentially steal passwords etc."
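Entitlements are declared in a signed property list embedded in the app binary, so the practical defensive question is whether an app you ship or audit carries any entitlement in Apple's private namespace. The following script is an added example, not code from the article or from Uber; it parses an entitlements plist of the kind `codesign -d --entitlements :- Example.app` prints and lists every key under the `com.apple.private.` prefix. The sample plist and the `com.apple.private.EXAMPLE-graphics-entitlement` key are constructed placeholders, not the entitlement the article describes.

```python
import plistlib

# Constructed sample entitlements plist (placeholder values, not Uber's real
# entitlements). The key marked EXAMPLE stands in for a private entitlement.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>TEAMID12345.com.example.app</string>
    <key>com.apple.developer.icloud-container-identifiers</key>
    <array><string>iCloud.com.example.app</string></array>
    <key>com.apple.private.EXAMPLE-graphics-entitlement</key>
    <true/>
    <key>get-task-allow</key>
    <false/>
</dict>
</plist>
"""

# Apple's private entitlements live under this prefix; third-party apps are
# normally not granted any of them.
PRIVATE_PREFIX = "com.apple.private."
DEVELOPER_PREFIX = "com.apple.developer."


def parse_entitlements(raw: bytes) -> dict:
    """Decode an XML or binary entitlements plist into a dict."""
    return plistlib.loads(raw)


def find_private_entitlements(raw: bytes) -> list:
    """Return the names of all entitlements in the private namespace.

    A key whose value is boolean False is reported too: an auditor wants to
    know the key was declared at all, not only whether it is currently on.
    """
    ents = parse_entitlements(raw)
    return sorted(k for k in ents if k.startswith(PRIVATE_PREFIX))


def classify_entitlements(raw: bytes) -> dict:
    """Group entitlement keys by namespace so a reviewer can scan them quickly."""
    report = {"private": [], "developer": [], "other": []}
    for key in sorted(parse_entitlements(raw)):
        if key.startswith(PRIVATE_PREFIX):
            report["private"].append(key)
        elif key.startswith(DEVELOPER_PREFIX):
            report["developer"].append(key)
        else:
            report["other"].append(key)
    return report


if __name__ == "__main__":
    for bucket, keys in classify_entitlements(SAMPLE_ENTITLEMENTS).items():
        print(f"{bucket}: {keys}")
    flagged = find_private_entitlements(SAMPLE_ENTITLEMENTS)
    print("private entitlements found:", flagged or "none")
```

To run it against a real app on macOS, pipe the output of `codesign -d --entitlements :- /path/to/Example.app` into `parse_entitlements` instead of the constructed sample; any non-empty result from `find_private_entitlements` is worth a question to whoever built the binary, since the article's point is precisely that such grants are not supposed to reach third-party apps.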
Other iOS app developers have also reportedly said that the move is unprecedented, ZDNet reported.
Uber has said that it will remove the code from its iPhone app. "It's not connected to anything else in our current codebase and the diff [sic] to remove it is already being pushed into production," an Uber spokesperson told ZDNet. "This API would allow maps to render on your phone in the background and then be sent to your Apple Watch. Subsequent updates to Apple Watch and our app removed this dependency, so we're removing the API completely."
"This API was only used for a short period of time on an old version of our Apple Watch app. It enabled the app to run the memory-intensive rendering of maps on the iPhone & then send the image to the Watch app," an Uber spokesperson told IBTimes UK in an emailed statement. "It was never used for any other purpose and has been nonfunctional in our code for quite some time. The memory limitation of Apple Watch was fixed by subsequent updates in the OS and we've issued an update to our app to remove the API completely."
This article has been updated to include an updated statement from Uber.