We learned yesterday that Tim Cook almost pulled Uber from the App Store over the way it was tracking iPhones and tricking Apple engineers. Uber had seemingly found a way to ‘fingerprint’ individual iPhones even after the app was removed, and had taken steps to try to hide this behavior from Apple – one of many questionable business practices the ride hailing firm has made in recent years.
Mr. Kalanick told his engineers to “geofence” Apple’s headquarters in Cupertino, Calif., a way to digitally identify people reviewing Uber’s software in a specific location. Uber would then obfuscate its code from people within that geofenced area.
The original NYT piece suggested that Uber was somehow able to track iPhones even after they had been erased, but well-connected John Gruber has come up with what seems like a more probable description of what the company was and wasn’t doing …
Gruber noted that what the piece appeared to suggest – that Uber was able to track iPhones even after the app was removed and the phones wiped – should be technically impossible. What is far more likely, he suggests, is that Uber found a way to fingerprint devices in a persistent way, but had no ability to access that fingerprint until the app was reinstalled.
The Uber app is deleted from the device and/or device is wiped. At this point, Uber knows the fingerprint for the device, but can’t use it to track the device in any way, and they don’t care, because until someone reinstalls the Uber app on the phone it isn’t being used to book fraudulent rides.
The Uber app is reinstalled on the iPhone. When it launches, it does the fingerprint check and phones home again. Uber now knows this is the same iPhone they’ve seen before, because the fingerprint matches.
Doing this definitely breaches Apple’s privacy requirements for apps. An analysis by Will Strafach found that the app was using private APIs to use IOKit to pull the device numbers – which is another definite no-no. But it’s not the same as being able to track phones without the app being present.
As for why Uber was doing this, it appears it was an anti-fraud measure specifically geared to an issue the company had experienced in China and elsewhere.
At the time, Uber was dealing with widespread account fraud in places like China, where tricksters bought stolen iPhones that were erased of their memory and resold. Some Uber drivers there would then create dozens of fake email addresses to sign up for new Uber rider accounts attached to each phone, and request rides from those phones, which they would then accept. Since Uber was handing out incentives to drivers to take more rides, the drivers could earn more money this way.
Photo: AP Photo/Eric Risberg