Uber’s head of security communications has today announced that the company is removing access from its iOS app that may have allowed the company to record a user’s display unknowingly. Security researchers had noticed that Uber was given access to these private APIs by Apple, an unprecedented move from the security focused company.
Within iOS, application developers use entitlements to gain access to different APIs. For example, usage of iCloud and Apple Pay APIs require specific entitlements within an application.
The idea behind using entitlements is that iOS applications only have access to what they absolutely need. As Apple puts it, “By carefully enabling only the resource access that you need, you minimize the potential for damage if malicious code successfully exploits your app.”
This is where Uber’s iOS app raised a few eyebrows. APIs, and as a result entitlements, are separated into public and private usage. Private APIs may not be used in apps that are submitted to the App Store. Uber’s API that could technically allow them to record a device’s display was locked away behind a private entitlement.
Melanie Ensign, Security and Privacy communications at Uber, told Will Strafach on Twitter that the entitlement would be removed. According to Ensign, the API was used back when watchOS apps couldn’t handle map rendering. From a technical perspective, the APIs may have allowed Uber to capture what was seen on the iOS app’s display and then push it to the watchOS app.
Strafach asked Ensign how Uber was granted access to this entitlement in the first place. Being a private entitlement, no applications should have this access. In his own researched dataset, he discovered only Uber and Apple’s own apps had this private access. Strafach mentioned that Apple had to have granted this entitlement to Uber.
Being granted this level of access is especially interesting in light of Apple and Uber’s history. Earlier this year, it was reported that Tim Cook had threatened to pull Uber from the App Store over allegations of tracking users.