- Apple gave Uber access to undocumented entitlement, report says
- That entitlement could have allowed Uber to record a user’s screen
- Uber says it is working with Apple to remove the access
Apple provided Uber with code, called an “entitlement,” which could have allowed the ride-hailing company to record a user’s iPhone screen, a security researcher says.
Will Strafach, a security researcher, has reported that Apple gave Uber an undocumented private app permission allowing it access to the screen-recording feature. In his experience of combing through the binaries of thousands of apps, Strafach said, he has not found any other third-party app with access to such an entitlement.
Apple gave Uber access to the entitlement so that it could launch an app for the Apple Watch, the researcher said. A security expert told ZDNet that having access to the entitlement is “the equivalent of giving keylogging ability to apps.” Keyloggers are applications that can glean everything a user types on a machine, and everything that is displayed on the machine.
“Essentially it gives you full control over the framebuffer, which contains the colours of each pixel of your screen. So they can potentially draw or record the screen,” Luca Todesco, a researcher and iPhone jailbreaker, told news outlet Gizmodo. “It can potentially steal passwords etc.”
Uber told Gizmodo that it is working with Apple to completely remove the API, and that it was no longer in use. Apple didn’t comment. It wasn’t immediately clear how Apple failed to see the potential for abuse of the API, or how often the company treats certain third-party apps differently for its own advantage.
The revelation comes on the heels of a report in the New York Times which claimed that Apple chief executive officer Tim Cook told then-Uber chief executive Travis Kalanick that Apple would kick Uber out of the Apple App Store if the ride-hailing company was caught violating any rules.