Apple gave Uber access to a powerful tool that allows the ride-hailing giant to record everything on your iPhone's screen even if the Uber app is only running in the background, security researchers discovered.
It's one of many "entitlements" that allow developers to tap into features of an iPhone or iPad that are normally off limits to most app developers, unless they have been granted special permission by Apple.
According to Uber, it received permission from Apple to use the private entitlement.
While the code may have helped Uber push out an app to hail a vehicle from an Apple Watch, it also could have been used to steal people's passwords and other personal information.
What we do know, though, is that Uber prepared its Watch app within the four-month window and that the app was featured prominently during Apple's March 2015 keynote about the Watch.
Referring to the piece of code, an Uber spokesperson told BuzzFeed that the company is "working with Apple to remove it completely ASAP".
Strafach told Gizmodo that although he looked for indications that the entitlement had been used for malicious purposes, he was unable to find any evidence of such activity.
The existence of Uber's access to special iPhone functions is not disclosed in any consumer-facing information included with Uber's app, despite giving the company direct access to features so powerful that Apple nearly always keeps them off limits to outside companies. "It's not connected to anything else in our current codebase and the diff [sic] to remove it is already being pushed into production", a spokesperson told ZDNet. According to security researchers, Uber's iOS application has permission to record users' screens, and with them anything displayed on screen, including passwords, messages and any other sensitive information.
"Essentially it gives you full control over the framebuffer, which contains the colors of each pixel of your screen".
Apple expert and jailbreak author Luca Todesco told ZDNet that it was an "extremely risky use case". This may have led to passwords and other sensitive information being stolen by a hacker or by the company itself. Apple didn't comment. It wasn't immediately clear how Apple failed to see the potential for abuse of the API, or how often the company treats certain third-party apps differently to its own advantage. Uber was reportedly caught tracking iPhones even after the app was removed from the device.
Given the history of Uber, it would not be wrong to say that the company may have used it to track how often customers open other ride-hailing apps. The special Apple permission uses features found in iOS 11.
The finger pointing really needs to be aimed towards Apple - why on earth would they give a company like Uber this much power?