Uber's Android App Caught Reporting Data Back Without Permission
Zothecula writes Security researcher GironSec has pulled Uber's Android app apart and discovered that it's sending a huge amount of personal data back to base – including your call logs, what apps you've got installed, whether your phone is vulnerable to certain malware, whether your phone is rooted, and your SMS and MMS logs, which it explicitly doesn't have permission to do. It's the latest in a series of big-time missteps for a company whose core business model is, frankly, illegal in most of its markets as well.
So, in essence, Uber's app is malware (Score:5, Insightful)
How about Google does something about it? Like remove the app and take Uber to court? I'm sure they can find a few terms in the app developer contract that they have violated.
Re:So, in essence, Uber's app is malware (Score:5, Insightful)
Or, you know, actually give us actual app permissions control so we can prevent it from retrieving this information in the first place, rather than having to agree that Happy Fluffy Kitty Screensaver can send text messages and read all my contacts or not install it at all?
Re:So, in essence, Uber's app is malware (Score:5, Informative)
Re: (Score:3)
If you think that's bad, don't look at what Facebook Messenger wants access to.
Re: (Score:2)
If you think that's bad, don't look at what Facebook Messenger wants access to.
I did. That's why I uninstalled the Facebook app some time back.
Re: (Score:2)
Too late. Facebook has all your data already. So can just as well continue using it.
It has some of my data, but I stopped updating it when it started demanding permissions I wasn't willing to give it. It doesn't have any future data.
Re: (Score:2)
"It doesn't have any future data."
You hope not, anyway. If they have an accurate image of you, and/or if you tagged any "friends" who supply information about you - you're a little bit fokked. It may not be necessary for you to maintain an account for Facebook to update your status - alive, dead, incarcerated, employed, unemployed, married, on the prowl, whatever.
As for actual future data - seen any good movies lately?
http://en.wikipedia.org/wiki/M... [wikipedia.org]
Re: (Score:2)
I uninstalled it years ago after rejecting its new permissions that wanted to look into my phone history.
But if you want to think that your info is already out there and you might as well let it happen... fine by me. Whatever helps you sleep at night.
Think that's bad (Score:5, Informative)
retrieve running apps
read sensitive log data
Mobile data settings
change/intercept network settings and traffic
Location
precise location (GPS and network-based)
Photos / Media / Files
modify or delete the contents of your USB storage
test access to protected storage
Camera / Microphone
record audio
Wi-Fi connection information
view Wi-Fi connections
Device ID & call information
read phone status and identity
Other
press keys and control buttons
read frame buffer
close other apps
update component usage statistics
force-stop other apps
modify secure system settings
view network connections
connect and disconnect from Wi-Fi
full network access
run at startup
read battery statistics
control vibration
close other apps
set wallpaper
install shortcuts
uninstall shortcuts
modify system settings
pair with Bluetooth devices
draw over other apps
Re:Think that's bad (Score:4, Informative)
That, actually, doesn't look all too onerous for such a product.
Of course I want my fancy remote-everything program to be able to manage the network, see the status of the network, use the network, vibrate, pair with devices, manage shortcuts (shortcut to email on the homescreen?), change settings (so that the remote apps can, you know, do their thing), draw on top (notifications), take pictures, use a microphone, use the camera, access files (do you like attachments with your email?) and read phone status and identity (it knows you're on the phone, just like every other app that handles audio).
I don't know why it needs precise location, but sheesh. At least it's not like Pandora, which is just a bloody streaming music player:
find accounts on the device
read your contacts
add or modify calendar events and send email to guests without owners' knowledge
test access to protected storage
modify or delete the contents of your USB storage
view Wi-Fi connections
read phone status and identity
receive data from Internet
install shortcuts
run at startup
full network access
pair with Bluetooth devices
connect and disconnect from Wi-Fi
change network connectivity
access Bluetooth settings
view network connections
prevent device from sleeping
Re:So, in essence, Uber's app is malware (Score:5, Informative)
You can do this with the cyanogenmod privacy manager. Of course, then you have to root your phone.
Unless they have changed their stance since CM7, the privacy manager sucks compared to XPrivacy because XPrivacy will allow spoofing of data. If a permission is flatly blocked instead of spoofed then many apps will force close due to exceptions being thrown. XPrivacy lets me keep my privacy without app force closes. Anyway, the CM devs used to be adamant that they would never allow spoofing because it would interfere with app devs data mining user data. It's one of the reasons I parted ways with CM. Maybe they have changed their position, though.
Besides, XPrivacy, while it requires root, does *not* require a whole custom rom. Custom ROMs are passe compared to what the XPosed framework can do, and XPrivacy is an excellent example of an XPosed module.
Re: (Score:3)
>Besides, XPrivacy, while it requires root, does *not* require a whole custom rom. Custom ROMs are passe compared to what the XPosed framework can do, and XPrivacy is an excellent example of an XPosed module.
I don't XPect to like programs with an XTremely crappy habit of putting unnecessary Xs in front of words.
Re: (Score:2)
What about "Gn"s or "K"s?
Re:So, in essence, Uber's app is malware (Score:4, Informative)
"Unless they have changed their stance since CM7, the privacy manager sucks compared to XPrivacy because XPrivacy will allow spoofing of data. If a permission is flatly blocked instead of spoofed then many apps will force close"
Well, they did. CM11 has a privacy manager that will allow you to block access to contacts and so on, without making apps crash. I have set it up such that it will notify me whenever an app tries to access contacts, sms, calendar, location and it is surprising how few suspicious popups I get. One weird thing: wifi related apps need location access in order to show access points. Makes some sense, but it took me a while to realize why those apps weren't working.
Re: (Score:2)
Interesting that they reversed themselves on that. Guess it became untenable for them to continue to choose the app developers' interest in data mining over the userbase's desire for privacy.
My point about custom roms being passe still stands. With a custom rom one is tied to accept the rom devs feature set and mods as an all or nothing deal. Conversely, with XPosed one can pick and choose which features to load and still keep access to OTA Android updates.
I've compiled my own custom ROMs from source and ev
OnePlus One equals no fake info (Score:2)
Re: (Score:3)
Not to worry ... Twitter wants in on that action [financialpost.com].
Yeah, no, thanks.
Didn't want your app before. Don't want it now.
This whole "free to use, but we get all your data" model of software is producing some pretty shitty stuff which is actively hostile to your privacy.
The only wa
Re:So, in essence, Uber's app is malware (Score:5, Insightful)
This -- although I don't even need your phone.
These days smartphones might as well just be GPS house-arrest bracelets with better PR.
Re:So, in essence, Uber's app is malware (Score:5, Interesting)
I've switched to a prepaid $50 Nokia Lumia 520 (paid for entirely in cash including the minutes). They can still interrogate the people from my call logs to find out who the phone belongs to, or GPS track it to my house using Carrier IQ, but at least I'm not spoonfeeding it to them. Since it's a windows phone, I only use it for wifi tethering my Google Voice number/Google Hangouts to the 4G LTE network.
I have Whatsapp on my old burner cell phone I use for international travel... Tons of stupid android apps. Terrible battery life!
I say this as an App developer: Google really needs to clean house. I know the permissions configuration while writing an app encourages asking for everything so the code will compile, but all the same: the Carriers cock-blocking Android updates for 6-15 months (so they can "lame it up" with their stupid skins that nobody wants) is a HUGE security problem and probably one of the reasons why BYOD is so dangerous to corporate networks if done incorrectly. The privacy issue with being unable to firewall your contacts list, SMS history, and Photos is a major problem. One solution would be for every phone to have two contacts lists, SMS logs, and Photo albums set where you have to specifically move your private data into the "everyone can see this shit" section where the Apps can go nuts.
Another solution would be to force all apps to exfiltrate data through a Google monitored intermediary. This could be done at the kernel level by Android forcing the issue via their API. All outbound network traffic could be MITMed Transparently to the App developers. Sort of a "Privacy IDS"/MITM which is encrypted between the App and Google, and Google/the App's back-end servers. Would it cause higher latency? Probably (but they could have a "Privacy Certified" alternative where the App has to have its Source Code reviewed by Google before going through the "Play" app store). Fascist? Yup! Necessary? Seems so!
Google could just start banning developers from their store caught misbehaving but that doesn't really scale well.
Re: (Score:3)
The usual excuse is but what if we confuse someone!?
Mozilla, too, are a fan of this sort of reasoning.
Re: (Score:3, Insightful)
What do you mean "have to agree"? In what sense do you "have" to? I've certainly never agreed (and in fact don't have Uber's app or other similar "ask for everything under the sun" apps), and have detected no one attempting to compel me to agree to anything I don't want to agree to.
Have we lost any and all ability as a culture to say "no" to things that are obviously unreasonable? That's all you have to do. Look at the list of permissions, decide that's too much, and refuse to install the app. It's rea
Re: (Score:3)
Re:So, in essence, Uber's app is malware (Score:5, Insightful)
But, cynically, how would you even know?
If they're collecting stuff against the app permissions, WTF would you trust them when they say "oh, sure, we've deleted your stuff".
If they collected anything beyond what they had explicit permissions for, you have to assume everything else is a bloody lie.
Re: (Score:2)
Re: (Score:3)
There are permissions viewers, but you may also find permission managers. I have one installed but my phone is charging.
Not sure if the app has been borked by updates since the last time I went and used it to revoke some permissions after installation. It may have been. Google has tampered a bunch with security settings.
I usually go adjust the permissions after installation but before first execution.
Ultimately, people should light a fire under Google to force app publishers to only request perms they reall
Re:So, in essence, Uber's app is malware (Score:5, Informative)
How about Google does something about it? Like remove the app and take Uber to court? I'm sure they can find a few terms in the app developer contract that they have violated.
Worse than that, Google is an investor of Uber. They have put in $250 million, they should just go and demand that Uber stop fucking about.
Re: (Score:2, Informative)
Re:Explanation of Uber permissions... (Score:5, Insightful)
Those are legitimate explanations for the app to need said access, but that's not what the article is about. The researcher found Uber was SENDING ALL OF THIS BACK TO UBER'S SERVERS.
Sorry for yelling, but it's an important point.
Also, there is no good reason to report back your data pertaining to malware.
Re: (Score:3)
The researcher found Uber was SENDING ALL OF THIS BACK TO UBER'S SERVERS.
Sorry for yelling, but it's an important point.
NO HE DID NOT.
Sorry for yelling, but it's an important point.
Go back and read the original GironSec blog post [gironsec.com] where he even acknowledges explicitly what he (inexcusably, IMHO) failed to do -- that others did after him and surprise! found nothing especially amiss -- before he wrote an inflammatory blog post based on supposition, conjecture and ignorance of context.
Re: (Score:3)
And a little bit of decompiled code like:
Re: (Score:3)
Yep, I didn't see the NextWeb response until after my post.
I capitalized that phrase because the poster I was responding to (like many other posters) was confusing accessing data with sending data back to Uber servers. I wanted to draw attention to that distinction.
Re: (Score:3)
More to the point, why is it even possible for a third party app to access this much information?
Why is Android allowing Uber to access the info? (Score:5, Informative)
If the app does not have permission to access these personal data, then why is Android giving it access? The solution to privacy is not trust, but robust security. No app should be able to access my call logs or other personal data unless I give explicit permission.
It DOES have permission (Score:5, Insightful)
I just went to the google play store page for Uber [google.com], and checked the permissions the app requires. It includes:
Read your Contacts, take pictures, status and identity, modify system settings, read google service configuration, and a host of others.
So, based on this (admittedly limited) information, it doesn't seem to be bypassing google security so much as utilizing the proper channels to claim superior access to the user's phone.
And in this, it is not alone. The majority of apps on the play store require all these permissions, and google will not give users explicit control over these permissions for two reasons:
1) Users will break their own apps and then google will take the heat for it (you KNOW this will happen, a LOT)
2) Vendors will hate the sandbox that users put them in, and google will take the heat for that (and lose a lot of free apps that represent a competitive advantage for google).
I am not saying this is right, but this is a natural response to the incentives google faces.
Re:It DOES have permission (Score:5, Insightful)
There's a simple solution to this, and one that Apple has applied successfully to Uber - make it a condition to get into the store that you don't request permissions you don't need to do the app's job. Uber for iOS doesn't require access to all this stuff. I'd bet heavily that that's because Apple told them to go fuck themselves until they sorted it out.
Re:It DOES have permission (Score:5, Informative)
Re:It DOES have permission (Score:4, Insightful)
Agreed. It's absurd how many apps require all these permissions to be installed.
If you want the app, you agree to that.
I still haven't upgraded Waze since their new "social" integration required a ton more privileges, mostly to phone private info. And this despite running XPrivacy - I just can't be bothered to go through the whitelisting for it, when current version works well enough. Ditto the updated Google Search app.
It'd be nice if apps had a base set of privs then expanded sets that could be allowed on install or later by request to the system/user. Also it'd be nice if the privileges were a lot more restricted, like "Use Ad Service to show you ads" instead of "Use Internet"
So, I installed a little Fisher Price Animals app for kid, and set XPrivacy to "ask" mode. On startup, XPrivacy popups popped up indicating the app wanted my Localisation, Phone Identity, Telephone (calling/numbers - probably just so the app could know when a call was coming in if a kid was playing, but still, the sort of broad category Android requires for something like that), Sensors, some Shell cpu thingy I couldn't be bothered to figure out, but that it seems to run just fine without, and, Shell lib calls for the animal sounds.
But, yeah, you allow broad categories, some innocuous, some just 'cause they want to know how many users they have or something, and, surprise!
Re: (Score:3)
I just went to the google play store page for Uber, and checked the permissions the app requires. It includes:
Read your Contacts, take pictures, status and identity, modify system settings, read google service configuration, and a host of others.
So, based on this (admittedly limited) information, it doesn't seem to be bypassing google security so much as utilizing the proper channels to claim superior access to the user's phone.
What I don't understand is the SMS claim. Is Uber exploiting a vulnerability to get SMS data or do these other permissions somehow grant some kind of access to SMS as well?
There is a whole group of SMS privileges and according to the app store not a single one is being claimed... so what gives?
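The question in the comment above (which declared permission, if any, would cover SMS or call-log access) can be checked mechanically against a decoded manifest. This is an added example, not part of the thread and not the researcher's code: the manifest is constructed from the permission list quoted above, and the package name, SDK levels and function names are assumptions. It also covers one case the thread does not mention: apps targeting API 15 or lower receive READ_CALL_LOG implicitly when they declare READ_CONTACTS.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Data category named in the story summary -> permission an app had to declare
# to read it through the public Android APIs of that era.
# None means no permission was required (package list, root checks).
CATEGORY_PERMISSION = {
    "sms_mms_logs": "android.permission.READ_SMS",
    "call_logs": "android.permission.READ_CALL_LOG",
    "contacts": "android.permission.READ_CONTACTS",
    "installed_apps": None,
    "root_check": None,
}

# Constructed sample: a text manifest (as a decoder such as apktool emits)
# built from the permissions listed in the comment above. It is NOT the real
# app's manifest; package name and SDK levels are placeholders.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rideapp">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="19"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission
      android:name="com.google.android.providers.gsf.permission.READ_GSERVICES"/>
</manifest>
""".strip()

# Same constructed manifest, but targeting API 15 to show the implicit grant.
SAMPLE_LEGACY = SAMPLE_MANIFEST.replace('targetSdkVersion="19"',
                                        'targetSdkVersion="15"')


def parse_manifest(xml_text):
    """Return (declared permission names, effective targetSdkVersion)."""
    root = ET.fromstring(xml_text)
    perms = {el.get(ANDROID + "name") for el in root.iter("uses-permission")}
    perms.discard(None)
    sdk = root.find("uses-sdk")
    min_sdk = 1  # platform default when minSdkVersion is absent
    target = None
    if sdk is not None:
        min_sdk = int(sdk.get(ANDROID + "minSdkVersion", "1"))
        raw_target = sdk.get(ANDROID + "targetSdkVersion")
        target = int(raw_target) if raw_target is not None else None
    # targetSdkVersion defaults to minSdkVersion when it is not set
    return perms, (target if target is not None else min_sdk)


def implicit_permissions(perms, target_sdk):
    """Permissions the platform adds without a manifest entry."""
    implied = set()
    # READ_CALL_LOG was split out of READ_CONTACTS in API 16; apps targeting
    # 15 or lower that hold READ_CONTACTS are granted it implicitly.
    if target_sdk <= 15 and "android.permission.READ_CONTACTS" in perms:
        implied.add("android.permission.READ_CALL_LOG")
    return implied


def audit(xml_text):
    """Map each data category to how (or whether) the manifest covers it."""
    perms, target = parse_manifest(xml_text)
    implied = implicit_permissions(perms, target)
    report = {}
    for category, perm in CATEGORY_PERMISSION.items():
        if perm is None:
            report[category] = "no permission required"
        elif perm in perms:
            report[category] = "declared"
        elif perm in implied:
            report[category] = "implicit"
        else:
            report[category] = "not declared"
    return report


if __name__ == "__main__":
    for label, manifest in (("target 19", SAMPLE_MANIFEST),
                            ("target 15", SAMPLE_LEGACY)):
        print(label)
        for category, status in audit(manifest).items():
            print(f"  {category:15} {status}")
```

A "not declared" result means the public APIs should refuse that read, so code referencing it in a decompile is not by itself evidence that the data was collected or sent.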
Re: (Score:2)
The problem is that permissions are not granular at all.
Make a phone call through app seems reasonable. But the permissions allows ALL phone data access. NSA metadata level. It's an all or nothing permission.
Google needs to get their shit together.
Re:It DOES have permission (Score:5, Insightful)
Google's "shit" is collecting your personal information to use to sell advertising. So, from that perspective, it's mission accomplished.
There aren't a whole lot of ways to reconcile how Google wants to make money from Android with a desire for user privacy.
My best guess is Google has crippled the privacy to ensure that commercial interests trump privacy interests.
Do you think they're going to provide an ability for users to kill off advertising in apps? Especially when Google profits from this?
My guess is this "simplified" permissions model they rolled out this year was specifically designed to ensure better access for apps.
Re: (Score:2)
Yeah, I really didn't expect Google to let those selling ads to collect less data :-)
More like android users actually need to get their shit together.
Re: (Score:2)
Not if you want to keep your private information private from Google, of course, but there's no reason why Uber or Clash of Whatever need to get in on the fun, or even know what targeted advertisements are being shown - they'll just need to designate a screen area for the operating system to draw the adverts in, and call fullScreenAdvertisement() at suitable points.
Re: (Score:2)
A third possibility is that the sms collection code is in the program, but is never actually called.
CyanogenMod (Score:4, Insightful)
CyanogenMod and many other ROMs let you control this stuff. I have never found an app that broke due to the CyanogenMod privacy manager. I can't see how it would break because all it does is mock dummy responses for all of these things.
Re: (Score:2)
There are tools that will let you edit app permissions after installation to remove some of them. Or at least I have installed and used those in past and hoped they worked. In some cases, apps check at startup and bork themselves like petulant children if they don't get what they want (even if they didn't need it) but others seem to run fine without the extraneous permissions (like ones that would allow linking to social media that I don't use so the function never gets invoked).
Ultimately, I should never h
Re: (Score:2)
And people still don't know what or why the app is asking for permissions and the vast majority will click yes anyway, resulting in exactly the same condition.
Not if my girlfriend is anything to go by. Her default when some app asks for an unexpected permission on her iPad is 'no'.
Most people can tell that Happy Fluffy Kitty Screensaver doesn't really need to send SMS messages, know your location, or access the Internet.
Re: (Score:3)
Most people can tell that Happy Fluffy Kitty Screensaver doesn't really need to send SMS messages, know your location, or access the Internet.
Why does a phone even need a screensaver?
Re:It DOES have permission (Score:5, Insightful)
No, in fact the vast majority of people who run an IOS app on an Apple device who see a permission request pop up that they don't like, say 'No', and the app continues to run just fine.
Even better, the apps on IOS tend not to request absurd permissions in the first place because they know those pop-ups will annoy their customers enough to either say 'no' anyway or not use the app in the first place. It's a black blotch for an IOS app to request permissions that it does not need, and Apple customers call them on it in the reviews.
Whereas with android, everything is quiet and silent and people run apps without really understanding what data they are giving away, EVEN if they have read the manifest... so app writers can get away with almost anything and consumer privacy on android is poorer for it.
-Matt
Re: (Score:2)
Well, the problem is apps ask for every damned permission just in case, and give little explanations as to why. That whole permission which says "this can cost you money" ... WTF does that mean? In what context?
And the other thing is Google won't give the ability to have discrete permissions on apps, or come back later and revoke some. I frequently get annoyed because I can't think of a single reason why an app actually needs a given permission.
Now, if the app can access this stuff even if it has no perm
Re: (Score:2)
It's my damned device, I want control over it.
That sinking feeling when the Google and Apple we all praise (fractions add up to a whole even if individually we meet in fanboy flamewars here), follow the new normal: we are the PRODUCT, not the consumer. Why accommodate US if it won't make them more cash? This is what happens when the slippery rope can't even be invoked because the system is designed from step 1 so all of us rope-walkers start at the bottom end of the rope, trying to climb up.
To us who come from Linux's rpm mirrors or open-repositories w
Re:Why is Android allowing Uber to access the info (Score:5, Informative)
Probably because android has all-or-nothing, non-granular permissions where you have to grant the app access to everything it requests, or else it's 'no app for you!'
If the app wants to access to your contacts, accounts, phone history, photos, camera, messaging, mail, you give it access or you don't get to install it.
It's a stupid, dumb, and poorly thought out implementation and google should (?) know better.
Re: (Score:3)
Nobody knows about permissions. People just press "Accept".
Then why does the summary say otherwise? According to the summary, the app is accessing data which it explicitly doesn't have permission to do.
Re: (Score:2)
If only there were a technology which enabled permissions to somehow be enforced by the operating-system itself...
Re:Why is Android allowing Uber to access the info (Score:5, Insightful)
You either accept all permissions, without explanation, or you can't install the app. Android needs to give people the ability to deny individual permissions, without having to root your phone and install Cyanogenmod or the like.
Re: (Score:2)
The problem with being able to allow/deny individual permissions is the app developers now have 2^n configurations to test, instead of just one. Which is either going to lead to a much higher testing cost, or apps which are buggier when run with less than full requested permissions.
Re: (Score:2)
Poor app developers might actually have to spend time testing their apps.
My heart bleeds for them.
Re:Why is Android allowing Uber to access the info (Score:5, Insightful)
If this is your default answer, you're going to have a bad time.
The problem is with the permissions model of Android. "allow access to make phone calls" also means can see all metadata.
That's a big WTF right there.
Re: (Score:3, Insightful)
OK, so I want to use their taxi service, but their app demands permissions it obviously doesn't need. Android gives me an option of installing it or not installing it.
Now what do you suggest I do?
Android's permission model is completely broken. It's the Windows of the modern world.
Re: (Score:3)
Your options are:
1) Uninstall it, get on with your life.
2) Decide this is so important you don't care about your privacy
3) Root your device and install something which gives you granular control.
From what I've been able to ascertain, rooting my first gen Nexus 7 is hit and miss, and I've not yet decided to take that step.
Me, I've mostly decided I need fewer apps, run my tablet in airplane mode most of the time, and would rather use a web browser than most apps.
As you said, Android's permission model is c
Re: (Score:2, Informative)
Don't install it.
You'll be okay. There are other ways to get a taxi. I promise.
Re: (Score:2)
They are over-charging scumbags with dodgy drivers, why would you want to use them? Don't support them until they sort their act out.
Re: (Score:2)
Re: (Score:3)
Easy, start screaming at Google to pull its bloody finger out and make a much needed modification to permission to differentiate between unlimited permissions and user confirmed permissions every time a request is made, plus the opportunity to change this on the fly. Add in logs for access, that the user can readily confirm in order to change permissions if they don't like them. Send them emails, blog nasty things about them and stop installing apps until changes are made.
Re: (Score:2)
So yes, you're right. No app should be able to take your personal information without your consent. That isn't what's happening. The problem is that you're giving them your consent by using the software, you're just too lazy and ignorant to bother actually reading the legal terms, to take the five seconds or so it takes to scan the list of capabilities and permissions the app supposedly "requires" to run.
The text from TFA is as follows: "and your SMS and MMS logs, which it explicitly doesn't have permission to do."
What permission in the list of permissions asserted in the manifest grants SMS and MMS log access? Does it access your google account and download data from a backup? How is it doing it? Name the permission which enables this activity.
You hand the stuff over to them, you have nobody to blame but yourself. You certainly can't blame Android for "allowing" it because it doesn't "allow" it unless you EXPLICITLY ALLOW IT YOURSELF.
I'm not down with blaming the victim when a platform has been intentionally engineered to fuck over users.
The Uber app isn't a virus, it doesn't install itself through some unpatched exploit.
If facts asserted by TFA are correct it is spyware.
You get what you deserve. Truth hurts, I know, but blaming Android for your own, personal failings and naivety makes you look really fucking stupid.
Would
Re: (Score:3, Interesting)
They took the safest OS there is and made a Frankenstein POS out of it to make it user friendly.
Or they (google) made android such that it was more easy to spy/track people. User-friendliness has nothing to do with tracking. Why do games need access to call logs, need to be launched at android startup, need access to your contact list? None. Yet, 90% of the top-downloaded games in the play store need access to your private data. Google is evil since they allow this without doing anything about it.
Not sure why uber is being singled out, because many, many apps do the same exact invasion of privacy.
Re:Why is Android allowing Uber to access the info (Score:5, Insightful)
Google is evil since they allow this without doing anything about it.
Not sure why uber is being singled out, because many, many apps do the same exact invasion of privacy.
Not really. Google actively wants this crap because they are an advertising company, and their entire business model depends on destroying all privacy everywhere (except for the privacy of their proprietary database of your private information). If they put in real security for privacy settings for other people's apps, then Google can't track you either.
Re: (Score:3)
Google didn't create Android, they backed it and later bought it. The original developers thought users were too dumb to use Linux, so they dumbed it down by stripping the security out of it to make it user friendly.
I don't really understand how this is 'true'. Linux security doesn't isolate process disk data from each other, anybody can read any part of the disk under the same user, which in practice is all apps a user use because they all run under the user's account. Android has a far *better* security model in this respect because it puts different applications in different users, so they can't get at each other. Also, permissions for system information is far more granular in Android than plain Linux, in Linux you
Re:Why is Android allowing Uber to access the info (Score:5, Insightful)
Apparently you are not familiar with SELinux.
Re: (Score:2)
No Android app is safe, auto updates of a safe app can make it unsafe with no notice to the user.
Patently not true. If an app needs new permissions in an update it must be explicitly accepted by the user.
Android is *NOT* Linux ... (Score:2)
Because some idiot decided to strip the security out of Linux to make Android. No Android app is safe, auto updates of a safe app can make it unsafe with no notice to the user. They took the safest OS there is and made a Frankenstein POS out of it to make it user friendly.
Android is *NOT* Linux based, it is merely Linux hosted. Android is its own OS, its own environment. As such Android is perfectly free to have less or *more* security than Linux. There was no stripping security out, there was only how much security to build into this new and independent environment.
There is a way for apps to jump through some hoops and access Linux (NDK) but only about 25% of apps (last I read) do this. For the vast majority of Android Apps and Android Developers they are just like Andro
Spoofing (Score:5, Funny)
Tangentially, does anyone know of a procedure on Android which enables you to spoof your personal data and activity (at least as far as apps are concerned)?
Example: your name is Dorothy and you're in Kansas clicking your red ruby slippers together, but all apps see you as Toto, living down in Africa, blessing the rains.
Re: (Score:3, Insightful)
I haven't tried it yet but I think the Xposed module XPrivacy module can do that.
Comment removed (Score:5, Insightful)
Re: (Score:2)
I've fallen back to my old standby - Droidwall. It's an iptables firewall. Doesn't help with the apps which need Internet access to function, but works on everything
Re: (Score:2)
iPhone apps can't access call logs, installed apps, messages or pretty much anything else. They are sandboxed.
Re: XPosed and XPrivacy will lie for you! (Score:5, Insightful)
IOS doesn't allow any app to have most of those permissions. Even in case like Contacts (as of iOS 8), there is a new API that allows the user to select the contact within the app using an OS provided picker and the app only has access to the contact the user chose.
You can also turn off permissions granularly once an app is installed.
Twitter snooping into your medicine cabinet, too (Score:3, Informative)
Privacy backlash as Twitter starts to snoop on EVERY app users have on their phone [dailymail.co.uk]
Xprivacy and rooted for the win.. (Score:5, Interesting)
It was an eyeopener to see some apps that were misbehaving or just outright being illegal. My flashlight app now only controls the LED on the rear, and cannot see any of my private details - and they earned themselves a 1-star review..
How about SuperSu? (Score:2)
They just took Google's motto (Score:2)
and tweaked the punctuation a bit, from "Don't Be Evil" to "Don't, Be Evil!"
BTW, am I the first one to notice that Uber is an anagram of "Rube" [merriam-webster.com]?
Traditional taxis and payphones (Score:2)
We sure are lucky, pay-phones weren't able to legally block the introduction and use of cell-phones. From what I hear, we weren't quite as lucky [wikipedia.org] with horse-drawn carriages being obsoleted by autos — but sanity prevailed.
Now the traditional — licensed — taxis are being obsoleted by Uber and the likes and that is a good thing, even if the taxi industry and the rent-seeking city halls don't like it.
All, that cabbie-lice
Hubris (Score:2)
Not the only app (Score:2)
My mom has an Android tablet and whenever we check what an app (mostly games) asks for, it's astounding. Why is a game asking for contacts, call logs (ok, in her case not a problem), and other info? Some info like geolocation is fine (at the limit), but Google really should do a big cleanup.
Say what you will about iOS, but being more restrictive about what an app can fetch is not a bad thing.
Granting permission requests shouldn't be automati (Score:2)
Incorrect analysis (Score:5, Informative)
Incorrect analysis by the original blog. Please see this nextweb article which clarifies
http://thenextweb.com/apps/2014/11/27/ubers-app-malware-despite-may-read/
Re:Incorrect analysis (Score:4, Informative)
Mod parent up. The summary and the article are complete lies. The summary/article is claiming the app was caught sending the data. Looking at the actual original blog post mentioned by the article, some person decompiled the Uber app code, and they found some suspiciously named functions that suggest the app might look up data it should not. They never claimed that the app actually sent any of their data, in fact they specifically say there may not be an issue. The parent's linked article actually shows some (limited) analysis done by someone who was actually intercepting device traffic, and there was nothing suspicious.
A more accurate title would be "Uber app contains suspicious looking method names, more analysis needed"
MODS ARE DICKS (Score:2)
Just check - every thread about "nextweb" and its analysis that this blog is incorrect is modded 0 points.
This thread is modded 0 points.
Your note is modded 0 points.
Apparently "sharing the real facts" and "debunking the hysteria" is modded down.
Discussions about how Google/Android are bad, permissions aren't granular, Uber is bad, Uber has a German name so they must be worse still, etc... those are modded 4-5.
Happy thanksgiving.
Mods - go meta-mod your "peers". They are out of control.
E
Re: (Score:3)
"Suspicious" is an understatement. Here's the offending code:
über alles (Score:2)
Uber wants "Uber über alles!"
I'm shocked (Score:2)
Hands up who is surprised by this? Anyone?
I'm sure a little careful digging in their TOS/EULA and you'll see that you already agreed to give all your secrets to them.
AT&T made deal with Uber to preinstall the app (Score:2)
Every AT&T Android phone comes with this preinstalled.
Re: (Score:3)
Re:It's a storage site (Score:5, Insightful)
Re: (Score:2)
I just deleted my Uber app and will use Lyft going forward
Re: (Score:3)
Re: (Score:2)
You know what, eff Uber. They can keep my data. They're not getting any more of my money.
Re: (Score:2)
Welcome to the world where capital rules. Don't say communism is better, it's the world where crazy old alcoholics rule.
One thing about old-style Soviet communism - old alcoholics become dead alcoholics a lot quicker. Or they're "retired".
Re: (Score:3)
Re: (Score:2, Informative)
Yes you are correct, however what are you supposed to do?
It's all or nothing with Android. It's not like you can exchange your phone for a different platform that has better permissions if you decide it's too much.
Google should change the way it works.
Re: (Score:2)
Google changed the way the permissions are described in order to combine non-invasive permissions and invasive permissions under the same label. Even a person reading the permissions off doesn't really have a clue about how much access the app actually has to their data.
In any case, this is why I stopped using Android phones and went with iOS. Apps can't play these sorts of games on iOS.
-Matt