Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Privacy Transportation Your Rights Online

Uber's Android App Caught Reporting Data Back Without Permission 234

Zothecula writes Security researcher GironSec has pulled Uber's Android app apart and discovered that it's sending a huge amount of personal data back to base – including your call logs, what apps you've got installed, whether your phone is vulnerable to certain malware, whether your phone is rooted, and your SMS and MMS logs, which it explicitly doesn't have permission to do. It's the latest in a series of big-time missteps for a company whose core business model is, frankly, illegal in most of its markets as well.
This discussion has been archived. No new comments can be posted.

Uber's Android App Caught Reporting Data Back Without Permission

Comments Filter:
  • by Anonymous Coward on Thursday November 27, 2014 @11:22AM (#48474275)

    How about Google does something about it? Like remove the app and takes Uber to court? I'm sure they can find a few terms in the app developer contract that they have violated.

    • by 0123456 ( 636235 ) on Thursday November 27, 2014 @11:25AM (#48474315)

      Or, you know, actually give us actual app permissions control so we can prevent it from retrieving this information in the first place, rather than having to agree that Happy Fluffy Kitty Screensaver can send text messages and read all my contacts or not install it at all?

      • by Greyfox ( 87712 ) on Thursday November 27, 2014 @11:46AM (#48474455) Homepage Journal
        You can do this with the cyanogenmod privacy manager. Of course, then you have to root your phone. Adding that functionality ought to be a no-brainer, but Google owns Youtube and Youtube just HAS to have access to your phone's camera for some reason. I'm guessing so they can watch you while you're masturbating. [youtube.com]
        • by Tukz ( 664339 )

          If you think that's bad, don't look at what Facebook Messenger wants access to.

          • by 0123456 ( 636235 )

            If you think that's bad, don't look at what Facebook Messenger wants access to.

            I did. That's why I uninstalled the Facebook app some time back.

          • Think that's bad (Score:5, Informative)

            by goldcd ( 587052 ) on Thursday November 27, 2014 @02:44PM (#48475339) Homepage
            Have a look what Citrix Worx asks for (certifier of your phone, so you can look at your work email). Device & app history
            retrieve running apps
            read sensitive log data
            Mobile data settings
            change/intercept network settings and traffic
            Location
            precise location (GPS and network-based)
            Photos / Media / Files
            modify or delete the contents of your USB storage
            test access to protected storage
            Camera / Microphone
            record audio
            Wi-Fi connection information
            view Wi-Fi connections
            Device ID & call information
            read phone status and identity
            Other
            press keys and control buttons
            read frame buffer
            close other apps
            update component usage statistics
            force-stop other apps
            modify secure system settings
            view network connections
            connect and disconnect from Wi-Fi
            full network access
            run at startup
            read battery statistics
            control vibration
            close other apps
            set wallpaper
            install shortcuts
            uninstall shortcuts
            modify system settings
            pair with Bluetooth devices
            draw over other apps
            • Re:Think that's bad (Score:4, Informative)

              by adolf ( 21054 ) <flodadolf@gmail.com> on Thursday November 27, 2014 @11:28PM (#48477173) Journal

              That, actually, doesn't look all too onerous for such a product.

              Of course I want my fancy remote-everything program to be able to manage the network, see the status of the network, use the network, vibrate, pair with devices, manage shortcuts (shortcut to email on the homescreen?), change settings (so that the remote apps can, you know, do their thing), draw on top (notifications), take pictures, use a microphone, use the camera, access files (do you like attachments with your email?) and read phone status and identity (it knows you're on the phone, just like every other app that handles audio).

              I don't know why it needs precise location, but sheesh. At least it's not like Pandora, which is just a bloody streaming music player:

                      find accounts on the device
                      read your contacts
                      add or modify calendar events and send email to guests without owners' knowledge
                      test access to protected storage
                      modify or delete the contents of your USB storage
                      view Wi-Fi connections
                      read phone status and identity
                      receive data from Internet
                      install shortcuts
                      run at startup
                      full network access
                      pair with Bluetooth devices
                      connect and disconnect from Wi-Fi
                      change network connectivity
                      access Bluetooth settings
                      view network connections
                      prevent device from sleeping

        • by stoploss ( 2842505 ) on Thursday November 27, 2014 @12:41PM (#48474791)

          You can do this with the cyanogenmod privacy manager. Of course, then you have to root your phone.

          Unless they have changed their stance since CM7, the privacy manager sucks compared to XPrivacy because XPrivacy will allow spoofing of data. If a permission is flatly blocked instead of spoofed then many apps will force close due to exceptions being thrown. XPrivacy lets me keep my privacy without app force closes. Anyway, the CM devs used to be adamant that they would never allow spoofing because it would interfere with app devs data mining user data. It's one of the reasons I parted ways with CM. Maybe they have changed their position, though.

          Besides, XPrivacy, while it requires root, does *not* require a whole custom rom. Custom ROMs are passe compared to what the XPosed framework can do, and XPrivacy is an excellent example of an XPosed module.

          • >Besides, XPrivacy, while it requires root, does *not* require a whole custom rom. Custom ROMs are passe compared to what the XPosed framework can do, and XPrivacy is an excellent example of an XPosed module.

            I don't XPect to like programs with an XTremely crappy habit of putting unnecessary Xs in front of words.

          • by hankwang ( 413283 ) on Thursday November 27, 2014 @01:19PM (#48474979) Homepage

            "Unless they have changed their stance since CM7, the privacy manager sucks compared to XPrivacy because XPrivacy will allow spoofing of data. If a permission is flatly blocked instead of spoofed then many apps will force close"

            Well, they did. CM11 has a privacy manager that will allow you to block access to contacts and so on, without making apps crash. I have set it up such that it will notify me whenever an app tries to access contacts, sms, calendar, location and it is surprising how few suspicious popups I get. One weird thing: wifi related apps need location access in order to show access points. Makes some sense, but it took me a while to realize why those apps weren't working.

            • Interesting that they reversed themselves on that. Guess it became untenable for them to continue to choose the app developers' interest in data mining over the userbase's desire for privacy.

              My point about custom roms being passe still stands. With a custom rom one is tied to accept the rom devs feature set and mods as an all or nothing deal. Conversely, with XPosed one can pick and choose which features to load and still keep access to OTA Android updates.

              I've compiled my own custom ROMs from source and ev

        • Not to worry ... Twitter wants in on that action [financialpost.com].

          "To help build a more personal Twitter experience for you, we are collecting and occasionally updating the list of apps installed on your mobile device so we can deliver tailored content that you might be interested in," the company said.

          Yeah, no, thanks.

          Didn't want your app before. Don't want it now.

          This whole "free to use, but we get all your data" model of software is producing some pretty shitty stuff which is actively hostile to your privacy.

          The only wa

          • by AJWM ( 19027 ) on Thursday November 27, 2014 @01:38PM (#48475057) Homepage

            This -- although I don't even need your phone.

            These days smartphones might as well just be GPS house-arrest bracelets with better PR.

            • by Anonymous Coward on Thursday November 27, 2014 @02:14PM (#48475187)

              I've switched to a prepaid $50 Nokia Lumina 520(paid for entirely in cash including the minutes). They can still interogate the people from my call logs to find out who the phone belongs to, or GPS track it to my house using Carrier IQ, but atleast I'm not spoonfeeding it to them. Since it's a windows phone, I only use it for wifi tethering my Google Voice number/Google Hangouts to the 4G LTE network.

              I have Whatsapp on my old burner cell phone I use for international travel... Tons of stupid android apps. Terrible battery life!

              I say this as an App developer: Google really needs to clean house. I know the permissions configuration while writing an app encourages asking for everything so the code will compile, but all the same: the Carriers cock-blocking Android updates for 6-15 months(so they can "lame it up" with their stupid skins that nobody wants) is a HUGE security problem and probably one of the reasons why BYOD is so dangerous to corporate networks if done incorrectly. The privacy issue with being unable to firewall your contacts list, SMS history, and Photos is a major problem. One solution would be for every phone to have two contacts lists, SMS logs, and Photo albums set where you have to specifically move your private data in to the "everyone can see this shit" section where the Apps can go nuts.

              Another solution would be to force all apps to ex-filtrate data through a Google monitored intermediary. This could be done at the kernel level by Android forcing the issue via their API. All outbound network traffic could be MITMed Transparently to the App developers. Sort of a "Privacy IDS"/MITM which is encrypted between the App and Google, and Google/the App's back-end servers. Would it cause higher latency? Probably(but they could have a "Privacy Certified" alternative where the App has to have it's Source Code reviewed by Google before going through the "Play" app store). Fascist? Yup! Necessary? Seems so!

              Google could just start banning developers from their store caught misbehaving but that doesn't really scale well.

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        What do you mean "have to agree"? In what sense do you "have" to? I've certainly never agreed (and in fact don't have Uber's app or other similar "ask for everything under the sun" apps), and have detected no one attempting to compel me to agree to anything I don't want to agree to.

        Have we lost any and all ability as a culture to say "no" to things that are obviously unreasonable? That's all you have to do. Look at the list of permissions, decide that's too much, and refuse to install the app. It's rea

      • There are permissions viewers, but you may also find permission managers. I have one installed but my phone is charging.

        Not sure if the app has been borked by updates since the last time I went and used it to revoke some permissions after installation. It may have been. Google has tampered a bunch with security settings.

        I usually go adjust the permissions after installation but before first execution.

        Ultimately, people should light a fire under Google to force app publishers to only request perms they reall

    • by jareth-0205 ( 525594 ) on Thursday November 27, 2014 @12:04PM (#48474549) Homepage

      How about Google does something about it? Like remove the app and takes Uber to court? I'm sure they can find a few terms in the app developer contract that they have violated.

      Worse than that, Google an an invester of Uber. They have put in $250million, they should just go and demand that Uber stop fucking about.

    • Re: (Score:2, Informative)

      Comment removed based on user account deletion
      • by bouldin ( 828821 ) on Thursday November 27, 2014 @05:26PM (#48475881)

        Those are legitimate explanations for the app to need said access, but that's not what the article is about. The researcher found Uber was SENDING ALL OF THIS BACK TO UBER'S SERVERS.

        Sorry for yelling, but it's an important point.

        Also, there is no good reason to report back your data pertaining to malware.

        • The researcher found Uber was SENDING ALL OF THIS BACK TO UBER'S SERVERS.

          Sorry for yelling, but it's an important point.

          NO HE DID NOT.

          Sorry for yelling, but it's an important point.

          Go back and read the original GironSec blog post [gironsec.com] where he even acknowledges explicitly what he (inexcusably, IMHO) failed to do -- that others did after him and surprise! found nothing especially amiss -- before he wrote an inflammatory blog post based on supposition, conjecture and ignorance of context.

          • And a little bit of decompiled code like:

            public void run()
            {
            Looper.prepare();
            InAuthManager.getInstance().updateLogConfig(this.val$URL, this.val$acctGUID);
            InAuthManager.getInstance().sendAccountsLog(this.val$transID);
            InAuthManager.getInstance().sendAppActivityLog(this.val$transID);
            InAuthManager.getInstance().sendAppDataUsageLog(this.val$transID

          • by bouldin ( 828821 )

            NO HE DID NOT. Sorry for yelling, but it's an important point.

            Yep, I didn't see the NextWeb response until after my post.

            I capitalized that phrase because the poster I was responding to (like many other posters) was confusing accessing data with sending data back to Uber servers. I wanted to draw attention to that distinction.

            Go back and read the original GironSec blog post where he even acknowledges explicitly what he (inexcusably, IMHO) failed to do -- that others did after him and surprise! found nothi

    • More to the point, why is it even possible for a third party app to access this much informaiton?

  • by ShanghaiBill ( 739463 ) on Thursday November 27, 2014 @11:25AM (#48474301)

    If the app does not have permission to access these personal data, then why is Android giving it access? The solution to privacy is not trust, but robust security. No app should be able to access my call logs or other personal data unless I give explicit permission.

    • by Anonymous Coward on Thursday November 27, 2014 @11:34AM (#48474373)

      I just went to the google play store page for Uber [google.com], and checked the permissions the app requires. It includes:

      Read your Contacts, take pictures, status and identity, modify system settings, read google service configuration, and a host of others.

      So, based on this (admittedly limited) information, it doesn't seem to be bypassing google security so much as utilizing the proper channels to claim superior access to the user's phone.

      And in this, it is not alone. The majority of apps on the play store require all these permissions, and google will not give users explicit control over these permissions for two reasons:

      1) Users will break their own apps and then google will take the heat for it (you KNOW this will happen, a LOT)
      2) Vendors will hate the sandbox that users put them in, and google will take the heat for that (and lose a lot of free apps that represent a competitive advantage for google).

      I am not saying this is right, but this is a natural response to the incentives google faces.

      • by Anonymous Coward on Thursday November 27, 2014 @11:42AM (#48474431)

        There's a simple solution to this, and one that Apple has applied successfully to Uber - make it a condition to get into the store that you don't request permissions you don't need to do the app's job. Uber for iOS doesn't require access to all this stuff. I'd bet heavily that that's because Apple told them to go fuck themselves until they sorted it out.

      • by Derek Pomery ( 2028 ) on Thursday November 27, 2014 @11:48AM (#48474465)

        Agreed. It's absurd how many apps require all these permissions to be installed.

        If you want the app, you agree to that.
        I still haven't upgraded Waze since their new "social" integration required a ton more privileges, mostly to phone private info. And this despite running XPrivacy - I just can't be bothered to go through the whitelisting for it, when current version works well enough. Ditto the updated Google Search app.

        It'd be nice if apps had a base set of privs then expanded sets that could be allowed on install or later by request to the system/user. Also it'd be nice if the privileges were a lot more restricted, like "Use Ad Service to show you ads" instead of "Use Internet"

        So, I installed a little Fisher Price Animals app for kid, and set XPrivacy to "ask" mode. On startup, XPrivacy popups popped up indicating the app wanted my Localisation, Phone Identity, Telephone (calling/numbers - probably just so the app could know when a call was coming in if a kid was playing, but still, the sort of broad category Android requires for something like that), Sensors, some Shell cpu thingy I couldn't be bothered to figure out, but that it seems to run just fine without, and, Shell lib calls for the animal sounds.
        But, yeah, you allow broad categories, some inoccuous, some just 'cause they want to know how many users they have or something, and, surprise!

      • I just went to the google play store page for Uber, and checked the permissions the app requires. It includes:

        Read your Contacts, take pictures, status and identity, modify system settings, read google service configuration, and a host of others.

        So, based on this (admittedly limited) information, it doesn't seem to be bypassing google security so much as utilizing the proper channels to claim superior access to the user's phone.

        What I don't understand is the SMS claim. Is Uber exploiting a vulnerability to get SMS data or do these other permissions somehow grant some kind of access to SMS as well?

        There is a whole group of SMS privileges and according to the app store not a single one is being claimed... so what gives?

      • CyanogenMod (Score:4, Insightful)

        by brunes69 ( 86786 ) <slashdot@keir[ ]ad.org ['ste' in gap]> on Thursday November 27, 2014 @01:12PM (#48474941)

        CyanogenMod and many other ROMs let you control this stuff. I have never found an app that broke due to the CyanogenMod privacy manager. I can't see how it would break because all it does is mock dummy responses for all of these things.

      • There are tools that will let you edit app permissions after installation to remove some of them. Or at least I have installed and used those in past and hoped they worked. In some cases, apps check at startup and bork themselves like petulant children if they don't get what they want (even if they didn't need it) but others seem to run fine without the extraneous permissions (like ones that would allow linking to social media that I don't use so the function never gets invoked).

        Ultimately, I should never h

    • Well, the problem is apps ask for every damned permission just in case, and give little explanations as to why. That whole permission which says "this can cost you money" ... WTF does that mean? In what context?

      And the other thing is Google won't give the ability to have discrete permissions on apps, or come back later and revoke some. I frequently get annoyed because I can't think of a single reason why an app actually needs a given permission.

      Now, if the app can access this stuff even if it has no perm

      • It's my damned device, I want control over it.

        That sinking feeling when the Google and Apple we all praise (fractions add up to a whole even if individually we meet in fanboy flamewars here), follow the new normal: we are the PRODUCT, not the consumer. Why accommodate US if it won't make them more cash? This is what happens when the slippery rope can't even be invoked because the system is designed from step 1 so all of us rope-walkers start at the bottom end of the rope, trying to climb up.

        To us who come from Linux's rpm mirrors or open-repositories w

    • by oogoliegoogolie ( 635356 ) on Thursday November 27, 2014 @01:13PM (#48474947)

      Probably because android has all-or-nothing, non-granular permissions where you have to grant the app access to everything it requests, or else it's 'no app for you!'
      If the app wants to access to your contacts, accounts, phone history, photos, camera, messaging, mail, you give it access or you don't get to install it.

      It's a stupid, dumb, and poorly thought out implementation and google should (?) know better.

  • Spoofing (Score:5, Funny)

    by korbulon ( 2792438 ) on Thursday November 27, 2014 @11:28AM (#48474323)

    Tangentially, does anyone know of a procedure on Android which enables you to spoof your personal data and activity (at least as far as apps are concerned)?

    Example: your name is Dorothy and you're in Kansas clicking your red ruby slippers together, but all apps see you as Toto, living down in Africa, blessing the rains.

    • Re: (Score:3, Insightful)

      by Billhead ( 842510 )

      I haven't tried it yet but I think the Xposed module XPrivacy module can do that.

    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Thursday November 27, 2014 @11:49AM (#48474469)
      Comment removed based on user account deletion
    • As others have pointed out, XPrivacy does exactly that [xda-developers.com]. Unfortunately, it runs on top of the Xposed Framework [xda-developers.com], which was coded assuming Dalvik. ART breaks it, and Lollipop has switched over entirely to ART. According to the developer it's going to be a monumental task rewriting it to work under ART, and not to expect anything until 2015.

      I've fallen back to my old standby - Droidwall. It's an iptables firewall. Doesn't help with the apps which need Internet access to function, but works on everything
  • by popoutman ( 189497 ) * on Thursday November 27, 2014 @11:43AM (#48474439) Journal
    Makes me very happy that I have XPrivacy installed on my rooted S4 Active, and I now have a fine-grained security model with the ability to control what apps have access to what.

    It was an eyeopener to see some apps that were misbehaving or just outright being illegal. My flashlight app now only controls the LED on the rear, and cannot see any of my private details - and they earned themselves a 1-star review..

    • This app just popped up on my wife's phone, wanting to update itself. I had no idea what it is, so Googled it... "SuperSU is a Superuser management tool for rooted devices". "SuperSU Brings Better SuperUser Root Permission Management to Android" I still don't have a clue as what I would actually do with such an app. Everything I read about it just leaves me more confused. I have two questions - what is it doing on my wife's phone, that I recently did a factory reset on, and 2.) Would this app somehow allow
  • and tweaked the punctuation a bit, from "Don't Be Evil" to "Don't, Be Evil!"

    BTW, am I the first one to notice that Uber is an anagram of "Rube" [merriam-webster.com]?

  • core business model is, frankly, illegal in most of its markets as well.

    We sure are lucky, pay-phones weren't able to legally block the introduction and use of cell-phones. From what I hear, we weren't quite as lucky [wikipedia.org] with horse-drawn carriages being obsoleted by autos — but sanity prevailed.

    Now the traditional — licensed — taxis are being obsoleted by Uber and the likes and that is a good thing, even if the taxi industry and the rent-seeking city halls don't like it.

    All, that cabbie-lice

  • The hubris of Uber will be its undoing. They are quickly and loudly showing their true colors. One could only hope that enough drivers wise up to the Uber mafia and organize a labor stoppage to teach them a lesson in free market economics.
  • My mom has an android tablet and whenever we check what an app (mostly games) asks for, it's astounding. Why is a game asking for contacts, call logs (ok, in her case not a problem), and other info? some info like geolocation is fine (at the limit), but Google really should do a big cleanup.

    Say what you will about iOS, but being more restrictive about what an app can fetch is not a bad thing.

  • As part of the app approval process developers should be required to explain why they want certain sensitive permissions, such as access to contacts, messages etc. Google should then deny approval of apps that overreach in terms of permission requests.
  • Incorrect analysis (Score:5, Informative)

    by Anonymous Coward on Thursday November 27, 2014 @12:22PM (#48474685)

    Incorrect analysis by the original blog. Please see this nextweb article which clarifies
    http://thenextweb.com/apps/2014/11/27/ubers-app-malware-despite-may-read/

    • by Anonymous Coward on Thursday November 27, 2014 @01:17PM (#48474967)

      Mod parent up. The summary and the article are complete lies. The summary/article is claiming the app was caught sending the data. Looking at the actual original blog post mentioned by the article, some person decompiled the uber app code, and they found some suspiciously named functions that suggest the app might look up data it should not. They never claimed that the app actually sent any of their data, in fact they specifically say there may not be an issue. The parent's linked article actually shows some (limited) analysis done by someone who was actually intercepting device traffic, and there was nothing suspicious.
       
      A more accurate title would be "Uber app contains suspicious looking method names, more analysis needed"

      • Just check - every thread about "nextweb" and its analysis that this blog is incorrect is modded 0 points.

        This thread is modded 0 points.

        Your note is modded 0 points.

        Apparently "sharing the real facts" and "debunking the hysteria" is modded down.
        Discussions about how Google/Android are bad, permissions aren't granular, uber is bad, uber has a German name so they must be worse still, etc... those are modded 4-5.

        Happy thanksgiving.
        Mods - go meta-mod your "peers". They are out of control.

        E

        E

      • "Suspicious" is an understatement. Here's the offending code:

        public void run()
        {
        Looper.prepare();
        InAuthManager.getInstance().updateLogConfig(this.val$URL, this.val$acctGUID);
        InAuthManager.getInstance().sendAccountsLog(this.val$transID);
        InAuthManager.getInstance().sendAppActivityLog(this.val$transID);
        InAuthManager.getInstance().sendAppDataUsage

  • Uber wants "Uber über alles!"

  • Hands up who is surprised by this? Anyone?

    I'm sure a little careful digging in their TOS/EULA and you'll see that you already agreed to give all your secrets to them.

  • Every AT&T android phone comes with this preinstalled.

"Your stupidity, Allen, is simply not up to par." -- Dave Mack (mack@inco.UUCP) "Yours is." -- Allen Gwinn (allen@sulaco.sigma.com), in alt.flame

Working...