Apple gave Uber access that could be used to record a user’s screen.
Uber is not exactly known as a “good guy”. In fact, there have been a few privacy issues that have put its name in the headlines before. One of the most notable resulted in a very public “slap on the wrist” from Apple for “fingerprinting” devices.
So why would Apple give Uber permission to record users’ screens, even if the app is only running in the background?
Security researchers found a very specific entitlement granted to the Uber app. An entitlement is much like the permissions we are all used to, except that it falls outside the scope of a typical permission: an app requires Apple’s explicit permission to use one. And it seems this permission was granted to the Uber app. What does it do? “Essentially it gives you full control over the framebuffer, which contains the colors of each pixel of your screen. So they can potentially draw or record the screen,” researcher Luca Todesco explained. “It can potentially steal passwords etc.”
Of course, Uber assures users that this is not what the entitlement was used for. Uber states that this function was used to support the Apple Watch app, and was only used in version 8.2 of its app. Since that version, Uber states, the entitlement has sat dormant in the app, and now that it has been brought to people’s attention, they will be removing it in upcoming versions.
Still, if I were an iPhone user (of course I am not) I would be quite concerned with Apple giving such a permission to a company that has played so fast and loose with users’ privacy already. Tim Cook can state that Apple will not provide back doors to law enforcement, but why are they providing front doors to commercial entities while users are left ignorant of Apple’s doings?