Several security researchers recently discovered that Uber’s app leveraged a powerful API to record users’ iPhone screens. The API was used in an effort to improve performance of its Apple Watch app.
The API was something that Apple granted to them upon special request. Security researcher Will Strafach said Uber took advantage of an entitlement that allowed its app to record user screen information even while the app was running in the background.
Entitlements are basic bits of code that allow access to hardware and software features, but certain high-level entitlements are usually restricted to first-party apps. Strafach says Apple’s issuance of Uber’s particular entitlement is extremely rare, noting no other apps on the App Store aside from Apple’s own appear to benefit from the same functionality.
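As an added illustration of how a reviewer can check what an app's code signature actually grants (this is example code, not from the article or from Uber), the script below parses an entitlements plist and separates Apple-private entitlements (the `com.apple.private.` namespace) from ordinary ones. The plist is constructed for the example and the private key name is a placeholder, not the entitlement the article refers to.

```python
import plistlib

# Constructed sample entitlements plist for this example only. The
# com.apple.private.* key is a PLACEHOLDER name, not a real entitlement.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>TEAMID.com.example.rideshare</string>
    <key>aps-environment</key>
    <string>production</string>
    <key>com.apple.private.PLACEHOLDER-screen-access</key>
    <true/>
    <key>get-task-allow</key>
    <false/>
</dict>
</plist>
"""

# Apple reserves this prefix for entitlements normally granted only to
# its own (first-party) binaries; a third-party app carrying one is
# worth a closer look during review.
PRIVATE_PREFIX = "com.apple.private."


def audit_entitlements(plist_bytes):
    """Classify each entitlement as private, public, or disabled.

    An entitlement whose value is false or empty grants nothing, so it
    is reported separately rather than as an active capability.
    """
    entitlements = plistlib.loads(plist_bytes)
    report = {"private": [], "public": [], "disabled": []}
    for key, value in entitlements.items():
        if value is False or value in ("", [], {}):
            report["disabled"].append(key)
        elif key.startswith(PRIVATE_PREFIX):
            report["private"].append(key)
        else:
            report["public"].append(key)
    for bucket in report.values():
        bucket.sort()
    return report


if __name__ == "__main__":
    for bucket, keys in audit_entitlements(SAMPLE_ENTITLEMENTS).items():
        print(f"{bucket}: {keys}")
```

On a real app bundle the plist to feed in can be dumped with `codesign -d --entitlements :- /path/to/App.app`.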
In a statement, researcher Luca Todesco said:
“Essentially it gives you full control over the framebuffer, which contains the colors of each pixel of your screen. So they can potentially draw or record the screen. It can potentially steal passwords etc.”
Uber claims Apple explicitly allowed the use of the entitlement, which was subsequently used to improve memory management on Apple Watch. Specifically, older versions of Apple’s wearable were unable to render maps without the help of a paired iPhone. Rendering the map is obviously a main feature of Uber’s software.
In a statement to Gizmodo, Uber said the permission from Apple is no longer active and will be removed from the app. An Uber spokesperson said:
“It was used for an old version of the Apple Watch app, specifically to run the heavy lifting of rendering maps on your phone & then send the rendering to the Watch app. This dependency was removed with previous improvements to Apple’s OS & our app. Therefore, we’re removing this API from our iOS codebase.”
Despite its potential as a snooping tool, Strafach notes there is no evidence that the permission was used maliciously.