Security researchers are reporting that Apple allowed Uber to use technology that could record a user’s iPhone screen, even when the Uber app was only running in the background.
According to Gizmodo, the researchers, who remain anonymous, said that Uber intended to use the data to improve functionality between its iOS app and the Apple Watch. After researchers discovered the tool in use, Uber confirmed it was disabled and removed the feature from its app.
“It was used for an old version of the Apple Watch app,” an Uber spokesperson told Gizmodo. “This dependency was removed with previous improvements to Apple’s OS and our app. Therefore, we’re removing this API from our iOS codebase.”
According to the researchers, the screen recording ability comes from an “entitlement” — code that Apple permits app developers to use for common functions like enabling push notifications or iCloud integration.
However, Will Strafach, a security researcher and CEO of the New York-based Sudo Security Group, told Gizmodo that he wasn’t able to find any other apps with such a screen recording entitlement on the App Store.
“It looks like no other third-party developer has been able to get Apple to grant them a private sensitive entitlement of this nature,” Strafach told the tech site. “Considering Uber’s past privacy issues I am very curious how they convinced Apple to allow this.”
Uber told Gizmodo that “Apple gave us this permission years ago because Apple Watch couldn’t handle our maps rendering.”
Although Uber says its intention was merely to improve Apple Watch app functionality, the capability has also raised privacy concerns, such as the potential for secret monitoring of iPhone activity. “Essentially it gives you full control over the framebuffer, which contains the colors of each pixel of your screen. So they can potentially draw or record the screen,” Luca Todesco, a researcher and iPhone jailbreaker, told Gizmodo. “It can potentially steal passwords, etc…”
Strafach said, however, that he hadn’t found any indication that Uber’s tech was used maliciously.