This article was published on October 6, 2017

Report: Uber app can secretly record your iPhone screen thanks to special ‘entitlement’

A security researcher this week uncovered a special permission in Uber’s iOS app that lets the app tap into the low-level display access behind the screen-recording features iOS 11 introduced.

Will Strafach, the researcher who uncovered the “entitlement,” said these capabilities are normally off limits to app developers unless Apple grants them explicitly. To his knowledge, Strafach told ZDNet’s Zack Whittaker, Uber is the only third-party app that has been granted such an entitlement.

The specific permission, Apple expert and jailbreak author Luca Todesco told ZDNet, is known as “com.apple.private.allow-explicit-graphics-priority.” It allows an app to read and write the part of the iPhone’s memory that holds pixel and display data, in effect everything drawn on screen, including other apps. He compared the access it grants to handing app developers a keylogger for iPhone users.
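The practical check a reviewer wants here is whether a given app binary actually carries a private entitlement such as this one. Entitlements are embedded as a plain XML plist inside the Mach-O code-signature blob, tagged with the magic value 0xfade7171, so they can be found by scanning the unencrypted binary. The following is an added example written for this article, not code from Uber, Apple or the researchers quoted; it scans a Mach-O image for that blob, parses the plist, and reports any entitlement under the private “com.apple.private.” prefix. The sample binary it runs against is constructed inline (a Mach-O magic, filler bytes and one entitlements blob) so the script runs offline; real input would be the decrypted main executable from an IPA.

```python
import plistlib
import struct
import sys

# Code-signature blob magic for the embedded entitlements plist
# (CSMAGIC_EMBEDDED_ENTITLEMENTS). Newer binaries may also carry a
# DER-encoded copy under a different magic (0xfade7172); this example
# only parses the XML form.
CSMAGIC_EMBEDDED_ENTITLEMENTS = 0xFADE7171

# The private entitlement discussed in the article.
SCREEN_ENTITLEMENT = "com.apple.private.allow-explicit-graphics-priority"
PRIVATE_PREFIX = "com.apple.private."


def extract_entitlement_blobs(macho: bytes) -> list:
    """Return every embedded-entitlements plist found in a Mach-O image.

    Blob layout: 4-byte big-endian magic, 4-byte big-endian total length
    (header included), then the XML plist. A fat binary has one code
    signature per slice, so more than one blob may come back.
    """
    magic = struct.pack(">I", CSMAGIC_EMBEDDED_ENTITLEMENTS)
    blobs = []
    pos = macho.find(magic)
    while pos != -1:
        if pos + 8 <= len(macho):
            (length,) = struct.unpack(">I", macho[pos + 4:pos + 8])
            # Reject lengths that do not fit inside the file (corrupt or
            # coincidental magic in unrelated data).
            if 8 <= length <= len(macho) - pos:
                blobs.append(macho[pos + 8:pos + length])
        pos = macho.find(magic, pos + 4)
    return blobs


def parse_entitlements(blob: bytes) -> dict:
    """Parse one entitlements plist; return {} rather than raising on junk."""
    try:
        data = plistlib.loads(blob)
    except Exception:
        return {}
    return data if isinstance(data, dict) else {}


def audit_entitlements(macho: bytes) -> dict:
    """Summarise what the binary is entitled to do."""
    ents = {}
    for blob in extract_entitlement_blobs(macho):
        ents.update(parse_entitlements(blob))
    private = sorted(k for k in ents if k.startswith(PRIVATE_PREFIX))
    return {
        "entitlements": ents,
        "private": private,
        "can_read_framebuffer": bool(ents.get(SCREEN_ENTITLEMENT)),
    }


def build_fake_macho(entitlements: dict) -> bytes:
    """Constructed test input: a 64-bit Mach-O magic, filler, then one
    entitlements blob. This is a stand-in for a real executable."""
    payload = plistlib.dumps(entitlements, fmt=plistlib.FMT_XML)
    blob = struct.pack(">II", CSMAGIC_EMBEDDED_ENTITLEMENTS, 8 + len(payload)) + payload
    return b"\xcf\xfa\xed\xfe" + b"\x00" * 64 + blob + b"\x00" * 16


# Constructed sample: an ordinary app-store style entitlement set plus the
# private entitlement from the report (hypothetical identifiers).
SAMPLE_BINARY = build_fake_macho({
    "application-identifier": "TEAMID12345.com.example.rideshare",
    "get-task-allow": False,
    SCREEN_ENTITLEMENT: True,
})


if __name__ == "__main__":
    # Usage: python audit.py [path/to/decrypted/executable]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    report = audit_entitlements(data)
    for key in report["private"]:
        print("PRIVATE entitlement:", key)
    print("framebuffer access:", report["can_read_framebuffer"])
```

On macOS the same plist can be obtained without scanning by running `codesign -d --entitlements :- Payload/App.app` against an unpacked IPA; the `:-` prefix strips the blob header and prints the XML to stdout. Note that App Store binaries are FairPlay-encrypted, so the executable must be dumped from a device on which it has been decrypted before the embedded plist is readable, and that the presence of an entitlement proves only that the signed app is permitted to use the capability, not that any shipped code does.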

While dubious-sounding, the entitlement was in place before the release of iOS 11, and the company doesn’t appear to have been recording screens, nor would we presume it intended to at any point in the future. Sources familiar with the matter tell TNW the feature was originally intended to improve resource management in the Apple Watch app. The worry is not Uber’s intent but what the entitlement makes possible: it is bound to the app’s code signature, so it is inherited by any code that ships inside the app, including third-party SDKs, and by anyone who breaches Uber’s network or build pipeline and pushes a modified build, who could then record users’ screens.

It’s also unclear why Apple would grant such an entitlement in the first place, given Uber’s past indiscretions. Just last year Apple CEO Tim Cook warned the company against tracking iOS users after it had been caught fingerprinting devices, even threatening to remove Uber from the App Store if it was caught violating the rules again, according to a NY Times report.

We’ve reached out to Apple for comment, and hope to learn more as the story continues to develop.

Update (4:03 PDT): An Uber spokesperson reached out to TNW and offered the following commentary about the report.

This API isn’t connected to anything in our current codebase, meaning it’s non-functional & there’s no existing feature using it. It was only ever used to render maps for an early version of our Apple Watch app, but has been dormant for quite some time.
We are working with Apple to remove it completely ASAP.
