A single blog post sparked a strange, worrying headline this week: “Uber’s app is literally malware,” proclaimed a thread on Hacker News.
Despite the blog post itself being oddly inflammatory, a number of media outlets have picked up the story’s claims that Uber may send unnecessary amounts of data back from your phone, like your private SMS messages and images stored on your phone.
Let’s nip this one in the bud: it’s incredibly unlikely that Uber’s app is any kind of malware, and from our investigations, the worries in the original post are unfounded. Most of the permissions listed in the post, which calls the company out for being too broad with permissions, are required by Android for many of the app’s basic functions.
Despite what some are claiming, there’s no evidence that Uber accesses any data on your phone other than that used explicitly for the purpose of getting you a ride, nor does it send any of your SMS messages, images or other data off your phone.
There’s no reason for Uber to collect data beyond what it needs; it’s certainly not in the company’s best interest.
As it turns out, Uber even has its own page that explains many of its install permissions for this very reason. Let’s go over the list of permissions requested by the Uber app upon install, one by one, and explain what each one does, using the app’s functionality to guide us:
- Location: Uber needs to know where you are so you can get picked up. Surprise!
- Contacts: For splitting fares with friends and inviting friends to use Uber.
- Phone: To call your Uber driver or for them to call you.
- Camera/Microphone: Uber has a function that lets you take a photo of your credit card for scanning.
- Wi-Fi Connection: Checks if you have internet and attempts to use the Wi-Fi name to help determine your location.
- Device ID and Call Information: Allows access to your phone number and a unique ID for your device.
- Identity: Allows Android users to sign in and pay with one tap (using the Google Sign-In and Google Wallet services).
- Photos/Media/Files: Uber says this is to “save data and cache mapping vectors.”
Remember the Facebook Messenger permissions that scared everyone just a few months ago? Those same scary permissions turned out to be entirely used for legitimate reasons.
Indeed, in a statement to Cult of Mac as an update to its story on the matter, Uber says “Access to permissions including Wifi networks and camera are included so that users can experience full functionality of the Uber app. This is not unique to Uber, and downloading the Uber app is of course optional.”
Still worried? Fair enough; I did some digging to verify Uber’s not doing what the blog claimed it might be doing.
I set up my Android phone to have its traffic intercepted by my Mac for around 30 minutes. I monitored from when I downloaded it, to when I logged in and ordered a cab, as well as in the background. It’s not extensive, but it’s enough to see if anything fishy is going on.
Below you can see the most information that I saw Uber ever send off my device (note: this information was fully encrypted and is only readable as I added a certificate to the phone that allowed me to decrypt the data).
Uber sends back information like your location, phone number and email address — which is expected — along with data about your phone like the model number, OS version and serial number of the device. This information is incredibly valuable for development teams to help debug their apps when building them, and it can be found in most apps.
I couldn’t find any instance of Uber sending back any more detailed information than this, certainly not the SMS log or call history.
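The same kind of check can be repeated over an exported capture of decrypted requests. The sketch below is an added example, not the author's tooling or Uber's actual payload format: the flow records, host names and field names are constructed, and the key patterns are assumptions you would tune to the app being audited.

```python
import json
import re

# Leaf-key patterns per data category (assumed names, tune per app).
KEY_PATTERNS = {
    "location": re.compile(r"^(lat|lng|lon)|location", re.I),
    "phone_number": re.compile(r"phone|mobile|msisdn", re.I),
    "email": re.compile(r"e-?mail", re.I),
    "device_info": re.compile(r"model|os_?version|serial", re.I),
    "sms_or_call_log": re.compile(r"sms|call_?(log|history)", re.I),
}
# Values can reveal a category even when the key name is uninformative.
EMAIL_VALUE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]+$", re.I)

def flatten(obj, prefix=""):
    """Yield (dotted_key, value) for every leaf of a decoded JSON body."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from flatten(value, f"{prefix}{index}.")
    else:
        yield prefix.rstrip("."), obj

def audit(flows):
    """Map each category to the sorted 'host:key' entries that carried it."""
    found = {name: set() for name in KEY_PATTERNS}
    for flow in flows:
        try:
            body = json.loads(flow["body"])
        except (ValueError, TypeError):
            continue  # non-JSON bodies need separate manual review
        for key, value in flatten(body):
            leaf = key.rsplit(".", 1)[-1]
            for name, pattern in KEY_PATTERNS.items():
                if pattern.search(leaf):
                    found[name].add(f"{flow['host']}:{key}")
            if isinstance(value, str) and EMAIL_VALUE.match(value):
                found["email"].add(f"{flow['host']}:{key}")
    return {name: sorted(hits) for name, hits in found.items()}

# Constructed sample capture: one JSON request and one non-JSON request.
SAMPLE_FLOWS = [
    {"host": "api.example.test", "body": json.dumps({
        "latitude": 52.37, "longitude": 4.89,
        "user": {"contact": "rider@example.test", "mobile": "+15555550100"},
        "device": {"model": "Nexus 5", "os_version": "4.4.4",
                   "serial": "ABC123XYZ"}})},
    {"host": "cdn.example.test", "body": "not json"},
]

if __name__ == "__main__":
    for category, hits in audit(SAMPLE_FLOWS).items():
        print(f"{category:16} {hits if hits else 'not observed'}")
```

An empty `sms_or_call_log` entry only covers the requests in the capture, so the result is as limited as the capture window itself.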
Perhaps the issue here isn’t apps asking for too many permissions, but instead the way those permissions are presented to the user. Android users continue to be scared away by permissions on the platform, when in reality the apps are simply asking for the details they need to perform basic functions.
In the blog post that started all of this, the writer himself notes “Maybe Uber evil [sic]. Maybe Uber isn’t sending a bunch of data off to their collection servers for harvesting. Maybe I’m just paranoid.”
For Uber on Android, there’s nothing to worry about. These permissions aren’t as worrisome as they’re being made out to be.