Yes, you heard it right! The taxi-hailing app can now record, and therefore access, everything on your iPhone’s screen, even when the app is running in the background. This security breach was discovered by analysts, according to a report published in The Independent.
The software has a special permission, which is not available to most apps, allowing it to gain access to everything that iPhone users scroll through on their handsets, including passwords and private pictures.
According to Uber officials, the feature is not in use and will be removed soon. However, the fact that it could actually allow the company to spy on its users’ personal data is extremely worrying, and illegal as well.
It was spotted by security researcher Will Strafach, who described it as “very unusual” and said it was “totally unprecedented” that Apple granted permission to the app company. Fellow security researcher Luca Todesco added, “What???? Uber has this? It allows them to record the screen even when app is closed and potentially steal sensitive info.”
The entitlement isn’t commonly granted, and Uber would have had to get direct permission from Apple in order to implement it. “It looks like no other third-party developer has been able to get Apple to grant them a private sensitive entitlement of this nature,” Mr Strafach told Gizmodo. “Considering Uber’s past privacy issues I am very curious how they convinced Apple to allow this.”
According to Uber spokesperson Melanie Ensign, the permission was granted in order for Uber to work better with the Apple Watch.
An Uber spokesperson told The Independent: “This API was only used for a short period of time on an old version of our Apple Watch app. It enabled the app to run the memory-intensive rendering of maps on the iPhone and then send the image to the Watch app.”
“It was never used for any other purpose and has been nonfunctional in our code for quite some time. The memory limitation of Apple Watch was fixed by subsequent updates in the OS and we’ve issued an update to our app to remove the API completely.”