Uber’s iPhone app has a secret backdoor to powerful Apple features, allowing the ride-hailing service to potentially record a user’s screen and access other personal information without their knowledge.
The existence of Uber’s access to special iPhone functions is not disclosed in any consumer-facing information included with Uber’s app, despite giving the company direct access to features so powerful that Apple almost always keeps them off limits to outside companies.
Although there is no evidence that Uber used this access to take advantage of the iPhone features, the revelation of the app’s access to privileged Apple code raises important questions for a company already under investigation for a variety of controversial business practices.
Uber told Business Insider the code was not currently being used and was essentially a vestige from an earlier version of its Apple Watch app, but it set off alarm bells among experts.
“Granting such a sensitive entitlement to a third-party is unprecedented as far as I can tell, no other app developers have been able to convince Apple to grant them entitlements they’ve needed to let their apps utilize certain privileged system functionality,” Will Strafach, a security researcher who discovered the situation, told Business Insider.
Here’s how it works
Nearly every iPhone app uses what is called an “entitlement” — basically a way for software to enable features like the camera or Apple Pay on iPhones and iPads. Most of these can be easily found and officially turned on by outside app developers.
But there are certain entitlements that are only used by Apple, giving the company’s own software tight integration with the iPhone. These bits are marked with names that start with “com.apple.private,” and they are are considered so sensitive that any third-party app found using them is rejected from the App Store.
After digging around in the code for Uber’s app, Strafach discovered that it uses an entitlement called “com.apple.private.allow-explicit-graphics-priority.”
“It is very odd to see Uber as the only app (I checked tens of thousands of other apps using my company’s internal dataset derived from the App Store) besides Apple’s own apps granted access to this sensitive entitlement,” Strafach said in an email. Another person said that no other of the 200 top free apps use private Apple entitlements.
Uber says Apple gave it permission to use the private entitlement, which it used for an earlier version of its Apple Watch app to render maps on the iPhone. The entitlement is not currently being used, Uber says.
“Apple gave us this permission because early versions of Apple Watch were unable to adequately handle the level of map rendering in the Uber app,” Uber representative Melanie Ensign told Business Insider. “Subsequent updates to Apple Watch and our app removed this dependency and we’re working with Apple to remove the API completely.”
Lot of other iOS developers would like special access to private Apple entitlements for both legitimate and illegitimate purposes.
The one Uber was using, for example, could be used to record a user’s screen, Thomas Jansen, founder of security research company Crissy Field said. “Imagine any app would be able to use an entitlement like that and just record your screen without you knowing,” he said. That’s why Apple doesn’t allow just any company to use private entitlements.
Apple didn’t comment. But one reason why Apple may have let Uber use this sensitive piece of code — which likely would have needed to have been approved by senior management — is because the Uber app was demonstrated on-stage when it launched the Apple Watch in 2015 and Uber was a launch app for the Apple Watch.