Uber’s iPhone app has a secret back door to powerful Apple features, allowing the ride-hailing service to potentially record a user’s screen and access other personal information without their knowledge. This access to special iPhone functions — which are so powerful that Apple almost always keeps them off-limits to outside companies — is not disclosed in any consumer-facing information included with Uber’s app. Although there is no evidence that Uber used its access to take advantage of the iPhone features, the revelation that the app has access to privileged Apple code raises important questions for a company already under investigation for other controversial business practices.
Uber told Business Insider the code was not being used and was essentially a vestige of an earlier version of its Apple Watch app. However, it has set off alarm bells among experts.

“Granting such a sensitive entitlement to a third party is unprecedented, as far as I can tell — no other app developers have been able to convince Apple to grant them entitlements they’ve needed to let their apps utilise certain privileged system functionality,” Will Strafach, a security researcher who discovered the situation, told Business Insider.

Nearly every iPhone app uses what is called an “entitlement” — basically, a key embedded in the app’s code signature that switches on features like the camera or Apple Pay on iPhones and iPads. Most of these can be easily found and turned on by outside app developers. But there are certain entitlements used only by Apple, giving the company’s software tight integration with the iPhone. These have names that start with “com.apple.private,” and they are considered so sensitive that any third-party app found using them is rejected from the App Store.

After digging around in the code of Uber’s app, Strafach discovered it used an entitlement called “com.apple.private.allow-explicit-graphics-priority.”

“It is very odd to see Uber as the only app (I checked tens of thousands of other apps using my company’s internal data set derived from the App Store) besides Apple’s own apps granted access to this sensitive entitlement,” Strafach said in an email.
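The check Strafach describes can be reproduced on any app bundle: the entitlements are a property list embedded in the binary’s code signature, and a private one is recognisable by its reserved prefix. The following Python script is an added example written for this page, not code from the article, from Strafach’s company or from Uber. It assumes the entitlements plist has already been dumped to bytes, for example with `codesign -d --entitlements :- Payload/App.app` on macOS; the two sample plists, the `TEAMID` placeholder and the `com.example.*` bundle identifiers are constructed for the demonstration, and the only real-world value in them is the entitlement named above.

```python
"""Flag private Apple entitlements in an iOS app's entitlements plist.

Added example, not code from the article or from Uber/Apple. It takes the
entitlements plist that `codesign -d --entitlements :- Payload/App.app`
prints on macOS (or that ldid/jtool dump) and reports every key whose
name starts with the reserved "com.apple.private." prefix.
"""
from __future__ import annotations

import plistlib

# Reserved prefix: keys under it are Apple-internal and normally cause
# App Store rejection when a third-party binary carries them.
PRIVATE_PREFIX = "com.apple.private."

# CSMAGIC_EMBEDDED_ENTITLEMENTS. Dumping without the ':' in
# `--entitlements :-` leaves this 8-byte blob header in front of the XML:
# a 4-byte magic followed by a 4-byte big-endian total length.
ENTITLEMENTS_BLOB_MAGIC = b"\xfa\xde\x71\x71"


def strip_blob_header(data: bytes) -> bytes:
    """Return the raw plist, dropping the code-signing blob header if present."""
    if data[:4] == ENTITLEMENTS_BLOB_MAGIC:
        return data[8:]
    return data


def parse_entitlements(data: bytes) -> dict:
    """Parse an entitlements plist (XML or binary) into a dict."""
    return plistlib.loads(strip_blob_header(data))


def private_entitlements(data: bytes) -> list[str]:
    """Return the sorted com.apple.private.* keys present in the plist."""
    ents = parse_entitlements(data)
    return sorted(k for k in ents if k.startswith(PRIVATE_PREFIX))


def scan_apps(apps: dict[str, bytes]) -> dict[str, list[str]]:
    """Scan many apps' entitlement dumps; report only those with private keys."""
    findings: dict[str, list[str]] = {}
    for name, blob in apps.items():
        hits = private_entitlements(blob)
        if hits:
            findings[name] = hits
    return findings


# Constructed sample plists (not real dumps). ORDINARY_APP mimics a normal
# App Store app; SUSPECT_APP carries the entitlement named in the article
# and is wrapped in the blob header to exercise strip_blob_header().
ORDINARY_APP = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>application-identifier</key><string>TEAMID.com.example.ordinary</string>
  <key>get-task-allow</key><false/>
  <key>com.apple.developer.healthkit</key><true/>
  <key>keychain-access-groups</key><array><string>TEAMID.com.example.ordinary</string></array>
</dict></plist>
"""

_SUSPECT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>application-identifier</key><string>TEAMID.com.example.suspect</string>
  <key>get-task-allow</key><false/>
  <key>com.apple.private.allow-explicit-graphics-priority</key><true/>
</dict></plist>
"""
SUSPECT_APP = (
    ENTITLEMENTS_BLOB_MAGIC
    + (8 + len(_SUSPECT_XML)).to_bytes(4, "big")
    + _SUSPECT_XML
)


if __name__ == "__main__":
    sample_set = {"ordinary.app": ORDINARY_APP, "suspect.app": SUSPECT_APP}
    for app, keys in scan_apps(sample_set).items():
        print(f"{app}: private entitlements -> {', '.join(keys)}")
```

Feeding the script every dump from a corpus of App Store binaries gives the kind of sweep Strafach describes; the prefix match is deliberately broad, because the names under `com.apple.private.` are not published, so an allow-list of known keys would miss exactly the ones worth finding.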
Another person said that of the top 200 free apps, no other app used private Apple entitlements.

Uber says Apple gave it permission to use the private entitlement and that it used it for an earlier version of its Apple Watch app to render maps on the iPhone. “Apple gave us this permission because early versions of Apple Watch were unable to adequately handle the level of map rendering in the Uber app,” an Uber representative, Melanie Ensign, told Business Insider. “Subsequent updates to Apple Watch and our app removed this dependency, and we’re working with Apple to remove the API completely.”

Lots of other iOS developers would like special access to private Apple entitlements for a variety of purposes. The one Uber was using, for example, could be used to record a user’s screen, said Thomas Jansen, the founder of the security research company Crissy Field. “Imagine any app would be able to use an entitlement like that and just record your screen without you knowing,” he said. That’s why Apple doesn’t allow just any company to use private entitlements.

Apple didn’t comment. But one reason Apple may have let Uber use this sensitive piece of code — which most likely would have needed approval from senior management.
Uber has previously been caught violating the rules of the App Store, and it has a history of pushing boundaries when it comes to building software that may break laws or be unethical. After Uber was found to have used internal Apple abilities to tag and track individual iPhones even after they were wiped, the former Uber CEO Travis Kalanick was summoned to Apple’s headquarters. There, Apple CEO Tim Cook scolded him and, in a private meeting with Kalanick, threatened to pull the Uber app from the App Store, The New York Times reported. The meeting reportedly took place in early 2015, around the time Apple launched the Apple Watch.

“I guess there is some kind of extremely special relationship there, considering Apple granted them exclusive access to a privileged IOKit API a little while after they were abusing other unrelated IOKit APIs in violation of the App Store rules (with no repercussions at all),” Strafach said.

The deception apparently didn’t scare Apple. Texts published as part of a lawsuit revealed that Kalanick privately said he continued to meet with Cook — including, supposedly, once in May 2016. Apple became an Uber investor through its investment in the Chinese ride-hailing company Didi Chuxing. In 2016, Didi merged with Uber’s Chinese subsidiary.

Kalanick resigned in June. Uber’s current CEO, Dara Khosrowshahi, has not yet publicly said anything about the $69 billion startup’s relationship with Apple, but he has addressed the company’s culture of rule bending. A recent change to iOS, the software that powers iPhones, allowed Uber users to prevent the app from collecting their location while they weren’t using it.