Uber’s ride-sharing app is putting sensitive personal and corporate data at risk, according to research from Appthority. However, Uber says that research is flawed.
The firm pulled no punches, stating that “Uber’s updated and incomplete privacy policies, excessive location tracking and the company’s “moving experience,” make users’ smartphones susceptible to spear phishing and watering hole attacks, physical security exposures, and widespread privacy breaches.”
Among the centerpieces in Appthority’s research is the assertion that Uber has increased the number of services running in the background of its Android app from none in early 2015 to 26 as of its latest release in March 2017. In addition, Appthority said that it found more than 600 third-party apps and services integrating with Uber’s APIs—raising the possibility that the services may be accessing data that is being collected even when the app is not in use, and they may not be following Uber’s privacy policy or handling the data securely.
“Uber’s app and connected convenience apps are a direct threat to personal and corporate data,” said Dr. Su Mon Kywe, Appthority’s lead research scientist on this investigation. “With its latest app and privacy policy updates, Uber has been moving in the direction of asking for more user information but also is not enforcing secure connections or strong privacy policies when accessing or sharing that data. Enterprise security departments should be deeply concerned about Uber’s security practices.”
For its part, an Uber spokesperson said that Appthority is using incomplete information to make conclusions about the way information is shared with developers through the APIs.
“We have strict terms of service for developers who use our APIs,” she told us. “Under this policy, we restrict the kind of information that can be shared with API partners and nothing can be shared without the user's explicit permission through their OAuth implementation. OAuth is an an open protocol and industry standard used by many companies to allow secure authorization with developers. Every app from Facebook to Yelp uses OAuth. However, sensitive Uber location information like pick up or drop off location is never shared.”
Those terms of service also require that any Uber data or data related to developer integration of the Uber API to be encrypted and transmitted over a secure, encrypted channel (e.g., HTTPS).
“Even if an app requests data from Uber's API without HTTPS, we automatically redirect them to HTTPS before our server will respond. That way, the information is always encrypted,” she added.
However, Appthority said that its analysis showed that 84% of the apps using the /estimates/time API and 61% of the apps using the /history API are using unencrypted connections with remote servers. Also, 15 integrated third-party apps are leaking their secret tokens used for communicating with Uber, and the researchers said that newer versions of Uber apps do not enforce HTTPS connections.
Appthority also said that, with the introduction of Uber for Business, organizations should be especially wary of the app.
“Uber has the ability to track the location of all riders, including C-level executives, salespeople, developers and other employees whose whereabouts could signal activities they don’t want revealed,” the firm said. “In addition to collecting location data, the app’s permissions may also enable access to meeting agendas, attendees, and attendees’ contact information. Appthority recommends that users turn off the app’s location services permission and manually enter their pickup location to prevent extended location tracking.”
Uber’s spokesperson however noted, “Uber's enterprise services use different APIs than our consumer services, so none of the APIs in this report affect B2B customers.”