Uber’s ride-sharing app is putting sensitive personal and corporate data at risk, according to research from Appthority. However, Uber says that research is flawed.
The firm pulled no punches, stating that “Uber’s updated and incomplete privacy policies, excessive location tracking and the company’s “moving experience,” make users’ smartphones susceptible to spear phishing and watering hole attacks, physical security exposures, and widespread privacy breaches.”
For its part, an Uber spokesperson said that Appthority is using incomplete information to make conclusions about the way information is shared with developers through the APIs.
“We have strict terms of service for developers who use our APIs,” she told us. “Under this policy, we restrict the kind of information that can be shared with API partners and nothing can be shared without the user's explicit permission through their OAuth implementation. OAuth is an an open protocol and industry standard used by many companies to allow secure authorization with developers. Every app from Facebook to Yelp uses OAuth. However, sensitive Uber location information like pick up or drop off location is never shared.”
Those terms of service also require that any Uber data or data related to developer integration of the Uber API to be encrypted and transmitted over a secure, encrypted channel (e.g., HTTPS).
“Even if an app requests data from Uber's API without HTTPS, we automatically redirect them to HTTPS before our server will respond. That way, the information is always encrypted,” she added.
However, Appthority said that its analysis showed that 84% of the apps using the /estimates/time API and 61% of the apps using the /history API are using unencrypted connections with remote servers. Also, 15 integrated third-party apps are leaking their secret tokens used for communicating with Uber, and the researchers said that newer versions of Uber apps do not enforce HTTPS connections.
Appthority also said that, with the introduction of Uber for Business, organizations should be especially wary of the app.
“Uber has the ability to track the location of all riders, including C-level executives, salespeople, developers and other employees whose whereabouts could signal activities they don’t want revealed,” the firm said. “In addition to collecting location data, the app’s permissions may also enable access to meeting agendas, attendees, and attendees’ contact information. Appthority recommends that users turn off the app’s location services permission and manually enter their pickup location to prevent extended location tracking.”
Uber’s spokesperson however noted, “Uber's enterprise services use different APIs than our consumer services, so none of the APIs in this report affect B2B customers.”