Firm Accuses Uber App of Being a Privacy Nightmare

[Exterminator]

Uber’s ride-sharing app is putting sensitive personal and corporate data at risk, according to research from Appthority. However, Uber says that research is flawed.

The firm pulled no punches, stating that “Uber’s updated and incomplete privacy policies, excessive location tracking and the company’s “moving experience,” make users’ smartphones susceptible to spear phishing and watering hole attacks, physical security exposures, and widespread privacy breaches.”

Among the centerpieces in Appthority’s research is the assertion that Uber has increased the number of services running in the background of its Android app from none in early 2015 to 26 as of its latest release in March 2017. In addition, Appthority said that it found more than 600 third-party apps and services integrating with Uber’s APIs—raising the possibility that the services may be accessing data that is being collected even when the app is not in use, and they may not be following Uber’s privacy policy or handling the data securely.

“Uber’s app and connected convenience apps are a direct threat to personal and corporate data,” said Dr. Su Mon Kywe, Appthority’s lead research scientist on this investigation. “With its latest app and privacy policy updates, Uber has been moving in the direction of asking for more user information but also is not enforcing secure connections or strong privacy policies when accessing or sharing that data. Enterprise security departments should be deeply concerned about Uber’s security practices.”

For its part, an Uber spokesperson said that Appthority is using incomplete information to make conclusions about the way information is shared with developers through the APIs.

“We have strict terms of service for developers who use our APIs,” she told us. “Under this policy, we restrict the kind of information that can be shared with API partners and nothing can be shared without the user's explicit permission through their OAuth implementation. OAuth is an an open protocol and industry standard used by many companies to allow secure authorization with developers. Every app from Facebook to Yelp uses OAuth. However, sensitive Uber location information like pick up or drop off location is never shared.”

Those terms of service also require that any Uber data or data related to developer integration of the Uber API to be encrypted and transmitted over a secure, encrypted channel (e.g., HTTPS).

“Even if an app requests data from Uber's API without HTTPS, we automatically redirect them to HTTPS before our server will respond. That way, the information is always encrypted,” she added.

However, Appthority said that its analysis showed that 84% of the apps using the /estimates/time API and 61% of the apps using the /history API are using unencrypted connections with remote servers. Also, 15 integrated third-party apps are leaking their secret tokens used for communicating with Uber, and the researchers said that newer versions of Uber apps do not enforce HTTPS connections.

Appthority also said that, with the introduction of Uber for Business, organizations should be especially wary of the app.

“Uber has the ability to track the location of all riders, including C-level executives, salespeople, developers and other employees whose whereabouts could signal activities they don’t want revealed,” the firm said. “In addition to collecting location data, the app’s permissions may also enable access to meeting agendas, attendees, and attendees’ contact information. Appthority recommends that users turn off the app’s location services permission and manually enter their pickup location to prevent extended location tracking.”

Uber’s spokesperson however noted, “Uber's enterprise services use different APIs than our consumer services, so none of the APIs in this report affect B2B customers.”

 

[Bot]

Somewhere in the supply chain of some Android phones that reached two companies, there was a weak link which allowed 38 devices to become infected with malware.

According to Check Point Software Technologies, several malware types were found on 38 Android devices that landed on the doorstep of two unidentified companies. The malicious apps weren't part of the official ROM firmware supplied by phone manufacturers but were added later, somewhere along the supply chain.

Researchers say that in six of the cases, malware was present installed to the ROM using system privileges. All these devices had to go through a complete install of the firmware in order for the malware to be removed.

While details were not given about the full extent of the attack, it seems that most malicious apps were trying to steal people's information, while also trying to get them to tap on various ads.

"Loki" malware was found on the devices, a malicious program looking to gain system privileges, while ransomware "Slocker" was discovered on others, using the Tor network to hide the identity of the operators.

A wide range of attacked devices
As mentioned, there were 38 devices affected, and while they all operate with Android, they're not the same. The infected devices list includes Galaxy Note 2, LG G4, Galaxy S7, Galaxy Note 4, Galaxy Note 5, Galaxy Note 8, Galaxy A5, Xiaomi Mi 4i, ZTE x500, Galaxy Note 3, Galaxy Note Edge, Galaxy Tab S2, Galaxy Tab 2, Oppo N3, Asus Zenfone 2, viva X6 plus, Lenovo S90, Oppo R7 plus, Xiaomi Redmi and Lenovo A850.

Read more: Preinstalled Malware Found on 38 Android Devices Delivered to Two Companies

 

[larry goes to church]

This is a good point to bring up.

As our phones carry ALL of our personal data it may be repentant to wipe the phone clean and load a clean ROM onto the device.
Oddly enough i was literally having a conversation about this exact topic days ago with a colleague of mine.

 

[Tinm]

A compromised phone is much more dangerous than a compromised PC.