Uber’s data-sucking Android app is dangerously close to malware [updated]

BY BUSTER HEIN • 11:22 AM, NOVEMBER 26, 2014

Uber has been sideswiped by a ridiculous number of controversies lately, but things are about to get even worse for the ride-sharing service. A security researcher just reverse-engineered the code of Uber’s Android app and made a startling discovery: It’s “literally malware.”

Digging into the app’s code, GironSec discovered the Uber app “calls home” and sends data back to Uber. This isn’t typical app data, though. Uber has access to users’ entire SMS log even though the app never requests permission. It also accesses call history, Wi-Fi connections used, GPS locations and every type of device ID possible.

The app even checks your neighbor’s Wi-Fi and retrieves info on the router’s capabilities, frequency and SSID. News of the app’s vulnerability was first posted on Hacker News with the charming intro, “TLDR: Uber’s Android app is literally malware.” One developer commenting on the revelation said there isn’t “any reason for Google not to immediately remove this app from the store permanently and ban whatever developer uploaded it. There should probably be legal action.”

Here’s the full list of all the data Uber is collecting through its Android app (we’re checking to see if the iOS version works the same way):

– Accounts log (Email)
– App Activity (Name, PackageName, Process Number of activity, Processed id)
– App Data Usage (Cache size, code size, data size, name, package name)
– App Install (installed at, name, package name, unknown sources enabled, version code, version name)
– Battery (health, level, plugged, present, scale, status, technology, temperature, voltage)
– Device Info (board, brand, build version, cell number, device, device type, display, fingerprint, IP, MAC address, manufacturer, model, OS platform, product, SDK code, total disk space, unknown sources enabled)
– GPS (accuracy, altitude, latitude, longitude, provider, speed)
– MMS (from number, MMS at, MMS type, service number, to number)
– NetData (bytes received, bytes sent, connection type, interface type)
– PhoneCall (call duration, called at, from number, phone call type, to number)
– SMS (from number, service number, SMS at, SMS type, to number)
– TelephonyInfo (cell tower ID, cell tower latitude, cell tower longitude, IMEI, ISO country code, local area code, MEID, mobile country code, mobile network code, network name, network type, phone type, SIM serial number, SIM state, subscriber ID)
– WifiConnection (BSSID, IP, linkspeed, MAC addr, network ID, RSSI, SSID)
– WifiNeighbors (BSSID, capabilities, frequency, level, SSID)
– Root Check (root status code, root status reason code, root version, sig file version)
– Malware Info (algorithm confidence, app list, found malware, malware SDK version, package list, reason code, service list, sigfile version)
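A check a defender can run against any APK, not just the one discussed here: decode the app's AndroidManifest.xml (apktool does this), collect the `<uses-permission>` entries, and map them onto the data categories in the list above to see which of them the app is entitled to read and which requested permissions go beyond what its features justify. The script below is an added example, not code from the article or from GironSec's analysis; the manifest excerpt is constructed for illustration and is not Uber's real manifest, and the category-to-permission grouping is ours (the permission names themselves are the standard `android.permission.*` constants).

```python
"""Audit an Android manifest's requested permissions against the data
categories listed above.  Added example: the manifest is constructed,
the category grouping is ours; permission names are real constants."""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Data category (as named in the list above) -> permissions that gate it.
# Categories with an empty set need no permission at all on the Android
# of that era (battery state, installed-package list), so any app gets them.
CATEGORY_PERMISSIONS: dict[str, set[str]] = {
    "Accounts log":   {"android.permission.GET_ACCOUNTS"},
    "GPS":            {"android.permission.ACCESS_FINE_LOCATION",
                       "android.permission.ACCESS_COARSE_LOCATION"},
    "SMS":            {"android.permission.READ_SMS"},
    "MMS":            {"android.permission.READ_SMS"},
    "PhoneCall":      {"android.permission.READ_CALL_LOG"},
    "TelephonyInfo":  {"android.permission.READ_PHONE_STATE"},
    "WifiConnection": {"android.permission.ACCESS_WIFI_STATE"},
    "WifiNeighbors":  {"android.permission.ACCESS_WIFI_STATE"},
    "NetData":        {"android.permission.ACCESS_NETWORK_STATE"},
    "Battery":        set(),
    "App Install":    set(),
}

# Constructed sample manifest (hypothetical package name, not a real app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rideshare">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
</manifest>
"""

# Permissions a ride-hailing app's visible features plausibly justify
# (assumption for the audit: map display, pickup location, connectivity).
JUSTIFIED_BY_FEATURES = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_NETWORK_STATE",
}


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return the android:name of every <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def exposed_categories(perms: set[str]) -> set[str]:
    """Data categories the app can read: ungated ones, plus any whose
    gating permission set intersects the requested permissions."""
    return {cat for cat, needed in CATEGORY_PERMISSIONS.items()
            if not needed or needed & perms}


def excess_permissions(perms: set[str], justified: set[str]) -> set[str]:
    """Requested permissions not explained by the app's features."""
    return perms - justified


def audit(manifest_xml: str, justified: set[str]) -> dict[str, set[str]]:
    perms = requested_permissions(manifest_xml)
    return {
        "requested": perms,
        "exposed": exposed_categories(perms),
        "excess": excess_permissions(perms, justified),
    }


if __name__ == "__main__":
    for key, values in audit(SAMPLE_MANIFEST, JUSTIFIED_BY_FEATURES).items():
        print(f"{key}:")
        for v in sorted(values):
            print(f"  {v}")
```

Run against a decoded manifest, the "excess" set is the starting list for the question the article raises: which of these permissions does the app's visible functionality actually need? The mapping deliberately reflects the pre-runtime-permission Android model the article describes, where every listed permission is granted at install time.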

Uber might have a legitimate reason to use most of this info in the app, perhaps for fraud detection or an intelligence-gathering tool. The problem is that the information is being sent and collected by Uber’s servers without users’ knowledge or permission.

Sen. Al Franken sent a letter to Uber CEO Travis Kalanick last week demanding the company account to the public for its data gathering. The letter came as a response to a recent controversy where an Uber executive threatened to spy on and blackmail journalists who wrote unfavorable articles about the company. Uber’s “God View” tool, which gives company insiders unlimited access to riders’ data, has also been a cause of concern in recent weeks.

Cult of Mac asked Uber for comment on the collection and transmission of the data its Android and iOS apps are performing, but has not received a response.

Update: Uber has provided some clarification of the company’s data gathering, noting that the blanket access is actually a requirement from Google, which forces Android developers to ask for privacy permissions up front.

Uber spokeswoman Lara Sasken released the following statement to Cult of Mac:

“Access to permissions including Wifi networks and camera are included so that users can experience full functionality of the Uber app. This is not unique to Uber, and downloading the Uber app is of course optional.”

Recode notes that Uber competitor Lyft requests access to the same data on Android. Unlike their iOS and Windows counterparts, Android developers are encouraged to request access to more user data than their apps actually need. The Uber app on Android exposes some of the mobile operating system’s weaknesses in privacy compared to iOS and Windows, both of which allow users to refuse access to data on a case-by-case basis.

Additional information on Android permissions can be found on Uber’s site here, but not every feature is explained.

Source: GironSec

http://www.cultofmac.com/304401/ubers-android-app-literally-malware/