The iPhone app for ride-sharing company Uber has been allowed by Apple to access and record users' screens, opening a door that would allow it to effectively spy on users.
Uber has said the functionality had a benign purpose and is no longer in use.
The functionality, however, could also be used to capture the user’s screen at any time, even when the app runs in the background.
“Essentially it gives you full control over the framebuffer, which contains the colors of each pixel of your screen. So they can potentially draw or record the screen,” Luca Todesco, a researcher and iPhone jailbreaker, told Gizmodo. “It can potentially steal passwords etc.”
Such capabilities, normally not available to app developers, are called entitlements.
This one, however, seems special.
The code responsible for this functionality was discovered by security researcher Will Strafach, CEO of Sudo Security Group. He said he wasn’t able to find the same functionality granted by Apple to any other app.
At the March 2015 keynote about the Apple Watch, Kevin Lynch, Apple’s vice president of technology, showcased the Uber app, including its ability to show the driver’s location on a map.
Uber stated that the entitlement was only used in the 8.2 version of the Uber app and remains dormant in newer versions, since newer versions of the Apple Watch can process the maps on their own.
Melanie Ensign, Uber spokesperson for security and privacy, told Strafach in a tweet that the entitlement is being removed from the app.