How Uber Violated Apple Policy (and Our Trust)


Uber offices in San Francisco.

As detailed in a recent profile in The New York Times, Apple CEO Tim Cook once took Uber CEO Travis Kalanick to task over the Uber app’s ability to track users via sketchy means. Now we know how his company might have done it.

It all revolves around IOKit, a private framework that allows access to a device’s hardware and software capabilities. It’s essentially the iOS equivalent of root access (without jailbreaking). It’s also not something that Apple, valuing user privacy, condones; the company wants apps operating in a sandboxed environment.

This is where geofencing comes into play. Uber set up a geofence around Apple headquarters in Cupertino, California, so that Apple's reviewers couldn't tell the Uber app was making private API calls; in Cupertino, it wasn't. That's essentially how the app, despite accessing explicitly prohibited private APIs, passed app review and made its way onto your phone. (It's something Apple would easily have caught otherwise.)

In a tweet, security researcher Will Strafach revealed that a 2014 version of the Uber app was using IOKit to “access registry entries.” His teardown of the app's binary also shows entries such as “IORegistryGetRootEntry” and “serial_number,” hammering home that it was pulling identifiable device metadata. It's important to note that Uber wasn't “tracking” users per se; nor was it able to monitor users who had deleted the app.

This Apple controversy dovetails with Uber’s purchase of data from unroll.me, an email service that bills itself as a means to tidy up your inbox by turning not-quite-spam-but-still-not-necessary emails into a daily newsletter. Uber was buying anonymized data concerning rival Lyft’s communications with users, which the Times says Uber used as a barometer of Lyft’s corporate health.

Using IOKit essentially breaks every Apple rule concerning development, which has some upset over Cook’s treatment of Uber. Other developers have suffered far worse punishments for less offensive behavior. Uber’s ‘loophole’ doesn’t work on iOS 10 (Strafach believes it was patched in iOS 8 or 9), so it’s not something anyone can reproduce, but the underlying idea is still troubling. At its worst, Uber was taking drastic means to track phones that had the Uber app installed at some point. At best, it’s a really aggressive and stupid way to find how many users you really have and conduct reconnaissance on the competition.

Buying anonymized data isn’t breaking rules, unless you count good faith as a rule. If so, Uber and unroll.me’s parent company, Slice, are guilty. And maybe Apple, too, for allowing an app that violated its rules to continue its existence in the App Store.

Comments

One Response to “How Uber Violated Apple Policy (and Our Trust)”

May 26, 2017 at 9:41 am, Andrew Fedder said:

I would have been happy to read the article about Uber and Apple, but when I opened the article on my phone I saw the light grey text on the white background was barely readable. This could have been a brilliant article, but I’ll never know, because I had such problems seeing the text that reading this would have given me a headache. Even typing this comment on your article is difficult. In the future, do some research about color schemes and contrast if you’re interested in people reading your articles.
