Kate Conger, Gizmodo:
To improve functionality between Uber’s app and the Apple Watch, Apple allowed Uber to use a powerful tool that could record a user’s iPhone screen, even if Uber’s app was only running in the background, security researchers told Gizmodo. After the researchers discovered the tool, Uber said it is no longer in use and will be removed from the app.
The screen recording capability comes from what’s called an “entitlement” — a bit of code that app developers can use for anything from setting up push notifications to interacting with Apple systems like iCloud or Apple Pay. This particular entitlement, however, was intended to improve memory management for the Apple Watch. The entitlement isn’t common and would require Apple’s explicit permission to use, the researchers explained. Will Strafach, a security researcher and CEO of Sudo Security Group, said he couldn’t find any other apps with the entitlement live on the App Store.
The Gizmodo story acknowledges later that this entitlement could have been sandboxed to function only within Uber’s app — though Apple wouldn’t say one way or another — and Uber said that it was only live for a single version of the app to make the Apple Watch app run more smoothly. Even so, given Uber’s outrageous history of violations of privacy and basic decency, it seems quite risky to me for Apple to have granted Uber’s app this entitlement. I’m sure precautions were taken, but I cannot imagine any other developer having this kind of influence, particularly an indie developer or one with such a poor track record.