Uber's Android app discovered to gather and upload tons of data from your phone, "literally malware"
[URL="http://www.cultofmac.com/304401/ubers-android-app-literally-malware/"]Uber's data-sucking Android app is dangerously close to malware[/URL]
[QUOTE]Uber has been sideswiped by a ridiculous number of controversies lately, but things are about to get even worse for the ride-sharing service. A security researcher just reverse-engineered the code of Uber's Android app and made a startling discovery: It's "literally malware."
Digging into the app's code, [URL="http://www.gironsec.com/blog/2014/11/what-the-hell-uber-uncool-bro/"]GironSec discovered the Uber app "calls home" and sends private data back to Uber[/URL]. This isn't typical app data, though. Uber is sending back users' entire SMSLog even though the app never requests permission. It also sends call history, Wi-Fi connections used, GPS locations and every type of device ID possible.
The app even checks your neighbor's Wi-Fi and sends back info on the router's capabilities, frequency and SSID.
Here's the full list of all the data Uber is collecting and sending through its Android app (we're checking to see if the iOS version works the same way):
- Accounts log
- App Activity
- App Data Usage
- App Install
- Battery
- Device Info
- GPS
- MMS
- NetData
- PhoneCall
- SMS
- TelephonyInfo
- WifiConnection
- WifiNeighbors
- Root Check
- Malware Info[/QUOTE]
[I]In the interest of not copying the whole article/large chunks of it, I omitted the parenthetical explanations for what specific things each permission does. Click through to the article to see them.[/I]
From GironSec's post:
[QUOTE] I especially liked the 'hasHeartbleedVulnerability()' method. Why do they want to know that? Later exploitation?[/QUOTE]
Uber checks to see if your phone's memory can be attacked.
[URL="http://www.forbes.com/sites/benkepes/2014/11/26/is-this-the-final-straw-ubers-android-application-literally-malware/"]Forbes wrote an article and included Uber's response to their article:[/URL]
[QUOTE]Access to permissions including Wifi networks and camera are included so that users can experience full functionality of the Uber app. This is not unique to Uber, and downloading the Uber app is of course optional. For additional details on Android permissions, please see: [url]https://m.uber.com/android-permissions[/url].[/QUOTE]
The permissions page doesn't cover even a third of what the app actually does. In other words, Uber's response can be summarized as *wanking motion*
watch as uber cars crashes and burns
Google is going to be so pissed since they have specific permissions that all Android apps are supposed to disclose, and if Uber isn't being open about them AND at the same time somehow deceiving both the Play Store and the Android OS, shit's going to blow up.
[QUOTE=Ruski v2.0;46583240]watch as uber cars crashes and burns[/QUOTE]
[del]Just like most of their previous releases![/del] fuck wrong uber
[QUOTE=wickedplayer494;46583289]Google is going to be so pissed since they have specific permissions that all Android apps are supposed to disclose, and if Uber isn't being open about them AND at the same time somehow deceiving both the Play Store and the Android OS, shit's going to blow up.[/QUOTE]
I always figured that Android permissions were kinda automatically detected
So do we know if it actually calls this and sends them away? Do we know if it even was Uber that wrote this code, or if it's from Android?
[code]public void sendAllLogs(String paramString)
{
    String str1 = getInstance().getServerURL();
    String str2 = getInstance().getAccountGUID();
    if ((!(InAuthUtilities.isConnected())) || (!(getInstance().isInitialized())))
        return;
    Executors.newSingleThreadExecutor().execute(new Runnable(str1, str2, paramString)
    {
        public void run()
        {
            Looper.prepare();
            InAuthManager.getInstance().updateLogConfig(this.val$URL, this.val$acctGUID);
            InAuthManager.getInstance().sendAccountsLog(this.val$transID);
            InAuthManager.getInstance().sendAppActivityLog(this.val$transID);
            InAuthManager.getInstance().sendAppDataUsageLog(this.val$transID);
            InAuthManager.getInstance().sendAppInstallLog(this.val$transID);
            InAuthManager.getInstance().sendBatteryLog(this.val$transID);
            InAuthManager.getInstance().sendDeviceInfoLog(this.val$transID, true);
            InAuthManager.getInstance().sendGPSLog(this.val$transID, true);
            InAuthManager.getInstance().sendMMSLog(this.val$transID);
            InAuthManager.getInstance().sendNetDataLog(this.val$transID);
            InAuthManager.getInstance().sendPhoneCallLog(this.val$transID);
            InAuthManager.getInstance().sendSMSLog(this.val$transID);
            InAuthManager.getInstance().sendTelephonyInfoLog(this.val$transID, true);
            InAuthManager.getInstance().sendWifiConnectionLog(this.val$transID);
            InAuthManager.getInstance().sendWifiNeighborsLog(this.val$transID);
        }
    });
}[/code]
I mean it seems he has a bunch of files, why doesn't he show when the above is executed.
[QUOTE=Swebonny;46583343]So do we know if it actually calls this and sends them away? Do we know if it even was Uber that wrote this code, or if it's from Android?
[code]public void sendAllLogs(String paramString)
{
    String str1 = getInstance().getServerURL();
    String str2 = getInstance().getAccountGUID();
    if ((!(InAuthUtilities.isConnected())) || (!(getInstance().isInitialized())))
        return;
    Executors.newSingleThreadExecutor().execute(new Runnable(str1, str2, paramString)
    {
        public void run()
        {
            Looper.prepare();
            InAuthManager.getInstance().updateLogConfig(this.val$URL, this.val$acctGUID);
            InAuthManager.getInstance().sendAccountsLog(this.val$transID);
            InAuthManager.getInstance().sendAppActivityLog(this.val$transID);
            InAuthManager.getInstance().sendAppDataUsageLog(this.val$transID);
            InAuthManager.getInstance().sendAppInstallLog(this.val$transID);
            InAuthManager.getInstance().sendBatteryLog(this.val$transID);
            InAuthManager.getInstance().sendDeviceInfoLog(this.val$transID, true);
            InAuthManager.getInstance().sendGPSLog(this.val$transID, true);
            InAuthManager.getInstance().sendMMSLog(this.val$transID);
            InAuthManager.getInstance().sendNetDataLog(this.val$transID);
            InAuthManager.getInstance().sendPhoneCallLog(this.val$transID);
            InAuthManager.getInstance().sendSMSLog(this.val$transID);
            InAuthManager.getInstance().sendTelephonyInfoLog(this.val$transID, true);
            InAuthManager.getInstance().sendWifiConnectionLog(this.val$transID);
            InAuthManager.getInstance().sendWifiNeighborsLog(this.val$transID);
        }
    });
}[/code]
I mean it seems he has a bunch of files, why doesn't he show when the above is executed.[/QUOTE]
From the original blog post.
[QUOTE]Like I said before, there’s a lot of data here to go through. Maybe Uber evil. Maybe Uber isn’t sending a bunch of data off to their collection servers for harvesting. Maybe I’m just paranoid.
Stay tuned for my next post, it's gonna be good.[/QUOTE]
As always, journalism jumps the gun for linkbait headlines. However, he's not finished going through the whole app.
However, there's also the odd reference to Stericson's roottools.
It's possible that this is just debug code left in, and may or may not even be used, but the fact that it's got references to sending tons of things it doesn't ask permission for or have any apparent need to know is concerning.
anyone know of any better cab apps to use instead?
[QUOTE=noh_mercy;46583519]anyone know of any better cab apps to use instead?[/QUOTE]
I've heard good things about Lyft, but it just seems like there's something with cab companies, traditional and non-traditional, that breeds corruption and general shittiness.
fearmongering bullshit
just because a library has a function doesn't mean it's used
snip, saw the problem. Even though some of it could be used for totally legit purposes it's clear that it's totally not.
Why can't we live in a society where we don't try to spy on and murder each other at every corner.
[QUOTE=Elecbullet;46583332]I always figured that Android permissions were kinda automatically detected[/QUOTE]
Nah, you have to manually specify them, but if you don't specify a permission the app shouldn't be able to use the functionality at all. So either Uber isn't harvesting this info, or it's doing it in such a way to work around the restrictions Android puts in place.
[QUOTE=TheDecryptor;46583784]Nah, you have to manually specify them, but if you don't specify a permission the app shouldn't be able to use the functionality at all. So either Uber isn't harvesting this info, or it's doing it in such a way to work around the restrictions Android puts in place.[/QUOTE]
Yeah, that's something I had in mind. Though I have no idea about anything about Android's inner workings, I assumed that "This app needs access to..." was more than just a sticker.
[QUOTE=Elecbullet;46583948]Yeah, that's something I had in mind. Though I have no idea about anything about Android's inner workings, I assumed that "This app needs access to..." was more than just a sticker.[/QUOTE]
Yeah, you actually can't even compile the code if you don't have the right permissions IIRC.
[QUOTE=Medevila;46583982]From their site:
[editline]27th November 2014[/editline]
as for detecting root,[/QUOTE]
Assuming this is true, it's still pretty fucking shitty for them to be doing this without informing you and asking permission first.
[QUOTE=Ruski v2.0;46583240]watch as uber cars crashes and burns[/QUOTE]
please no. :(
[sp]Okay, I'll stop doing that.[/sp]
[QUOTE=Swebonny;46583343]So do we know if it actually calls this and sends them away? Do we know if it even was Uber that wrote this code, or if it's from Android?
[code]public void sendAllLogs(String paramString)
{
    String str1 = getInstance().getServerURL();
    String str2 = getInstance().getAccountGUID();
    if ((!(InAuthUtilities.isConnected())) || (!(getInstance().isInitialized())))
        return;
    Executors.newSingleThreadExecutor().execute(new Runnable(str1, str2, paramString)
    {
        public void run()
        {
            Looper.prepare();
            InAuthManager.getInstance().updateLogConfig(this.val$URL, this.val$acctGUID);
            InAuthManager.getInstance().sendAccountsLog(this.val$transID);
            InAuthManager.getInstance().sendAppActivityLog(this.val$transID);
            InAuthManager.getInstance().sendAppDataUsageLog(this.val$transID);
            InAuthManager.getInstance().sendAppInstallLog(this.val$transID);
            InAuthManager.getInstance().sendBatteryLog(this.val$transID);
            InAuthManager.getInstance().sendDeviceInfoLog(this.val$transID, true);
            InAuthManager.getInstance().sendGPSLog(this.val$transID, true);
            InAuthManager.getInstance().sendMMSLog(this.val$transID);
            InAuthManager.getInstance().sendNetDataLog(this.val$transID);
            InAuthManager.getInstance().sendPhoneCallLog(this.val$transID);
            InAuthManager.getInstance().sendSMSLog(this.val$transID);
            InAuthManager.getInstance().sendTelephonyInfoLog(this.val$transID, true);
            InAuthManager.getInstance().sendWifiConnectionLog(this.val$transID);
            InAuthManager.getInstance().sendWifiNeighborsLog(this.val$transID);
        }
    });
}[/code]
I mean it seems he has a bunch of files, why doesn't he show when the above is executed.[/QUOTE]
There's no report of the method being called, and it's supposedly part of an external library that Uber included. It doesn't make it less excusable in my opinion, tho.
[QUOTE=Medevila;46583982]From their site:
[editline]27th November 2014[/editline]
as for detecting root,[/QUOTE]
You can spoof GPS location with one developer option ticked. You don't need root
[QUOTE=Sam Za Nemesis;46585689]Besides android has a call to detect mocked locations[/QUOTE]
Which you can most likely avoid returning a true result if you root.
[editline]28th November 2014[/editline]
It might be time for Uber to split the driver and customer app now.
[QUOTE=BuffaloBill;46585060]Assuming this is true, it's still pretty fucking shitty for them to be doing this without informing you and asking permission first.[/QUOTE]
All Android apps show you what permissions they require when you install them. They do inform you.
you should be able to turn off individual permissions on android apps
[QUOTE=Sam Za Nemesis;46585689]Besides android has a call to detect mocked locations[/QUOTE]
"Android has <x> to prevent <y>" is totally null and void if it's rooted because they could have altered just about anything about the phone, really
Man, they really went downhill after SMNC.
They updated the article saying that Google requires all this stuff. I can't tell if that's real or they're trying to offload their bullshit on Google.
[QUOTE=Elecbullet;46583332]I always figured that Android permissions were kinda automatically detected[/QUOTE]
Yeah afaik the developer needs to specify the permissions they need in an xml file, otherwise they just won't be able to use those functionalities.
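Added example (not part of any post in this thread, and not code from the app or its library): a static cross-check of the point made in the replies about manifest permissions, comparing the collectors named in the `sendAllLogs` listing against the permissions a manifest declares. The permission mapping and the sample manifest are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Assumed permission per collector, inferred from its name only.
REQUIRED = {
    "sendAccountsLog": {P + "GET_ACCOUNTS"},
    "sendBatteryLog": set(),  # battery level needs no permission
    "sendGPSLog": {P + "ACCESS_FINE_LOCATION"},
    "sendPhoneCallLog": {P + "READ_CALL_LOG"},
    "sendSMSLog": {P + "READ_SMS"},
    "sendWifiNeighborsLog": {P + "ACCESS_WIFI_STATE"},
}

# Constructed manifest for illustration, NOT the real app's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
</manifest>"""

# Calls copied from the sendAllLogs listing posted in the thread.
SAMPLE_SOURCE = """
InAuthManager.getInstance().sendAccountsLog(this.val$transID);
InAuthManager.getInstance().sendAppInstallLog(this.val$transID);
InAuthManager.getInstance().sendBatteryLog(this.val$transID);
InAuthManager.getInstance().sendGPSLog(this.val$transID, true);
InAuthManager.getInstance().sendPhoneCallLog(this.val$transID);
InAuthManager.getInstance().sendSMSLog(this.val$transID);
InAuthManager.getInstance().sendWifiNeighborsLog(this.val$transID);
"""

def declared_permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def referenced_collectors(source):
    return sorted(set(re.findall(r"\.(send\w+Log)\(", source)))

def audit(manifest_xml, source):
    """Collector -> missing permissions; [] = could run, None = unmapped."""
    granted = declared_permissions(manifest_xml)
    return {n: sorted(REQUIRED[n] - granted) if n in REQUIRED else None
            for n in referenced_collectors(source)}

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, SAMPLE_SOURCE))
```

A collector with a non-empty list is present in the code but would be refused by the platform if it ran, which is the difference between "the library contains it" and "the app can do it".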
he edited his post, but this guy doesn't know shit about anything. he originally said that PUT and DELETE were not valid HTTP requests and somehow has never heard of what a RESTful API is.
sup nerds, I was right
this is the only data uber app sends (sourced from here [url]http://thenextweb.com/apps/2014/11/27/ubers-app-malware-despite-may-read/[/url])
[IMG]http://cdn1.tnwcdn.com/wp-content/blogs.dir/1/files/2014/11/Screen_Shot_2014-11-27_at_4_33_50_pm.png[/IMG]
[IMG]http://cdn1.tnwcdn.com/wp-content/blogs.dir/1/files/2014/11/Screen_Shot_2014-11-27_at_4_47_19_pm.png[/IMG]