Uber removing private iOS API that allowed them to record your display

Uber’s head of security communications has today announced that the company is removing access from its iOS app that may have allowed the company to record a user’s display unknowingly. Security researchers had noticed that Uber was given access to these private APIs by Apple, an unprecedented move from the security focused company.

Author Ad Placeholder
Will only appear on redesign env.

Within iOS, application developers use entitlements to gain access to different APIs. For example, usage of iCloud and Apple Pay APIs require specific entitlements within an application.

The idea behind using entitlements is that iOS applications only have access to what they absolutely need. As Apple puts it, “By carefully enabling only the resource access that you need, you minimize the potential for damage if malicious code successfully exploits your app.”

This is where Uber’s iOS app raised a few eyebrows. APIs, and as a result entitlements, are separated into public and private usage. Private APIs may not be used in apps that are submitted to the App Store. Uber’s API that could technically allow them to record a device’s display was locked away behind a private entitlement.

Melanie Ensign, Security and Privacy communications at Uber, told Will Strafach on Twitter that the entitlement would be removed. According to Ensign, the API was used back when watchOS apps couldn’t handle map rendering. From a technical perspective, the APIs may have allowed Uber to capture what was seen on the iOS app’s display and then push it to the watchOS app.

Strafach asked Ensign how Uber was granted access to this entitlement in the first place. Being a private entitlement, no applications should have this access. In his own researched dataset, he discovered only Uber and Apple’s own apps had this private access. Strafach mentioned that Apple had to have granted this entitlement to Uber.

Being granted this level of access is especially interesting in light of Apple and Uber’s history. Earlier this year, it was reported that Tim Cook had threatened to pull Uber from the App Store over allegations of tracking users.

Check out 9to5Mac on YouTube for more Apple news:

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel