Thursday, November 27, 2014

Uber's Android app caught reporting data back without permission

November 26, 2014     http://www.gizmag.com/uber-app-malware-android/34962/


Uber's Android app is acting like malware, reporting personal data back to the company that it doesn't have permissions for
Security researcher GironSec has pulled Uber's Android app apart and discovered that it's sending a huge amount of personal data back to base – including your call logs, what apps you've got installed, whether your phone is vulnerable to certain malware, whether your phone is rooted, and your SMS and MMS logs, which it explicitly doesn't have permission to do. It's the latest in a series of big-time missteps for a company whose core business model is, frankly, illegal in most of its markets as well.
Taxi-busting ride share app Uber might have an operating model that suits customers better than traditional, regulated taxi services – but the company's aggressively disruptive (and frequently illegal) business practices don't seem to stop at harming the taxi industry.
Its vicious attacks on competitors have included ordering and cancelling more than five and a half thousand rides through its chief competitor Lyft. Its senior Vice President of Business, Emil Michael, casually mentioned at a dinner that maybe Uber could start digging up personal dirt on journalists critical of the company.
These kinds of stories, of course, should be taken with a grain of salt – they're certainly very beneficial to competing services like Lyft.
But there doesn't seem to be a lot of grey area in these latest revelations that Uber is collecting a stack of personal data from users who have its Android app installed, including SMS data that its permissions list doesn't allow.
Security researcher GironSec decompiled the code of the Uber Android app and found it to be collecting and sending the following information back to Uber:
  • Accounts log (Email)
  • App Activity (Name, PackageName, Process Number of activity, Processed id)
  • App Data Usage (Cache size, code size, data size, name, package name)
  • App Install (installed at, name, package name, unknown sources enabled, version code, version name)
  • Battery (health, level, plugged, present, scale, status, technology, temperature, voltage)
  • Device Info (board, brand, build version, cell number, device, device type, display, fingerprint, ip, mac address, manufacturer, model, os platform, product, sdk code, total disk space, unknown sources enabled)
  • GPS (accuracy, altitude, latitude, longitude, provider, speed)
  • MMS (from number, mms at, mmss type, service number, to number)
  • NetData (bytes received, bytes sent, connection type, interface type)
  • PhoneCall (call duration, called at, from number, phone call type, to number)
  • SMS (from number, service number, sms at, sms type, to number)
  • TelephonyInfo (cell tower id, cell tower latitude, cell tower longitude, imei, iso country code, local area code, meid, mobile country code, mobile network code, network name, network type, phone type, sim serial number, sim state, subscriber id)
  • WifiConnection (bssid, ip, linkspeed, macaddr, networkid, rssi, ssid)
  • WifiNeighbors (bssid, capabilities, frequency, level, ssid)
  • Root Check (root staus code, root status reason code, root version, sig file version)
  • Malware Info (algorithm confidence, app list, found malware, malware sdk version, package list, reason code, service list, sigfile version)
While some people are suggesting it might be an anti-fraud measure to help Uber detect and combat fake accounts set up by its competitors, the fact remains – collecting data without appropriate permission constitutes malware and compromises users' personal data.
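The article's central technical point is that the data categories found in the decompiled app can be checked against the permissions the app actually declares, and that SMS and call-log data fall outside that list. The script below is an added example, not code from the article or from GironSec's analysis: it parses a constructed AndroidManifest.xml fragment, maps each collection category named above to the Android permission that normally gates that data, and reports the categories for which no covering permission is declared. The category-to-permission map is an assumption based on the public Android permission model of the time (installed-app lists, battery and build info needed no dangerous permission), and the manifest is a constructed sample, not the Uber app's.

```python
"""Audit observed data-collection categories against a declared permission list."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed map from the data categories in the article to the Android permission that
# normally gates that data. Empty set: readable without a dangerous permission on
# 2014-era Android (package list, battery, build properties, root/malware heuristics).
REQUIRED_PERMISSIONS: Dict[str, Set[str]] = {
    "Accounts log": {"android.permission.GET_ACCOUNTS"},
    "App Activity": set(),
    "App Data Usage": set(),
    "App Install": set(),
    "Battery": set(),
    "Device Info": {"android.permission.READ_PHONE_STATE"},
    "GPS": {"android.permission.ACCESS_FINE_LOCATION"},
    "MMS": {"android.permission.READ_SMS"},
    "NetData": {"android.permission.ACCESS_NETWORK_STATE"},
    "PhoneCall": {"android.permission.READ_CALL_LOG"},
    "SMS": {"android.permission.READ_SMS"},
    "TelephonyInfo": {"android.permission.READ_PHONE_STATE",
                      "android.permission.ACCESS_COARSE_LOCATION"},
    "WifiConnection": {"android.permission.ACCESS_WIFI_STATE"},
    "WifiNeighbors": {"android.permission.ACCESS_WIFI_STATE"},
    "Root Check": set(),
    "Malware Info": set(),
}

# Constructed sample manifest: declares location, telephony, wifi and account
# permissions but neither READ_SMS nor READ_CALL_LOG.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.rideshare">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Sample"/>
</manifest>"""

# Categories "observed" in the decompiled code; here simply the article's list.
OBSERVED_CATEGORIES: List[str] = list(REQUIRED_PERMISSIONS)


def declared_permissions(manifest_xml: str) -> Set[str]:
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {el.attrib[name_attr] for el in root.iter("uses-permission") if name_attr in el.attrib}


def undeclared_collection(observed: List[str], declared: Set[str]) -> Dict[str, List[str]]:
    """Map each observed category to the gating permissions the manifest lacks.

    Categories not in the map are flagged for manual review rather than silently
    passed, so an unknown collector never looks clean by accident.
    """
    gaps: Dict[str, List[str]] = {}
    for category in observed:
        needed = REQUIRED_PERMISSIONS.get(category)
        if needed is None:
            gaps[category] = ["<unknown category: review manually>"]
            continue
        missing = sorted(needed - declared)
        if missing:
            gaps[category] = missing
    return gaps


def audit(manifest_xml: str = SAMPLE_MANIFEST,
          observed: List[str] = OBSERVED_CATEGORIES) -> Dict[str, List[str]]:
    """Run the audit and return {category: [missing permissions]}."""
    return undeclared_collection(observed, declared_permissions(manifest_xml))


if __name__ == "__main__":
    for category, perms in sorted(audit().items()):
        print(f"{category}: collected without {', '.join(perms)}")
```

Run against a real APK, the manifest would come from apktool's decoded output and the observed categories from the decompiled collector classes; the output here names the three categories (SMS, MMS, PhoneCall) whose data the sample manifest does not cover, which is exactly the kind of gap the article describes.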
It's not yet clear whether the iPhone app does the same level of reporting on its users. As for whether Google will move to pull the Uber app from the Play store, that seems unlikely given that Google's US$258 million stake in Uber represents the biggest deal Google Ventures has ever done.
This is the new world we're living in, folks, and if you think Uber's the only one building fat files out of your personal information, you're mad.

About the Author
Loz BlainLoz has been one of Gizmag's most versatile contributors since 2007. Joining the team as a motorcycle specialist, he has since covered everything from medical and military technology to aeronautics, music gear and historical artefacts. Since 2010 he's branched out into photography, video and audio production, and he remains the only Gizmag contributor willing to put his name to a sex toy review. A singer by night, he's often on the road with his a cappella band Suade.   All articles by Loz Blain
8 Comments
The latest in a long line of blunders... not entirely surprised.
Jason Catterall
27th November, 2014 @ 02:28 am PST
George Orwell only got the year wrong.
Mel Tisdale
27th November, 2014 @ 03:32 am PST
"a company whose core business model is, frankly, illegal in most of its markets as well."
Not Biased at all then...
Maybe it is an issue Android needs to address, by approving clean apps only, like Apple does.
Cédric Blanc
27th November, 2014 @ 03:40 am PST
Loz, the blog's analysis might be inaccurate.
Check this article
James_Smith
27th November, 2014 @ 09:03 am PST
"Not Biased at all then..."
Does "biased" mean something different where you're from, Cédric?
Stating a simple fact DOES NOT indicate bias.
Keith Reeder
27th November, 2014 @ 09:04 am PST
That explains why Google invested so much
measterbro
27th November, 2014 @ 11:25 am PST
@ James Smith
I'm sorry, but I don't buy a number of the excuses in the article you quoted, especially #2 and #8. And for many of the others Uber should explicitly ask the user for the information, not leech it secretly from your phone.
Much of the data types stated above seem surplus to actual needs to operate the service.
Wombat56
27th November, 2014 @ 02:15 pm PST
The allegation that Uber is "Malware" borders on the criminal. The permissions are fairly typical, in line with a smartphone ridesharing app, and are relevant to its operations; hardly "Malware". Many other apps have similar permissions and are not at any point considered "malware". It is reasonable to assume that the data collected is used maturely and not for nefarious purposes. Hardly malware!
The legality of Ridesharing organisations vary from nation to nation state to state based on antiquated laws relating to Ridesharing or "Carpooling" before the time of smartphones and tablets.
Why take an app like this and assassinate it so thoroughly? As if anything done by Uber is Malware or Illegal in all honesty - Ridesharing apps as Illegal Malware? That's just weird reporting for Gizmag.
Nemo Aristos
27th November, 2014 @ 06:14 pm PST