Thursday, November 27, 2014

Uber’s Android app is not ‘literally malware’, despite what you may have read THE OTHER SIDE

http://thenextweb.com/apps/2014/11/27/ubers-app-malware-despite-may-read/

A single blog post sparked a strange, worrying headline this week: “Uber’s app is literally malware,” proclaimed a thread on Hacker News.
Despite the blog post itself being oddly inflammatory, a number of media outlets have picked up the story’s claims that Uber may send unnecessary amounts of data back from your phone, like your private SMS messages and images stored on your phone.
Let’s nip this one in the bud: it’s incredibly unlikely that Uber’s app is any kind of malware, and from our investigations, the worries in the original post are unfounded. The post calls the company out for being too broad with permissions, but the majority of the permissions it lists are required by Android for many of the app’s basic functions.
Despite what some are claiming, there’s no evidence that Uber accesses any data on your phone other than that used explicitly for the purpose of getting you a ride, nor does it send any of your SMS messages, images or other data off your phone.
There’s no reason for Uber to collect data beyond what it needs; it’s certainly not in the company’s best interest.
As it turns out, Uber even has its own page that explains many of its own install permissions for this very reason. Let’s go over the list of permissions requested by the Uber app upon install, one by one, and explain what each one does, using the app’s functionality to guide us:
  1. Location: Uber needs to know where you are so you can get picked up. Surprise!
  2. Contacts: For splitting fares with friends, inviting friends to use Uber
  3. Phone: To call your Uber driver or for them to call you
  4. Camera/Microphone: Uber has a function that lets you take a photo of your credit card for scanning
  5. Wi-Fi Connection: Checks if you have internet and attempts to use the WiFi name to help determine your location
  6. Device ID and Call Information: Allows access to your phone number and a unique ID for your device
  7. Identity: Allows Android users to sign in and pay with one tap (using the Google Sign-In and Google Wallet services)
  8. Photos/Media/Files: Uber says this is to “save data and cache mapping vectors.”
Remember the Facebook Messenger permissions that scared everyone just a few months ago? Those same scary permissions turned out to be entirely used for legitimate reasons.
Indeed, in a statement to Cult of Mac as an update to its story on the matter, Uber says “Access to permissions including Wifi networks and camera are included so that users can experience full functionality of the Uber app. This is not unique to Uber, and downloading the Uber app is of course optional.”
Still worried? Fair enough; I did some digging to verify Uber’s not doing what the blog claimed it might be doing.
I set up my Android phone to have its traffic intercepted by my Mac for around 30 minutes. I monitored from when I downloaded it, to when I logged in and ordered a cab, as well as in the background. It’s not extensive, but it’s enough to see if anything fishy is going on.
Below you can see the most information that I saw Uber ever send off my device (note: this information was fully encrypted and is only readable as I added a certificate to the phone that allowed me to decrypt the data).
[Screenshot, 2014-11-27, 4:33:50 pm]
[Screenshot, 2014-11-27, 4:47:19 pm]
Uber sends back information like your location, phone number and email address — which is expected — along with data about your phone like the model number, OS version and serial number of the device. This information is incredibly valuable for development teams to help debug their apps when building them and can be found in most apps.
I couldn’t find any instance of Uber sending back any further detailed information than this, certainly not the SMS log or call history.
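One way to review a decrypted capture like the one described above systematically, as an added example that is not the author's tooling. It assumes the proxy's decrypted request bodies were exported as JSON strings; the sample bodies, all field names, and the `leaf_paths` and `audit` helpers are constructed for illustration.

```python
import json
import re

# Fields the article reports seeing: location, phone number, email address,
# device model, OS version and serial number.
EXPECTED = {"location", "lat", "lng", "latitude", "longitude", "phone",
            "email", "model", "os", "version", "serial"}
# What the original blog post worried about: SMS log and call history.
SENSITIVE = {"sms", "mms", "call", "calls"}

# Constructed bodies standing in for decrypted requests exported from the
# intercepting proxy. All field names are assumptions, not Uber's real API.
CAPTURED = [
    '{"device": {"model": "Nexus 5", "os_version": "4.4.4", "serial": "X"},'
    ' "user": {"email": "a@example.com", "phone": "+10000000000"},'
    ' "location": {"lat": 0.0, "lng": 0.0}}',
    '{"events": [{"name": "open", "location": {"lat": 0.0, "lng": 0.0}}]}',
]


def leaf_paths(node, path=""):
    """Yield a dotted path for every scalar value in a parsed JSON body."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from leaf_paths(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for item in node:
            yield from leaf_paths(item, path + "[]")
    else:
        yield path


def audit(bodies):
    """Sort every field path seen in the capture into three buckets."""
    report = {"expected": set(), "sensitive": set(), "unclassified": set()}
    for raw in bodies:
        try:
            doc = json.loads(raw)
        except ValueError:  # not JSON: needs manual review
            report["unclassified"].add("<non-JSON body>")
            continue
        for path in leaf_paths(doc):
            tokens = set(re.split(r"[^a-z0-9]+", path.lower()))
            if tokens & SENSITIVE:  # sensitive wins over expected
                report["sensitive"].add(path)
            elif tokens & EXPECTED:
                report["expected"].add(path)
            else:
                report["unclassified"].add(path)
    return report
```

The check matches key names only, so anything in the unclassified bucket, and any non-JSON body, still has to be read by hand.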
Perhaps the issue here isn’t apps asking for too many permissions, but instead the way they’re presented to the user. Android users continue to be scared away by permissions on the platform, when in reality they’re simply asking for details they need to perform basic functions.
In the blog post that started all of this, the writer himself notes “Maybe Uber evil [sic]. Maybe Uber isn’t sending a bunch of data off to their collection servers for harvesting. Maybe I’m just paranoid.”
For Uber on Android, there’s nothing to worry about. These permissions aren’t worrisome like they’re being made out to be.
  • cool good to know! this is a really nice article btw. thanks for the research!
      • what about driver side app software
          • I am an Android Developer myself and can see from the posts only, that there are no SMS read and send permissions asked for in the Manifest File. These are the permissions required for reading and sending SMS from your phone.
            1. To Read an SMS
            Link : http://developer.android.com/r...
            Written in the Manifest File as :
            <uses-permission android:name="android.permission.READ_SMS">
            </uses-permission>
            2. To Send an SMS
            Link : http://developer.android.com/r...
            written in the Manifest File as :
            <uses-permission android:name="android.permission.SEND_SMS">
            </uses-permission>
            I don't see those permissions in that AndroidManifest.xml file, so this blog is just plain lack of knowledge of how the application is used, as unless it has the permission mentioned in the manifest file, it cannot send or read SMS from the smartphone.
            Good that the author clarified the blog was incorrect, I am just mentioning the technical aspect of the inaccuracy of the blog writer. To add on that, Android does not support adding permissions dynamically, so it cannot add permissions via classes to the application according to my knowledge.
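The manifest check this comment describes, as an added example that is not part of the original comment or the article. It assumes the manifest has already been decoded to text XML (the copy inside an APK is stored as binary XML); `SAMPLE_MANIFEST` is a constructed sample, not Uber's manifest, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Attribute names in a decoded manifest live in the android: XML namespace.
NAME_ATTR = "{http://schemas.android.com/apk/res/android}name"

# READ_SMS and SEND_SMS are the two the comment names; RECEIVE_SMS is the
# related platform permission for incoming messages.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
}

# Constructed sample manifest for illustration; it is not Uber's manifest.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.rides">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA">
  </uses-permission>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Rides"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return every permission name requested by <uses-permission> tags."""
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")
    names = set()
    for elem in root:  # permission requests are direct children of the root
        if elem.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = elem.get(NAME_ATTR)
            if name:
                names.add(name.strip())
    return names


def sms_permissions(manifest_xml):
    """Return the SMS-gating permissions the manifest requests, sorted."""
    return sorted(declared_permissions(manifest_xml) & SMS_PERMISSIONS)


if __name__ == "__main__":
    found = sms_permissions(SAMPLE_MANIFEST)
    print("SMS permissions requested:", found or "none")
```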
              • Awesome Information about Uber's App. Thanks for Updates
                @digitalhubinc 
                www.digitalhubinc.com
