Uber Removing Private iOS API That Allowed Them To Record Your Display - Technology Market - Nairaland

Uber Removing Private iOS API That Allowed Them To Record Your Display by GlobalTechGist(m): 2:51pm On Oct 09, 2017
Uber’s head of security communications has today announced that the company is removing access from its iOS app that may have allowed the company to record a user’s display unknowingly. Security researchers had noticed that Uber was given access to these private APIs by Apple, an unprecedented move from the security-focused company.

Within iOS, application developers use entitlements to gain access to different APIs. For example, usage of iCloud and Apple Pay APIs requires specific entitlements within an application.

The idea behind using entitlements is that iOS applications only have access to what they absolutely need. As Apple puts it, “By carefully enabling only the resource access that you need, you minimize the potential for damage if malicious code successfully exploits your app.”

This is where Uber’s iOS app raised a few eyebrows. APIs, and as a result entitlements, are separated into public and private usage. Private APIs may not be used in apps that are submitted to the App Store. Uber’s API that could technically allow them to record a device’s display was locked away behind a private entitlement.

Melanie Ensign, Security and Privacy communications at Uber, told Will Strafach on Twitter that the entitlement would be removed. According to Ensign, the API was used back when watchOS apps couldn’t handle map rendering. From a technical perspective, the APIs may have allowed Uber to capture what was seen on the iOS app’s display and then push it to the watchOS app.

Strafach asked Ensign how Uber was granted access to this entitlement in the first place. Being a private entitlement, no applications should have this access. In his own researched dataset, he discovered only Uber and Apple’s own apps had this private access. Strafach mentioned that Apple had to have granted this entitlement to Uber.

Being granted this level of access is especially interesting in light of Apple and Uber’s history. Earlier this year, it was reported that Tim Cook had threatened to pull Uber from the App Store over allegations of tracking users.

more at http://globaltechgist..co.ke/2017/10/uber-removing-private-ios-api-that.html?m=1
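
An added example, not part of the original post and not Apple's or Uber's code: auditing an app's entitlements plist against a least-privilege allowlist, the kind of check that surfaces a private entitlement in a shipped build. The `com.apple.private.` prefix heuristic, the allowlist and the sample plist are assumptions constructed for illustration, and the private key shown is a placeholder.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Assumption: private entitlements are recognised by this key prefix (a heuristic).
PRIVATE_PREFIX = "com.apple.private."

# Constructed allowlist for a hypothetical app that uses push, iCloud and Apple Pay.
EXPECTED = {
    "application-identifier",
    "keychain-access-groups",
    "aps-environment",
    "com.apple.developer.icloud-container-identifiers",
    "com.apple.developer.in-app-payments",
}

# Constructed sample; the private key below is a placeholder, not a real entitlement.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>application-identifier</key><string>ABCDE12345.com.example.rides</string>
  <key>aps-environment</key><string>production</string>
  <key>com.apple.developer.in-app-payments</key>
  <array><string>merchant.com.example.rides</string></array>
  <key>get-task-allow</key><true/>
  <key>com.apple.private.example-placeholder</key><true/>
</dict>
</plist>"""


def audit_entitlements(plist_bytes, expected=EXPECTED):
    """Compare declared entitlements with the allowlist and report deviations."""
    try:
        declared = plistlib.loads(plist_bytes)
    except (ValueError, ExpatError) as exc:
        raise ValueError(f"not a parseable entitlements plist: {exc}") from exc
    if not isinstance(declared, dict):
        raise ValueError("entitlements plist must have a dict at the top level")
    keys = set(declared)
    return {
        # Private-namespace keys: not allowed in App Store submissions per the post.
        "private": sorted(k for k in keys if k.startswith(PRIVATE_PREFIX)),
        # Declared but not on the allowlist: access the app was not meant to have.
        "unexpected": sorted(k for k in keys - expected if not k.startswith(PRIVATE_PREFIX)),
        # Allowlisted but not declared: the allowlist can be tightened.
        "unused": sorted(expected - keys),
    }


if __name__ == "__main__":
    for category, names in audit_entitlements(SAMPLE).items():
        print(f"{category}: {names}")
```
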
