Uber has said it will remove code from its iPhone app that security researchers say could let the ride-sharing app record the screen -- even when the app is closed.
Will Strafach, a security researcher, discovered this week that Uber had been granted an undocumented private app permission allowing access to the screen-recording feature. It's one of many "entitlements" that allow developers to tap into features of an iPhone or iPad that are normally off limits to most app developers, unless they have been granted special permission by Apple.
Many screen-recording apps use this entitlement without permission, such as iRec, which run on jailbroken devices.
Strafach said that to his knowledge, based on thousands of app binaries he has indexed, Uber is the only third-party app that was given a private entitlement.
Other iPhone and iPad app developers said the move was unprecedented.
Apple expert and jailbreak author Luca Todesco told ZDNet that it was an "extremely dangerous use case."
Todesco explained that the specific entitlement, known as "com.apple.private.allow-explicit-graphics-priority," allows a developer to read or write to the iPhone's framebuffer, a part of the phone's memory that contains pixel and display data. "Writing is always possible from an app using normal rendering services, which draw to framebuffer on your behalf," he said. "Reading allows you to look at the device's screen."
"It's the equivalent of giving keylogging ability to apps," he said.
He also warned that it adds "a significant weakness" to users of Uber's app, because gaining code execution rights would let an attacker log user's credentials. "It paints a pretty big target on top of the app," he said.
"I find this very frightening and dangerous," he said.
An Uber spokesperson said that the code was used to improve the rendering on its Apple Watch app.
"It's not connected to anything else in our current codebase and the diff [sic] to remove it is already being pushed into production," said a spokesperson. "This API would allow maps to render on your phone in the background and then be sent to your Apple Watch," they added.
"Subsequent updates to Apple Watch and our app removed this dependency, so we're removing the API completely," said the spokesperson.
It's the latest in a long history of privacy issues and violations centered on Uber and its app.
It's the latest in a long history of similar Uber-related privacy issues, including programs used to track drivers of competing service Lyft, and other secret programs aimed at discovering and frustrating efforts by law enforcement and undercover authorities.
The New York Times reported earlier this year that Apple chief executive Tim Cook threatened to kick Uber out of the Apple App Store after Uber was caught violating its rules by tracking iPhones after the app was deleted.
Strafach said he didn't know how, "even after [Uber] previously abused" the rules, Uber still "convinced Apple to let them have exclusive access to this privileged" entitlement.
"It seems they got special treatment and do not want to directly admit it," he said.
When reached, an Apple spokesperson did not comment.