Corporate Uber customers should be mindful of the sensitive data that the ride-sharing company's app collects and often shares with third parties insecurely, researchers say.
Security vendor Appthority analysed the Uber app for Google Android and Apple iOS devices, and found that the newest version collects more information than the older one and has dropped the requirement to transmit the data safely with transport layer security (TLS).
While collecting an increasing amount of information expands what the Uber app can do, Appthority pointed out that it also raises the risk of private data being shared with unintended or unknown parties, especially if it is transmitted insecurely.
"The risks associated with corporate data leakage should not be taken lightly. The names of C-level executives and their real-time location data, for instance, are valuable corporate information," Appthority wrote.
"This information can be part of spear phishing, watering hole or social engineering attacks.
"Alternatively, competitive business information, such as potential merger and acquisition activity, can be inferred from the presence of an executive at another company’s location."
For example, leaking that a senior executive is travelling to health appointments such as cancer treatment could affect a company's share price, the security vendor said.
The latest version of the Uber app also now accesses the Calendar app on iOS and the SMS text message archive on Android.
Appthority noted that Uber has added 26 background services to the app in the newer version compared to none in the previous iteration.
Uber has also granted 633 third-party apps application programming interface (API) access to information gathered by its mobile app.
Fifteen of those third-party apps have the server_tokens used for authentication hardcoded into them. By extracting a server_token, an attacker could impersonate the app in question and request access to Uber's API to extract data.
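As an added illustration, not taken from the Appthority report or from Uber's or any partner's code, the following Python check is the kind a defender could run over a string dump of an app bundle to flag the two issues above: an authentication token assigned as a string literal, and an API endpoint reached over cleartext http://. The sample strings and endpoint names are constructed, and the check is written a little more generally than the report (it also flags client_secret and api_key literals).

```python
import re

# Constructed sample of strings dumped from a third-party app bundle.
# It mixes one hardcoded credential and one cleartext endpoint with safe patterns.
SAMPLE_STRINGS = """\
api_base = "http://api.partner-backend.test/v1"
server_token = "SERVER_TOKEN_PLACEHOLDER_0123456789abcdef"
client_id = "partner-app"
ride_status_url = "https://api.partner-backend.test/v1/requests"
oauth_token = os.environ["PARTNER_OAUTH_TOKEN"]
"""

# A credential-like key assigned a quoted literal of 16+ token characters.
TOKEN_ASSIGNMENT = re.compile(
    r'(?P<key>server_token|client_secret|api_key)\s*[:=]\s*'
    r'["\'](?P<value>[A-Za-z0-9_\-]{16,})["\']',
    re.IGNORECASE,
)
# Any http:// URL; https:// does not match because "http" is followed by "s".
CLEARTEXT_URL = re.compile(r'\bhttp://[^\s"\']+')


def redact(value):
    """Keep only the ends of a secret so reports do not re-leak it."""
    return value[:4] + "..." + value[-4:]


def scan_strings(text):
    """Return a list of findings, one dict per issue, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = TOKEN_ASSIGNMENT.search(line)
        if match:
            findings.append({"line": lineno, "kind": "hardcoded_credential",
                             "key": match.group("key").lower(),
                             "evidence": redact(match.group("value"))})
        for url in CLEARTEXT_URL.findall(line):
            findings.append({"line": lineno, "kind": "cleartext_endpoint",
                             "evidence": url})
    return findings


if __name__ == "__main__":
    for finding in scan_strings(SAMPLE_STRINGS):
        print(finding)
```

Reading the token from an environment variable or platform keystore, as the last sample line does, is not flagged because no literal follows the assignment.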
"Uber’s business decision to integrate with other apps increases the risks of data leakage and exposure of key corporate information," Appthority said.
"For these reasons, making the Uber app itself secure should be Uber’s first priority and, in the meantime, enterprises should be aware of the risks and may want to limit use of the Uber app in their corporate environments."
Updated, 2.13pm: Uber spokesperson Katie Curran told iTnews that there were three main inaccuracies in Appthority’s report, the first being that the security vendor tested an old version of the app, and not the current one in the App Store.
Furthermore, the app provides location-based services and collects information for that purpose. It is, however, possible to use the Uber app without turning on location services; users then have to type addresses into the app manually.
Appthority also made conclusions based on incomplete information on how data is shared with developers through Uber’s APIs, Curran said.
"We have strict terms of service for developers who use our APIs. Under this policy, we restrict the kind of information that can be shared with API partners and nothing can be shared without the user's explicit permission through their OAuth implementation.
OAuth is an open protocol and industry standard used by many companies to allow secure authorization with developers.
Every app from Facebook to Yelp uses OAuth. However, sensitive Uber location information like pick up or drop off location is never shared. This policy is publicly available," Curran said.
Uber’s terms of service require any of the company’s data, or data related to developer integration with its API, to be encrypted and sent over secure channels such as HTTPS.
“Even if an app requests data from Uber’s API without HTTPS, we automatically redirect them to HTTPS before our server will respond - that way, the information is always encrypted,” Curran added.
Curran said Uber encourages security researchers to submit issues via the company’s bug bounty program, which has paid out almost $1 million in rewards over the past year.