BETA
This is a BETA experience. You may opt-out by clicking here

More From Forbes

UK And Germany Double Down On Joint AI, Clean Energy R&D Efforts
Decarbonizing Heavy Transportation: Quantron's Michael Perschke On Pioneering Hydrogen Solutions
Bridging The Digital Divide In The AI Era - The UNDP Way
Big Tech Ramps Up Content Moderation Amid EU Pressure
Spain's Successful Miura 1 Launch Reignites Europe's Hopes For Space Exploration
UNESCO And The Netherlands Launch Initiative To Ensure Ethical Oversight Of AI
Edit Story
ForbesTech

Is This The Final Straw? Uber's Android Application--"Literally Malware"

Ben Kepes
Former Contributor
Opinions expressed by Forbes Contributors are their own.
I cover how technology helps business compete.
This article is more than 9 years old.

Update - Uber responded to this article with the following statement:

Access to permissions including Wifi networks and camera are included so that users can experience full functionality of the Uber app. This is not unique to Uber, and downloading the Uber app is of course optional.  For additional details on Android permissions, please see: https://m.uber.com/android-permissions.

I suspect that this statement will do little to mollify concerned Uber customers. In Uber's defense, it would appear that this is as much a problem with Android as it is with Uber. A follow up post on Re/Code details how Android's poor granularity when it comes to security permissions causes issues like this one.

Ride-sharing service Uber has been, at least until the last couple of weeks, the quintessentially example of technology disrupting a traditional enterprise. Take a moribund taxi industry, add a mobile application, cloud-based collaboration and connectivity and integrate with mobile payments and you have a movement that has, literally and figuratively, traditional cab companies shaking in their boots.

I say until the last couple of weeks because Uber hasn't had a good run of it recently - allegations that they are able to access private customer details and worrying claims that they contemplated setting up a fund to dig dirt on tech journalists has not only customers concerned, but has gotten attention from regulators and government officials.

One would have thought that Uber CEO Travis Kalanick would have been able to sign off today for a couple of days of recovery after his hard few weeks, but alas that is not the case. A security researcher has been spending time unpicking Uber's Android mobile application and has discovered an amazing array of user data that Uber is sending back to its servers.

According to the researcher, GironSec, the Uber app automatically "calls home" and sends private data back to the company - without users having expressly granted it permission to do so. The application is allegedly sending back users' call history, Wi-Fi connections used, GPS locations and every type of device ID possible.

Not only individual user data but the Uber app apparently checks neighboring WiFi zones and sends back their router's capabilities, frequencies and IDs. Developers have been going wild on the popular HackerNews message board about the situation with one saying that there isn't:

any reason for Google not to immediately remove this app from the store permanently and ban whatever developer uploaded it. There should probably be legal action

The full list of user data that Uber is scraping of customer's devices is staggering and according to Cult of Mac includes:

  • Accounts log (Email)
  • App Activity (Name, PackageName, Process Number of activity, Processed id)
  • App Data Usage (Cache size, code size, data size, name, package name)
  • App Install (installed at, name, package name, unknown sources enabled, version code, version name)
  • Battery (health, level, plugged, present, scale, status, technology, temperature, voltage)
  • Device Info (board, brand, build version, cell number, device, device type, display, fingerprint, IP, MAC address, manufacturer, model, OS platform, product, SDK code, total disk space, unknown sources enabled)
  • GPS (accuracy, altitude, latitude, longitude, provider, speed)
  • MMS (from number, MMS at, MMS type, service number, to number)
  • NetData (bytes received, bytes sent, connection type, interface type)
  • PhoneCall (call duration, called at, from number, phone call type, to number)
  • SMS  (from number, service number, SMS at, SMS type, to number)
  • TelephonyInfo (cell tower ID, cell tower latitude, cell tower longitude, IMEI, ISO country code, local area code, MEID, mobile country code, mobile network code, network name, network type, phone type, SIM serial number, SIM state, subscriber ID)
  • WifiConnection (BSSID, IP, linkspeed, MAC addr, network ID, RSSI, SSID)
  • WifiNeighbors (BSSID, capabilities, frequency, level, SSID)
  • Root Check (root status code, root status reason code, root version, sig file version)
  • Malware Info (algorithm confidence, app list, found malware, malware SDK version, package list, reason code, service list, sigfile version)

Since Uber's troubles and unethical actions have begun surfacing, there has been a small but vocal group of people encouraging customers to delete the Uber application from their phones. It would seem that now, beyond simply making a statement, removing Uber from your Android device is actually a well-advised course of action.

Follow me on TwitterCheck out my website
Ben Kepes
Ben Kepes