Uber's Android app caught reporting data back without permission

God's View Tool at work: Uber's Android app caught reporting data back without permission.

Uber's Android app is reporting all your personal data, including your present location, back to the men behind the Uber terminals at base. Security researcher GironSec has taken Uber's Android app apart and discovered that it is sending a whole lot of personal data back to Uber. The data being reported includes your call logs, the types of apps installed on your smartphone or tablet, and your SMS and MMS logs. Uber's God's View Tool can also identify whether your phone is vulnerable to certain malware and whether it is rooted, and it reports the same back to base. All this is being done when Uber doesn't have your explicit permission to do so.

GironSec has illustrated how Uber is reporting all this confidential user data back to base. He has decompiled the code of the Uber Android app and found it to be collecting and sending the following information back to Uber:

Accounts log (Email)
App Activity (Name, PackageName, Process Number of activity, Processed id)
App Data Usage (Cache size, code size, data size, name, package name)
App Install (installed at, name, package name, unknown sources enabled, version code, version name)
Battery (health, level, plugged, present, scale, status, technology, temperature, voltage)
Device Info (board, brand, build version, cell number, device, device type, display, fingerprint, ip, mac address, manufacturer, model, os platform, product, sdk code, total disk space, unknown sources enabled)
GPS (accuracy, altitude, latitude, longitude, provider, speed)
MMS (from number, mms at, mmss type, service number, to number)
NetData (bytes received, bytes sent, connection type, interface type)
PhoneCall (call duration, called at, from number, phone call type, to number)
SMS (from number, service number, sms at, sms type, to number)
TelephonyInfo (cell tower id, cell tower latitude, cell tower longitude, imei, iso country code, local area code, meid, mobile country code, mobile network code, network name, network type, phone type, sim serial number, sim state, subscriber id)
WifiConnection (bssid, ip, linkspeed, macaddr, networkid, rssi, ssid)
WifiNeighbors (bssid, capabilities, frequency, level, ssid)
Root Check (root status code, root status reason code, root version, sig file version)
Malware Info (algorithm confidence, app list, found malware, malware sdk version, package list, reason code, service list, sigfile version)

GironSec's research concludes that the app uses the following permissions with your permission:

<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.CALL_PHONE" />
<uses-permission android:name="android.permission.CAMERA" />
<uses-permission android:name="android.permission.GET_ACCOUNTS" />
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.MANAGE_ACCOUNTS" />
<uses-permission android:name="android.permission.READ_CONTACTS" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="android.permission.USE_CREDENTIALS" />
<uses-permission android:name="android.permission.VIBRATE" />
<uses-permission android:name="android.permission.WRITE_SETTINGS" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="com.google.android.providers.gsf.permission.READ_GSERVICES" />
<permission android:name="com.ubercab.permission.C2D_MESSAGE" android:protectionLevel="0x00000002" />
<permission android:name="com.ubercab.permission.NOTIFY_ACTION" android:protectionLevel="0x00000002" />
<uses-permission android:name="com.ubercab.permission.C2D_MESSAGE" />
<uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" />
<uses-permission android:name="android.permission.WAKE_LOCK" />
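
To cross-check the list of collected data against the permissions listed above, this added example (not part of GironSec's research or of the app's code) parses uses-permission entries and reports which data categories have a declared gating permission. The GATING table is an assumption based on the Android platform's permission names, not something the article states.

```python
import re

# Short names of the android.permission.* entries in the listing above.
DECLARED_NAMES = """ACCESS_COARSE_LOCATION ACCESS_FINE_LOCATION ACCESS_NETWORK_STATE
ACCESS_WIFI_STATE CALL_PHONE CAMERA GET_ACCOUNTS INTERNET MANAGE_ACCOUNTS READ_CONTACTS
READ_PHONE_STATE USE_CREDENTIALS VIBRATE WRITE_SETTINGS WRITE_EXTERNAL_STORAGE
WAKE_LOCK""".split()

# Manifest text rebuilt from those names so the parser has realistic input.
MANIFEST = "\n".join(
    f'<uses-permission android:name="android.permission.{n}"/>' for n in DECLARED_NAMES)

# Assumption (not from the article): the platform permission that normally gates
# each collected category. READ_CALL_LOG exists from API 16; apps targeting
# API 15 or lower get call-log access implicitly via READ_CONTACTS.
GATING = {
    "Accounts log": "GET_ACCOUNTS",
    "GPS": "ACCESS_FINE_LOCATION",
    "TelephonyInfo": "READ_PHONE_STATE",
    "WifiConnection": "ACCESS_WIFI_STATE",
    "WifiNeighbors": "ACCESS_WIFI_STATE",
    "SMS": "READ_SMS",
    "MMS": "READ_SMS",
    "PhoneCall": "READ_CALL_LOG",
}

# Accept straight or typographic quotes, since copied manifests often carry the latter.
PERM_RE = re.compile(r'<uses-permission\s+android:name=["”″]([\w.]+)["”″]')

def declared_permissions(manifest_text):
    """Return the set of short permission names requested in the manifest text."""
    return {name.rsplit(".", 1)[-1] for name in PERM_RE.findall(manifest_text)}

def audit(manifest_text, gating=GATING):
    """Split data categories into those with and without a declared gating permission."""
    declared = declared_permissions(manifest_text)
    covered = sorted(c for c, p in gating.items() if p in declared)
    uncovered = sorted(c for c, p in gating.items() if p not in declared)
    return covered, uncovered

if __name__ == "__main__":
    covered, uncovered = audit(MANIFEST)
    print("declared permission found for:", ", ".join(covered))
    print("no declared permission for:  ", ", ".join(uncovered))
```

A category reported without a declared permission is one to verify against the decompiled code paths rather than take from the field list alone.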

From the above you can see that a taxi provider like Uber is taking the Big Brother talk rather seriously. It is left to your imagination what a taxi-hiring service can do with this kind of data. Some mere mortals are suggesting it might be an anti-fraud measure to help Uber detect and combat fake accounts set up by its competitors. However, sanity prevails, and the fact remains that Uber is collecting personal data without your explicit permission, which constitutes an infringement of your basic rights. In the United States the law stipulates that collecting data without appropriate permission constitutes malware and compromises users' personal data.

Techworm had already reported on Uber being panned for its VP's sadistic comments about setting aside $1 million for a research team to expose the personal lives of media critics and their families. This was supposed to be done with the same tool that Uber is using now, the God's View Tool. You can read about the same here. It seems Uber's God's View Tool is doing much more than hounding journos and the anti-Uber camp.

GironSec has torn apart the Uber Android app, but he has not published much about Uber's iPhone app. It remains to be seen whether Uber iPhone users' privacy is also being breached in the same way as on the Android app. Given the seriousness of the issue, it also remains to be seen whether Google will pull the Uber app down from Google Play, citing serious privacy infringement clauses. Remember, Google has a conflict of interest in Uber's case, as it has a US$258 million stake in Uber.

God's View Tool, eh?

