[Cryptography] Uber "Greyball"-ed city authorities w/fake screens

Henry Baker hbaker1 at pipeline.com
Fri Mar 3 18:53:16 EST 2017


FYI --

https://www.nytimes.com/2017/03/03/technology/uber-greyball-program-evade-authorities.html

'To build a case against the company, officers ... posed as riders, opening the Uber app'

'Uber had tagged [the officer] ... based on data collected from [his/her] app ... The company then served up a fake version of the app populated with ghost cars'

'When Uber moved into a new city, [an Uber employee] ... would try to spot enforcement officers.  One technique involved drawing a digital perimeter, or "geofence," around the government offices ... people were frequently opening and closing the app ... near such locations as evidence that [they] might be associated with city agencies.  Other techniques included ... credit card information and determining whether the card was tied directly to an institution like a police credit union.'

http://www.cultofmac.com/304401/ubers-android-app-literally-malware/

Uber's data-sucking Android app is dangerously close to malware [updated]

By Buster Hein -- 11:22 am, November 26, 2014

Uber has been sideswiped by a ridiculous number of controversies lately, but things are about to get even worse for the ride-sharing service.  A security researcher just reverse-engineered the code of Uber's Android app and made a startling discovery: It's "literally malware."

Digging into the app's code, GironSec (http://www.gironsec.com/blog/2014/11/what-the-hell-uber-uncool-bro/) discovered the Uber app "calls home" and sends data back to Uber.  This isn't typical app data, though.  Uber has access to users' entire SMSLog even though the app never requests permission.  It also accesses call history, Wi-Fi connections used, GPS locations and every type of device ID possible.

The app even checks your neighbor's Wi-Fi and retrieves info on the router's capabilities, frequency and SSID.  News of the app's vulnerability was first posted on Hacker News with the charming intro, "TLDR: Uber's Android app is literally malware." (https://news.ycombinator.com/item?id=8660336)  One developer commenting on the revelation said there isn't "any reason for Google not to immediately remove this app from the store permanently and ban whatever developer uploaded it.  There should probably be legal action."

Here's the full list of all the data Uber is collecting through its Android app (we're checking to see if the iOS version works the same way):

-- Accounts log (Email)
-- App Activity (Name, PackageName, Process Number of activity, Processed id)
-- App Data Usage (Cache size, code size, data size, name, package name)
-- App Install (installed at, name, package name, unknown sources enabled, version code, version name)
-- Battery (health, level, plugged, present, scale, status, technology, temperature, voltage)
-- Device Info (board, brand, build version, cell number, device, device type, display, fingerprint, IP, MAC address, manufacturer, model, OS platform, product, SDK code, total disk space, unknown sources enabled)
-- GPS (accuracy, altitude, latitude, longitude, provider, speed)
-- MMS (from number, MMS at, MMS type, service number, to number)
-- NetData (bytes received, bytes sent, connection type, interface type)
-- PhoneCall (call duration, called at, from number, phone call type, to number)
-- SMS (from number, service number, SMS at, SMS type, to number)
-- TelephonyInfo (cell tower ID, cell tower latitude, cell tower longitude, IMEI, ISO country code, local area code, MEID, mobile country code, mobile network code, network name, network type, phone type, SIM serial number, SIM state, subscriber ID)
-- WifiConnection (BSSID, IP, linkspeed, MAC addr, network ID, RSSI, SSID)
-- WifiNeighbors (BSSID, capabilities, frequency, level, SSID)
-- Root Check (root status code, root status reason code, root version, sig file version)
-- Malware Info (algorithm confidence, app list, found malware, malware SDK version, package list, reason code, service list, sigfile version)

Uber might have a legitimate reason to use most of this info in the app, perhaps for fraud detection or an intelligence-gathering tool.  The problem is that the information is being sent and collected by Uber's servers without users' knowledge or permission.

Sen. Al Franken sent a letter to Uber CEO Travis Kalanick last week demanding the company account to the public for its data gathering.  The letter came as a response to a recent controversy where an Uber executive threatened to spy on and blackmail journalists who wrote unfavorable articles about the company.  Uber's "God View" tool, which gives company insiders unlimited access to riders' data, has also been a cause of concern in recent weeks.

Cult of Mac asked Uber for comment on the collection and transmission of the data its Android and iOS apps are performing, but haven't received a response.

Update: Uber has provided some clarification to the company's data gathering, noting that the blanket access is actually a requirement from Google, which forces Android developers to ask for privacy permissions up front.

Uber spokeswoman Lara Sasken released the following statement to Cult of Mac:

"Access to permissions including Wifi networks and camera are included so that users can experience full functionality of the Uber app.  This is not unique to Uber, and downloading the Uber app is of course optional."

Recode notes that Uber-competitor Lyft requests access to the same data on Android.  Unlike iOS and Windows, Android developers are encouraged to request access to more user data than their apps actually need.  The Uber app on Android exposes some of the mobile operating system's weakness in privacy compared to iOS and Windows, both of which allow users to refuse access to data on a case-by-case basis.

Additional information on Android permissions can be found on Uber's site here (https://m.uber.com/android-permissions), but not every feature is explained.
-----

This article about the Uber app as malware is several years old, but today's NYTimes article "How Uber Used Secret Greyball Tool to Deceive Authorities Worldwide" explains for the first time one of the real reasons for Uber's prurient interest in its users' data.

Now that we know these reasons for Uber's spying, it becomes clear what information collected by Uber's app could be used to track authorities who are trying to catch Uber drivers in illegal activities.  Uber's bloated app size (215MBytes on iOS -- probably required for all the fake screens, ghost cars, etc.) can be seen as an all-out assault on every one of its users' privacy.

This NYTimes article also explains why Uber wants so desperately to spy on its users *all* the time (http://www.theverge.com/2016/11/30/13763714/uber-location-data-tracking-app-privacy-ios-android -- "Uber wants to track your location even when you're not using the app") -- not just when these users are utilizing Uber cars!


