Uber is spying on you very badly.

This is one of those interim posts where I’m not posting something cool, but rather something that’s bothering me. You know, like a blog post?

Anyways, I downloaded Uber the other day and it’s pretty cool and handy. The only qualm I had was with all the permissions it asked for.

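You can see the permissions the app wants to use by viewing the “AndroidManifest.xml” file inside the APK. Just open the APK with 7zip and view it. Unfortunately, doing this will yield garbage data, because the manifest inside an APK is stored in Android’s compiled binary XML format rather than as plain text.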


The easiest way I’ve seen is to use a tool like xml-apk-parser.

Now we can get a clearer picture of what the heck it wants permission to use:

<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION">
</uses-permission>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION">
</uses-permission>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE">
</uses-permission>
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE">
</uses-permission>
<uses-permission android:name="android.permission.CALL_PHONE">
</uses-permission>
<uses-permission android:name="android.permission.CAMERA">
</uses-permission>
<uses-permission android:name="android.permission.GET_ACCOUNTS">
</uses-permission>
<uses-permission android:name="android.permission.INTERNET">
</uses-permission>
<uses-permission android:name="android.permission.MANAGE_ACCOUNTS">
</uses-permission>
<uses-permission android:name="android.permission.READ_CONTACTS">
</uses-permission>
<uses-permission android:name="android.permission.READ_PHONE_STATE">
</uses-permission>
<uses-permission android:name="android.permission.USE_CREDENTIALS">
</uses-permission>
<uses-permission android:name="android.permission.VIBRATE">
</uses-permission>
<uses-permission android:name="android.permission.WRITE_SETTINGS">
</uses-permission>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE">
</uses-permission>
<uses-permission android:name="com.google.android.providers.gsf.permission.READ_GSERVICES">
</uses-permission>
<permission android:name="com.ubercab.permission.C2D_MESSAGE" android:protectionLevel="0x00000002">
</permission>
<permission android:name="com.ubercab.permission.NOTIFY_ACTION" android:protectionLevel="0x00000002">
</permission>
<uses-permission android:name="com.ubercab.permission.C2D_MESSAGE">
</uses-permission>
<uses-permission android:name="com.google.android.c2dm.permission.RECEIVE">
</uses-permission>
<uses-permission android:name="android.permission.WAKE_LOCK">
</uses-permission>

Christ man! Why the hell would it want access to my camera, my phone calls, my wifi neighbors, my accounts, etc? We’ll see in just a second.

public void run()
      {
        Looper.prepare();
        InAuthManager.getInstance().updateLogConfig(this.val$URL, this.val$acctGUID);
        InAuthManager.getInstance().sendAccountsLog(this.val$transID);
        InAuthManager.getInstance().sendAppActivityLog(this.val$transID);
        InAuthManager.getInstance().sendAppDataUsageLog(this.val$transID);
        InAuthManager.getInstance().sendAppInstallLog(this.val$transID);
        InAuthManager.getInstance().sendBatteryLog(this.val$transID);
        InAuthManager.getInstance().sendDeviceInfoLog(this.val$transID, true);
        InAuthManager.getInstance().sendGPSLog(this.val$transID, true);
        InAuthManager.getInstance().sendMMSLog(this.val$transID);
        InAuthManager.getInstance().sendNetDataLog(this.val$transID);
        InAuthManager.getInstance().sendPhoneCallLog(this.val$transID);
        InAuthManager.getInstance().sendSMSLog(this.val$transID);
        InAuthManager.getInstance().sendTelephonyInfoLog(this.val$transID, true);
        InAuthManager.getInstance().sendWifiConnectionLog(this.val$transID);
        InAuthManager.getInstance().sendWifiNeighborsLog(this.val$transID);
      }
    });

Why the hell is this here? What’s it sending? Why? Where? I don’t remember agreeing to allow Uber access to my phone calls and SMS messages. Bad NSA-Uber.
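An added example (not from the original post, and not Uber's or InAuth's code): a cross-check of the collector method names in the decompiled `run()` against the permissions the manifest actually requests, showing which collectors have the permission their name implies. The method-to-permission mapping and the `target_sdk` value are assumptions, inferred from the method names and Android's documented permission model.

```python
import re

# Permission names copied from the manifest listing in the post (short form),
# re-wrapped here into the same <uses-permission> XML the decoder prints.
NAMES = ("ACCESS_COARSE_LOCATION ACCESS_FINE_LOCATION ACCESS_NETWORK_STATE "
         "ACCESS_WIFI_STATE CALL_PHONE CAMERA GET_ACCOUNTS INTERNET "
         "MANAGE_ACCOUNTS READ_CONTACTS READ_PHONE_STATE USE_CREDENTIALS "
         "VIBRATE WRITE_SETTINGS WRITE_EXTERNAL_STORAGE WAKE_LOCK").split()
MANIFEST = "\n".join(
    f'<uses-permission android:name="android.permission.{n}">\n</uses-permission>'
    for n in NAMES)

# ASSUMED mapping, inferred from the method names only (not from the SDK's
# code): the permission each collector would need to read what its name says.
NEEDS = {
    "sendAccountsLog": {"GET_ACCOUNTS"},
    "sendGPSLog": {"ACCESS_FINE_LOCATION"},
    "sendMMSLog": {"READ_SMS"},
    "sendSMSLog": {"READ_SMS"},
    "sendPhoneCallLog": {"READ_CALL_LOG"},
    "sendTelephonyInfoLog": {"READ_PHONE_STATE"},
    "sendWifiConnectionLog": {"ACCESS_WIFI_STATE"},
    "sendWifiNeighborsLog": {"ACCESS_WIFI_STATE"},
}

def requested_permissions(manifest_xml):
    """Return the short names of all android.permission.* entries requested."""
    pat = r'<uses-permission\s+android:name="android\.permission\.([A-Z_]+)"'
    return set(re.findall(pat, manifest_xml))

def audit(manifest_xml, target_sdk):
    """Map each collector to the permissions it lacks (empty list = has them)."""
    have = requested_permissions(manifest_xml)
    # READ_CALL_LOG was split out of READ_CONTACTS in API 16; an app whose
    # min and target SDK are both 15 or lower gets it implicitly.
    if "READ_CONTACTS" in have and target_sdk < 16:
        have = have | {"READ_CALL_LOG"}
    return {m: sorted(need - have) for m, need in NEEDS.items()}

if __name__ == "__main__":
    # target_sdk=19 is a placeholder; read the real value from <uses-sdk>.
    for method, missing in audit(MANIFEST, target_sdk=19).items():
        print(f"{method:24} {'missing ' + ', '.join(missing) if missing else 'permitted'}")
```

A collector reported as missing a permission can still be present in the code; it cannot read that data through the platform APIs unless the manifest requests the permission.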

There’s a lot of code to go over. The thing is about 7.5 MB of classes. In fact, the code I snagged from above comes from about 1100 lines of code. See for yourself. I especially liked the ‘hasHeartbleedVulnerability()’ method. Why do they want to know that? Later exploitation?

Going through the licenses.html file in the APK file, there’s a software suite missing.
See it? Stericson.RootTools

Google helps:


Why the hell would they need this? I know I keep asking questions, but here’s some answers: Uber checks to see if your device is rooted. It doesn’t tell you of course, it just wants to know so it can phone home and tell them about it. I also saw checks for malware, application activity and a bunch of other stuff.

[Correction] They use REST, not webdav. Thanks to everyone who pointed that out. Derp.

Like I said before, there’s a lot of data here to go through. Maybe Uber evil. Maybe Uber isn’t sending a bunch of data off to their collection servers for harvesting. Maybe I’m just paranoid.

Stay tuned for my next post, it’s gonna be good. I know I said that last time, but this is more of a blog post than an actual post.
