Uber has recently been hit by various controversies, and it looks like the company’s PR team will have one more thing to clean up: its Android application. According to a report from Joe’s Security Blog and a post on Y Combinator’s Hacker News further detailing the matter, the official Uber Android app might be spying on users, collecting various data that it shouldn’t have access to in the first place.
“Christ man! Why the hell would it want access to my camera, my phone calls, my Wi-Fi neighbors, my accounts, etc?” Joe’s Security Blog writes. “Why the hell is this here? What’s it sending? Why? Where? I don’t remember agreeing to allow Uber access to my phone calls and SMS messages. Bad NSA-Uber.”
Furthermore, the Uber app also checks whether your device is rooted, whether it has any malware on it, and whether it’s vulnerable to the Heartbleed security bug.
“Why the hell would they need this? I know I keep asking questions, but here’s some answers: Uber checks to see if your device is rooted. It doesn’t tell you of course, it just wants to know so it can phone home and tell them about it. I also saw checks for malware, application activity and a bunch of other stuff,” the publication adds.
Hacker News user revelation has actually listed everything the Uber Android app can learn about users, as found below:
- Accounts log (Email)
- App Activity (Name, PackageName, Process Number of activity, Processed id)
- App Data Usage (Cache size, code size, data size, name, package name)
- App Install (installed at, name, package name, unknown sources enabled, version code, version name)
- Battery (health, level, plugged, present, scale, status, technology, temperature, voltage)
- Device Info (board, brand, build version, cell number, device, device type, display, fingerprint, ip, mac address, manufacturer, model, os platform, product, sdk code, total disk space, unknown sources enabled)
- GPS (accuracy, altitude, latitude, longitude, provider, speed)
- MMS (from number, mms at, mmss type, service number, to number)
- NetData (bytes received, bytes sent, connection type, interface type)
- PhoneCall (call duration, called at, from number, phone call type, to number)
- SMS (from number, service number, sms at, sms type, to number)
- TelephonyInfo (cell tower id, cell tower latitude, cell tower longitude, imei, iso country code, local area code, meid, mobile country code, mobile network code, network name, network type, phone type, sim serial number, sim state, subscriber id)
- WifiConnection (bssid, ip, linkspeed, macaddr, networkid, rssi, ssid)
- WifiNeighbors (bssid, capabilities, frequency, level, ssid)
- Root Check (root status code, root status reason code, root version, sig file version)
- Malware Info (algorithm confidence, app list, found malware, malware sdk version, package list, reason code, service list, sigfile version)
UPDATE: Uber has contacted BGR with a comment on the matter. “Access to permissions including Wifi networks and camera are included so that users can experience full functionality of the Uber app. This is not unique to Uber, and downloading the Uber app is of course optional. For additional details on Android permissions, please see: https://m.uber.com/android-permissions,” a spokesperson for the company said.