Uber’s willingness to openly disregard Apple’s App Store guidelines almost prompted Tim Cook to kick the popular ridesharing app off the App Store altogether, according to a new report from The New York Times. In a fascinating profile of Uber CEO Travis Kalanick, a controversial figure to say the least, we learn that Kalanick in late 2014 instructed his software engineers to develop a way for the company to identify specific iPhones even when individuals deleted the Uber app from their devices.
When Apple got wind of what was going on in 2015, Tim Cook — who has long been an outspoken proponent of user privacy — took the issue incredibly seriously.
For months, Mr. Kalanick had pulled a fast one on Apple by directing his employees to help camouflage the ride-hailing app from Apple’s engineers. The reason? So Apple would not find out that Uber had secretly been tracking iPhones even after its app had been deleted from the devices, violating Apple’s privacy guidelines.
But Apple was on to the deception, and when Mr. Kalanick arrived at the midafternoon meeting sporting his favorite pair of bright red sneakers and hot-pink socks, Mr. Cook was prepared. “So, I’ve heard you’ve been breaking some of our rules,” Mr. Cook said in his calm, Southern tone. Stop the trickery, Mr. Cook then demanded, or Uber’s app would be kicked out of Apple’s App Store.
According to the report, Kalanick’s meeting with Cook left him “shaken.”
Uber’s app was never removed from the App Store but this wouldn’t be the last time that Uber’s tracking activities would make headlines.
Incidentally, Uber has since responded to the New York Times story regarding user tracking via a statement provided to Engadget.
We absolutely do not track individual users or their location if they’ve deleted the app. As the New York Times story notes towards the very end, this is a typical way to prevent fraudsters from loading Uber onto a stolen phone, putting in a stolen credit card, taking an expensive ride and then wiping the phone—over and over again. Similar techniques are also used for detecting and blocking suspicious logins to protect our users’ accounts. Being able to recognize known bad actors when they try to get back onto our network is an important security measure for both Uber and our users.
As the Times explains in detail, the Uber app installed a piece of code capable of identifying a particular iPhone as means to help detect when a device was likely stolen and its contents erased. That may sound reasonable enough, but it runs afoul of Apple’s App Store rules, which is to say that when a device is wiped clean, Apple wants there to be no data capable of linking a device back to a previous owner.
Consequently, Uber engineers, at the direction of Kalanick, came up with a clever way to surreptitiously install the code.
So Mr. Kalanick told his engineers to “geofence” Apple’s headquarters in Cupertino, Calif., a way to digitally identify people reviewing Uber’s software in a specific location. Uber would then obfuscate its code from people within that geofenced area, essentially drawing a digital lasso around those it wanted to keep in the dark. Apple employees at its headquarters were unable to see Uber’s fingerprinting.
The ruse did not last. Apple engineers outside of Cupertino caught on to Uber’s methods, prompting Mr. Cook to call Mr. Kalanick to his office.
Uber’s underlying objective here may have been reasonable, but clearly, the actions it took to achieve its objective were unquestionably deceitful. Indeed, the thrust of the entire Times profile on Kalanick paints a portrait of a man obsessed with winning at all costs and all too willing to make contemptible decisions to bolster the company.
The Times profile of Kalanick certainly doesn’t come at a good time for Uber. Recently, the company has garnered widespread media attention for all the wrong reasons, including a viral video featuring Kalanick getting into an argument with an Uber driver over employee-pay. The video generated an avalanche of criticism and even prompted Kalanick to write an apologetic letter stating that he needs “leadership help” and that he plans on getting it.
As a final point, mobile security expert Will Strafach took a look at an old build of Uber’s iOS app and found the “shenanigans” involving Uber’s private API calls.