Uber is in a dark place right now, having to defend itself against a wide range of allegations as various execs continue to abandon the company. Uber is conducting an internal investigation on sexism and harassment in the workplace, while Google is suing the company for having allegedly conspired to steal critical self-driving technology.
A new report over the weekend revealed that Uber wanted to keep track of iPhone users even after they uninstalled the app, and the company went as far as trying to deceive Apple about its intentions. However, Apple got wind of the feature, which won Uber CEO Travis Kalanick an embarrassing meeting with Tim Cook.
In early 2015, Apple’s CEO threatened to remove the app from the App Store unless Uber abandoned its privacy-infringing practices. And Kalanick swiftly accommodated Apple’s needs. After all, without an iPhone app, Uber’s entire business would be crushed.
In a response to The New York Times report, Uber said it never tracked Uber users who deleted the application. Instead, Uber told TechCrunch that it used a fingerprinting technique to tell fraudulent Uber accounts apart from real ones.
“We absolutely do not track individual users or their location if they’ve deleted the app,” an Uber spokesperson said. “As the New York Times story notes towards the very end, this is a typical way to prevent fraudsters from loading Uber onto a stolen phone, putting in a stolen credit card, taking an expensive ride and then wiping the phone — over and over again. Similar techniques are also used for detecting and blocking suspicious logins to protect our users’ accounts. Being able to recognize known bad actors when they try to get back onto our network is an important security measure for both Uber and our users.”
Uber told TechCrunch that it still uses a form of device fingerprinting to detect fraudulent behavior. If an iPhone was associated with fraud in the past, a new sign-up from that device should raise a red flag, the company said.
The practice has been modified to comply with Apple’s demands, Uber noted. But that doesn’t rule out the possibility that a previous version of this fingerprinting technique was used to track users outside of the scope of what would be expected of a mobile app.
Sudo Security Group’s Will Strafach explained that what Uber did was to abuse certain iOS resources to track users between uninstall and reinstall, not after the app was uninstalled.
“They were dynamically loading IOKit.framework (a private framework), then dynamically loading some symbols from it to iterate through the device registry (also very much forbidden),” the security researcher told TechCrunch. “They have code to nab a few things from the registry, but the only persistent identifier they actually use appears to be the device Serial Number. I believe that in iOS 9 and beyond, this is blocked by the iOS sandbox. Just to clarify, this also shows the initial concern of ‘tracking after uninstall’ was bad phrasing. The case here is tracking between uninstall/reinstall, which is still a privacy violation as Apple forbids this kind of tracking (that is why they removed the APIs for getting device UDID).”
