Uber's Android app is acting like malware, reporting personal data back to the company that it doesn't have permissions for
Taxi-busting ride share app Uber might have an operating model that suits customers better than traditional, regulated taxi services – but the company's aggressively disruptive (and frequently illegal) business practices don't seem to stop at harming the taxi industry.
Its vicious attacks on competitors have included ordering and cancelling more than five and a half thousand rides through its chief competitor Lyft. Its senior Vice President of Business, Emil Michael, casually mentioned at a dinner that maybe Uber could start digging up personal dirt on journalists critical of the company.
These kinds of stories, of course, should be taken with a grain of salt – they're certainly very beneficial to competing services like Lyft.
But there doesn't seem to be a lot of grey area in these latest revelations that Uber is collecting a stack of personal data from users who have its Android app installed, including SMS data that its permissions list doesn't allow.
Security researcher GironSec decompiled the code of the Uber Android app and found it to be collecting and sending the following information back to Uber:
- Accounts log (Email)
- App Activity (Name, PackageName, Process Number of activity, Processed id)
- App Data Usage (Cache size, code size, data size, name, package name)
- App Install (installed at, name, package name, unknown sources enabled, version code, version name)
- Battery (health, level, plugged, present, scale, status, technology, temperature, voltage)
- Device Info (board, brand, build version, cell number, device, device type, display, fingerprint, ip, mac address, manufacturer, model, os platform, product, sdk code, total disk space, unknown sources enabled)
- GPS (accuracy, altitude, latitude, longitude, provider, speed)
- MMS (from number, mms at, mmss type, service number, to number)
- NetData (bytes received, bytes sent, connection type, interface type)
- PhoneCall (call duration, called at, from number, phone call type, to number)
- SMS (from number, service number, sms at, sms type, to number)
- TelephonyInfo (cell tower id, cell tower latitude, cell tower longitude, imei, iso country code, local area code, meid, mobile country code, mobile network code, network name, network type, phone type, sim serial number, sim state, subscriber id)
- WifiConnection (bssid, ip, linkspeed, macaddr, networkid, rssi, ssid)
- WifiNeighbors (bssid, capabilities, frequency, level, ssid)
- Root Check (root staus code, root status reason code, root version, sig file version)
- Malware Info (algorithm confidence, app list, found malware, malware sdk version, package list, reason code, service list, sigfile version)
It's not yet clear whether the iPhone app does the same level of reporting on its users. As for whether Google will move to pull the Uber app from the Play store, that seems unlikely given that Google's US$258 million dollar stake in Uber represents the biggest deal Google Ventures has ever done.
This is the new world we're living in, folks, and if you think Uber's the only one building fat files out of your personal information, you're mad
Source
http://www.gizmag.com/uber-app-malware-android/34962/
Comments
Post a Comment