press_release_icon

Press Release Archive

Thursday | March 9, 2017

Appthority’s Enterprise Mobile Threat Research Reveals Alarming Security Gaps in Popular Ride-Sharing App

Today, Appthority, the global leader in enterprise mobile threat protection, published research that revealed Uber’s ride-sharing app is putting sensitive personal and corporate data at risk. Uber’s updated and incomplete privacy policies, excessive location tracking and the company’s “moving experience,” make users’ smartphones susceptible to spear phishing and watering hole attacks, physical security exposures, and widespread privacy breaches.

Among the most alarming findings in Appthority’s research is the fact that Uber has increased the number of services running in the background of its Android app from none in early 2015 to 26 as of its latest release in March 2017. In addition, there are now more than 600 third-party apps and services integrating with Uber’s Application Programming Interfaces (APIs). These trends raise security and privacy concerns, as these services may be accessing data that is being collected even when the app is not in use and they may not be following Uber’s privacy policy or handling the data securely.

“Uber’s app and connected convenience apps are a direct threat to personal and corporate data,” said Dr. Su Mon Kywe, Appthority’s lead Research Scientist on this investigation. “With its latest app and privacy policy updates, Uber has been moving in the direction of asking for more user information but also is not enforcing secure connections or strong privacy policies when accessing or sharing that data. Enterprise security departments should be deeply concerned about Uber’s security practices.”

With the introduction of Uber for Business, organizations should be especially wary of the app. Uber has the ability to track the location of all riders, including C-level executives, salespeople, developers and other employees whose whereabouts could signal activities they don’t want revealed.  In addition to collecting location data, the app’s permissions may also enable access to meeting agendas, attendees, and attendees’ contact information. Appthority recommends that users turn off the app’s location services permission and manually enter their pickup location to prevent extended location tracking.

Researchers on the company’s Mobile Threat Team used the Appthority Mobile Threat Protection solution to analyze the Uber app and 633 third-party apps that are integrated with Uber for the enriched in-app experience. They assessed app behaviors and compared the risky behaviors in the 2015 and 2016 Uber app versions to observe changes over time.

Additional findings from Appthority’s Enterprise Mobile Threat Research show that:

  • As Uber expands its integration with other apps, it has access to more user information, which could be confidential or private.
  • 84% of the apps using the /estimates/time API and 61% of the apps using the /history API are using unencrypted connections with remote servers.
  • 15 integrated third-party apps are leaking their secret tokens used for communicating with Uber.
  • The newer versions of Uber apps do not enforce HTTPS connections and started sending data unencrypted.
  • Uber’s privacy policies are incomplete, and therefore mislead enterprises who rely on privacy policies to evaluate app risk.

The full enterprise mobile threat research report, entitled ‘Uber: Security Risks Come Along with Your Ride’ can be downloaded here.

About Appthority Mobile Threat Research

Appthority’s Mobile Threat Team (MTT) monitors and investigates mobile risks that pose a direct threat to mobile enterprises. Their goal is to provide research that educates and informs enterprises looking to protect their people, data, devices, apps, and networks from mobile risks. The MTT is comprised of top mobile security researchers and threat analytics managers who use their experience and expertise to develop best-in-class research insights. The team prides itself on delivering unique, accurate and practical perspectives that help our enterprise audience understand mobile risks and focus on the most impactful threats.

About Appthority

Appthority is a pioneer in enterprise mobile security and the leader in the Mobile Threat Defense category. The comprehensive Appthority Mobile Threat Protection (MTP) solution helps customers keep their data private and secure from mobile device, app and network threats. More Fortune 1000 companies trust Appthority to secure their enterprises from mobile threats because Appthority delivers best-in-class mobile threat protection and unparalleled enterprise visibility and control of mobile risks. With Appthority, security teams are informed, employees are productive and enterprise data is kept private and secure. Learn more at www.appthority.com.