Appthority’s Enterprise Mobile Threat Research Reveals Alarming Security Gaps in Popular Ride-Sharing App
Today, Appthority, the global leader in enterprise mobile threat protection, published research that revealed Uber’s ride-sharing app is putting sensitive personal and corporate data at risk. Uber’s updated and incomplete privacy policies, excessive location tracking and the company’s “moving experience” make users’ smartphones susceptible to spear phishing and watering hole attacks, physical security exposures, and widespread privacy breaches.
With the introduction of Uber for Business, organizations should be especially wary of the app. Uber has the ability to track the location of all riders, including C-level executives, salespeople, developers and other employees whose whereabouts could signal activities they don’t want revealed. In addition to collecting location data, the app’s permissions may also enable access to meeting agendas, attendees, and attendees’ contact information. Appthority recommends that users turn off the app’s location services permission and manually enter their pickup location to prevent extended location tracking.
Researchers on the company’s Mobile Threat Team used the Appthority Mobile Threat Protection solution to analyze the Uber app and 633 third-party apps that are integrated with Uber for the enriched in-app experience. They assessed app behaviors and compared the risky behaviors in the 2015 and 2016 Uber app versions to observe changes over time.
Additional findings from Appthority’s Enterprise Mobile Threat Research show that:
- As Uber expands its integration with other apps, it has access to more user information, which could be confidential or private.
- 84% of the apps using the /estimates/time API and 61% of the apps using the /history API are using unencrypted connections with remote servers.
- 15 integrated third-party apps are leaking their secret tokens used for communicating with Uber.
- The newer versions of Uber apps do not enforce HTTPS connections and have started sending data unencrypted.
- Uber’s privacy policies are incomplete, and therefore mislead enterprises that rely on privacy policies to evaluate app risk.
The full enterprise mobile threat research report, entitled ‘Uber: Security Risks Come Along with Your Ride’, can be downloaded here.
About Appthority Mobile Threat Research
Appthority’s Mobile Threat Team (MTT) monitors and investigates mobile risks that pose a direct threat to mobile enterprises. Their goal is to provide research that educates and informs enterprises looking to protect their people, data, devices, apps, and networks from mobile risks. The MTT is comprised of top mobile security researchers and threat analytics managers who use their experience and expertise to develop best-in-class research insights. The team prides itself on delivering unique, accurate and practical perspectives that help our enterprise audience understand mobile risks and focus on the most impactful threats.
Appthority is a pioneer in enterprise mobile security and the leader in the Mobile Threat Defense category. The comprehensive Appthority Mobile Threat Protection (MTP) solution helps customers keep their data private and secure from mobile device, app and network threats. More Fortune 1000 companies trust Appthority to secure their enterprises from mobile threats because Appthority delivers best-in-class mobile threat protection and unparalleled enterprise visibility and control of mobile risks. With Appthority, security teams are informed, employees are productive and enterprise data is kept private and secure. Learn more at www.appthority.com.