On March 9, 2017, Appthority published a Mobile Threat Report entitled “Uber: Security Risks Come Along with Your Ride”. This report enumerated a set of mobile risks Appthority researchers identified related to the Uber app and the apps it shares data with via its APIs. Via the media, Uber has denied the presence of these risks, and we wanted to take the opportunity to provide some additional information that may clarify our stance and perspectives on risks to the enterprise. We welcome this dialog in order to deepen our common understanding of mobile app trends and enterprise risks.
Uber says these findings should have been reported through their bug bounty program. Did Appthority do so?
Appthority researchers found risks at different levels related to Uber. Among our findings was a security vulnerability, which we reported to Uber through their bug bounty program. We did not include it in the report, to avoid revealing an active vulnerability that could be exploited while it remains unfixed.
We reported the issue on January 12, 2017 but have had no word on whether or when Uber will address the vulnerability we pointed out. We have notified Uber of our intent to report on the vulnerability within 90 days and publish our findings.
What we chose to write up in our Mobile Threat Report were issues that pose a risk to enterprises and their mobile users and related to poor practices around data sharing and privacy policies. Much of what was reported in the Mobile Threat Report can already be discovered by Appthority customers through routine use of our Mobile Threat Protection solution and we wanted to make it available to a wider audience.
We shared an early version of the report with Uber via their support email address but they have not responded to us directly, only through the media.
Uber claims the Uber apps and connected apps are not doing anything malicious. Are they?
Our definition of risk is not confined to malicious software, nor do we consider that the only risks are malicious. We also do not consider risk abated if users provide ‘explicit permissions’, because users don’t always understand the implications of such permissions, and at any rate often grant those permissions without knowing or considering the impact to enterprise security. We agree that Uber is not doing anything malicious and have never stated otherwise in our report or blogs.
But is location tracking and the use of APIs actually risky?
It is Appthority’s view that information about users that is sent anywhere constitutes a non-zero risk, usually, but not always, minor. The risk level increases based on destination reputation and whether end-to-end encryption was appropriately enabled. And we know that location tracking is becoming more and more invasive; we therefore think it’s important to provide insights on apps that are providing location tracking. It was Uber’s expanded use of location tracking that piqued our interest in researching the Uber app.
Uber denies that code in a previous version of its app was used to track the location of users outside of China. Is that true?
Uber added Baidu code to its Android app in May 2015. The identified code includes the Baidu SDKs for location services and push notifications, as well as Baidu payment-related code. The Baidu location service and push notification SDKs were removed in the version released in September 2016.
Appthority did not find any evidence that the code was used to track users outside of China – which we were clear about with the media – only evidence that the Baidu SDK was present in the Uber app opening up the possibility of obtaining user data. However, because the code is not active in the current version of Uber’s app, it was not referenced in the final Mobile Threat Report. But we did discuss those findings in media briefings, and they were reported, which is why we’re clarifying here.
Why is the inclusion of the Baidu SDK a concern?
A top concern of our enterprise customers is understanding where their data goes, and two destinations we consistently hear as concerns are China and Russia. We flag any activity suggesting the possibility of data leakage to China, Russia, or any other country our customers deem suspicious for any reason (including European customers concerned about data sent to the US). The Baidu push notification SDK has been known to communicate with servers from China even from the devices of U.S. users, which is why we wanted to study this further.
It’s worth pointing out that many users in enterprise environments do not routinely update their apps, so risks in prior versions of apps are likely to remain in enterprise environments for quite some time, possibly years. Therefore, our research typically covers current and prior versions, and we expect risks from prior versions to persist in enterprises for the indefinite future. The fact that the Baidu location and push notification SDKs were removed in the September 2016 version of the app does not mean the location tracking and data leakage threats described above are no longer an enterprise threat.
Uber says it requires partners to use encryption. Do they?
Uber has turned its app into a platform, where the Uber app is at the center of a broad ecosystem. Because this is a novel approach, we wanted to understand it better.
Our research showed that apps using the Uber API were using unencrypted connections with remote servers. We called this out as a security risk because data sent to Uber’s partners who do not fully employ encryption (even if their Uber API calls are encrypted) is, by our definition, at risk. But even if all connections are encrypted, data at rest might be vulnerable. It’s unfortunate that while half the web is encrypted, mobile encryption levels, especially on iOS, remain shockingly low, and are likely to remain low for some time. And as we’ve pointed out elsewhere, there are two types of organizations: those who have been hacked, and those that don’t know they’ve been hacked. Or put another way: if the CIA can get hacked, Uber or its partners can get hacked. Therefore, the act of sending any data from an app can add to enterprise risk.
For data that leaves the enterprise, some level of risk is reasonably assumed by our customers. The degree of risk depends upon how sensitive the data is, the level of encryption applied, secure coding practices, and the entities with which the data is shared. We can understand why Uber says the data is encrypted and therefore not risky, but any data sent from the device and shared with partners is at more risk than data not sent. For example, we also found examples of apps that hard-code their server tokens, which could be used by an attacker to request access to the Uber API pretending to be another app approved by Uber.
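As an added illustration (not code from Appthority’s report or from any Uber partner app), the following Python script sketches the kind of static check an enterprise app-vetting pipeline could run over the strings of a submitted build to surface the two findings above: cleartext http:// endpoints and hard-coded server tokens. The key names, hosts and token value are constructed for the example; the entropy threshold is an assumed heuristic for telling a real credential from template filler.

```python
import math
import re

# XML namespace hosts that appear as http:// URIs in every Android build; they are
# not network endpoints, so skip them to avoid noise.
NAMESPACE_HOSTS = {"schemas.android.com", "www.w3.org", "xmlpull.org"}
CLEARTEXT_RE = re.compile(r"http://([A-Za-z0-9.\-]+)")
# Hypothetical key names a partner app might use for a long-lived server credential.
SECRET_RE = re.compile(
    r"(server_token|client_secret|api_key)\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{20,})", re.I
)
ENTROPY_MIN_BITS = 3.5  # per-character Shannon entropy; template filler scores far lower


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random tokens score high, filler strings low."""
    counts = [s.count(c) for c in set(s)]
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts)


def scan_strings(strings):
    """Return (kind, evidence) findings for strings extracted from an app build."""
    findings = []
    for s in strings:
        m = CLEARTEXT_RE.search(s)
        if m and m.group(1) not in NAMESPACE_HOSTS:
            findings.append(("cleartext_endpoint", s))
        m = SECRET_RE.search(s)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_MIN_BITS:
            # Mask the value so the report itself does not leak the secret.
            findings.append(("hardcoded_secret", s.replace(m.group(2), m.group(2)[:4] + "...")))
    return findings


# Constructed sample (not from any real app), as `strings` or apktool would list them.
SAMPLE_STRINGS = [
    "https://api.partner.example/rides",           # TLS: fine
    "http://partner.example.com/ride-status",      # cleartext endpoint
    "http://schemas.android.com/apk/res/android",  # XML namespace, ignored
    "server_token=a8F3kL9qZ2xV7bN4mP0cR6tW",       # fake value, constructed for this example
    "server_token=xxxxxxxxxxxxxxxxxxxxxxxx",       # placeholder, low entropy, ignored
]

if __name__ == "__main__":
    for kind, evidence in scan_strings(SAMPLE_STRINGS):
        print(kind, evidence)
```

Run against the real output of `strings` on a decompiled build, the same two checks flag partner endpoints that bypass TLS and credentials that ship inside the app package.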
Do Uber connected apps share data too?
Uber’s ecosystem approach appears to us to be forward-thinking, and possibly a harbinger of things to come from other apps. Many apps that share data do so on-device, with clear permissions being granted that can easily be viewed and modified once granted. In Uber’s case, their data sharing is done on the back end rather than on the device, which makes it different from what users might be used to, and it therefore merits explanation of the subtle risk involved.
Aren’t there other apps that are risky but not malicious?
As far as app risk goes, it’s worthwhile to point out that one of the top 2 or 3 apps blacklisted by enterprises worldwide is Facebook. No one has accused Facebook of distributing malicious code. But the sum of the minor risks to privacy and data leakage add up to security concerns in enterprises.
What can we expect from other apps in this regard?
Appthority does mobile threat research such as this on behalf of enterprises, who in many cases have no means to ascertain the risk resulting from mobile apps in their environment. Therefore, it is important that we point out not just malicious threats, but also cumulative and easily corrected sources of data and privacy risk.
If Uber’s ecosystem approach does in fact represent the wave of the future, enterprises will want to understand how it works, what the risks might be, and how to mitigate them. Our report provides recommendations to respond to these risks.
image credit: Uber Press Kit