2017 hasn’t been kind to Uber. Up to 200,000 users reportedly quit the ride service recently in the #deleteuber campaign in response to Uber’s CEO Travis Kalanick becoming a Trump advisor. Sexual harassment accusations from a former employee went viral. Questions about how forthcoming the company was in multiple San Francisco red-light running incidents with its self-driving car have emerged. Google filed a major theft of trade secret lawsuit against Uber. A video showing Kalanick berating one of his drivers went viral.
An open letter from investors lamenting toxic patterns in the company was widely reported. Two Uber executives recently resigned, or were forced out. And most recently, reports have emerged that Uber used a program called Greyball to evade authorities in multiple locales. This brutal series of mishaps and disclosures makes Uber seem less like a transportation startup and more like dead unicorn walking.
While rich in schadenfreude, none of these issues is what has Appthority interested in Uber. Since our business is mobile security for the enterprise, we’re focused on what Uber is doing with its apps that might impact enterprises and their employees. Specifically, Appthority’s Mobile Threat Team (MTT) decided to research changes in the Uber iOS and Android apps between 2015 and 2016, as well as two new app capabilities. First, Uber says it will now track location for 5 minutes before and 5 minutes after a ride. Second, Uber’s “moving experiences” involves leveraging an ecosystem of partners to provide enhanced capabilities, with Uber data being shared across new APIs. While these new capabilities enhance convenience, have they reduced security for enterprises?
We think you’ll find the results of our research very interesting: We found that Uber’s ride-sharing app is potentially putting sensitive personal and corporate data at risk. Uber’s updated and incomplete privacy policies, excessive location tracking and the company’s “moving experience,” make users’ smartphones susceptible to spear phishing and watering hole attacks, physical security exposures, and widespread privacy breaches.
You can download the report titled “Uber: Security Risks Come Along with Your Ride,” here.
At the end of our report, we provide recommendations to enterprises in general and to our customers on how they can further protect themselves in light of our findings. As a sneak preview, we’ve shared the recommendations below.
Recommendations for Enterprises
Based on the findings in our Uber Mobile Threat Report, we recommend enterprises take the following actions to address the potential security risks associated with Uber:
- For enterprises that deem the risks described in the report unacceptable, the Uber app can be blacklisted for all users, or only for privileged users or another select group that may be higher-risk targets. In this case we would recommend using a different ride-sharing app.
- If the enterprise security team chooses not to blacklist the Uber app, it can educate employees to turn off location services for the app. Uber will still function; the user just has to type in the pickup address. Users may choose to do that anyway to avoid the post-ride location tracking.
- As a general best practice, enterprises should educate their employees not to grant an app access to another app unless it is necessary. If access has already been given, the user can revoke it from the settings page on the Uber website, as follows:
Go to “https://login.uber.com/login”. Under Profile → Connected Accounts, a list of apps connected to their Uber account is shown. Users can simply disconnect them by clicking “Disconnect”.
How Appthority Customers and Their Employees Are Protected
Appthority customers are protected from the risks uncovered in the Uber app and its connected apps. Appthority’s dynamic app analysis and continuous threat monitoring also ensure enterprise customers remain protected even if future versions of the app add risky behaviors that aren’t in the current version.
To easily manage their risk from Uber apps in their environment, Appthority users can use the Appthority admin console as follows:
- Create an Appthority App Policy that includes the “Access Uber API” behavior for the apps which access Uber APIs. This new “Access Uber API” behavior can be used in conjunction with other Appthority data leakage behaviors (e.g. Sends Address Book, Sends Calendar, Sends Credentials Unencrypted) to identify apps that could be exposing sensitive data via the Uber API.
- App versions that violate the above Appthority App Policy can be remediated through your automated Appthority-EMM compliance workflow. Appthority’s market-leading EMM compliance workflow lets enterprises take granular, version-level app compliance actions across the entire user base, or targeted action on certain users or groups (e.g. high-profile users).
Know your risks. Download your free copy of Uber: Security Risks Come Along with Your Ride today.
Image credit: Uber blog: https://newsroom.uber.com/driverapp/