Fwd: [Cryptography] Uber "Greyball"-ed city authorities w/fake screens

5 Mar 2017

      ---------- Forwarded message ----------
From: Henry Baker 
Date: Fri, Mar 3, 2017 at 6:53 PM
Subject: [Cryptography] Uber "Greyball"-ed city authorities w/fake screens
To: cryptography@metzdowd.com

FYI --

https://www.nytimes.com/2017/03/03/technology/uber-greyball-program-evade-au...

'To build a case against the company, officers ... posed as riders,
opening the Uber app'

'Uber had tagged [the officer] ... based on data collected from
[his/her] app ... The company then served up a fake version of the app
populated with ghost cars'

'When Uber moved into a new city, [an Uber employee] ... would try to
spot enforcement officers.  One technique involved drawing a digital
perimeter, or "geofence," around the government offices ... people
were frequently opening and closing the app ... near such locations as
evidence that [they] might be associated with city agencies.  Other
techniques included ... credit card information and determining
whether the card was tied directly to an institution like a police
credit union.'

http://www.cultofmac.com/304401/ubers-android-app-literally-malware/

Uber's data-sucking Android app is dangerously close to malware [updated]

By Buster Hein -- 11:22 am, November 26, 2014

Uber has been sideswiped by a ridiculous number of controversies
lately, but things are about to get even worse for the ride-sharing
service.  A security researcher just reverse-engineered the code of
Uber's Android app and made a startling discovery: It's "literally
malware."

Digging into the app's code, GironSec
(http://www.gironsec.com/blog/2014/11/what-the-hell-uber-uncool-bro/)
discovered the Uber app "calls home" and sends data back to Uber.
This isn't typical app data, though.  Uber has access to users' entire
SMSLog even though the app never requests permission.  It also
accesses call history, Wi-Fi connections used, GPS locations and every
type of device ID possible.

The app even checks your neighbor's Wi-Fi and retrieves info on the
router's capabilities, frequency and SSID.  News of the app's
vulnerability was first posted on Hacker News with the charming intro,
"TLDR: Uber's Android app is literally malware."
(https://news.ycombinator.com/item?id=8660336)  One developer
commenting on the revelation said there isn't "any reason for Google
not to immediately remove this app from the store permanently and ban
whatever developer uploaded it.  There should probably be legal
action."

Here's the full list of all the data Uber is collecting through its
Android app (we're checking to see if the iOS version works the same
way):

-- Accounts log (Email)
-- App Activity (Name, PackageName, Process Number of activity, Processed id)
-- App Data Usage (Cache size, code size, data size, name, package name)
-- App Install (installed at, name, package name, unknown sources
enabled, version code, version name)
-- Battery (health, level, plugged, present, scale, status,
technology, temperature, voltage)
-- Device Info (board, brand, build version, cell number, device,
device type, display, fingerprint, IP, MAC address, manufacturer,
model, OS platform, product, SDK code, total disk space, unknown
sources enabled)
-- GPS (accuracy, altitude, latitude, longitude, provider, speed)
-- MMS (from number, MMS at, MMS type, service number, to number)
-- NetData (bytes received, bytes sent, connection type, interface type)
-- PhoneCall (call duration, called at, from number, phone call type, to number)
-- SMS (from number, service number, SMS at, SMS type, to number)
-- TelephonyInfo (cell tower ID, cell tower latitude, cell tower
longitude, IMEI, ISO country code, local area code, MEID, mobile
country code, mobile network code, network name, network type, phone
type, SIM serial number, SIM state, subscriber ID)
-- WifiConnection (BSSID, IP, linkspeed, MAC addr, network ID, RSSI, SSID)
-- WifiNeighbors (BSSID, capabilities, frequency, level, SSID)
-- Root Check (root status code, root status reason code, root
version, sig file version)
-- Malware Info (algorithm confidence, app list, found malware,
malware SDK version, package list, reason code, service list, sigfile
version)

Uber might have a legitimate reason to use most of this info in the
app, perhaps for fraud detection or an intelligence-gathering tool.
The problem is that the information is being sent and collected by
Uber's servers without users' knowledge or permission.

Sen. Al Franken sent a letter to Uber CEO Travis Kalanick last week
demanding the company account to the public for its data gathering.
The letter came as a response to a recent controversy where an Uber
executive threatened to spy on and blackmail journalists who wrote
unfavorable articles about the company.  Uber's "God View" tool, which
gives company insiders unlimited access to riders' data, has also been
a cause of concern in recent weeks.

Cult of Mac asked Uber for comment on the collection and transmission
of the data its Android and iOS apps are performing, but haven't
received a response.

Update: Uber has provided some clarification to the company's data
gathering, noting that the blanket access is actually a requirement
from Google, which forces Android developers to ask for privacy
permissions up front.

Uber spokeswoman Lara Sasken released the following statement to Cult of Mac:

"Access to permissions including Wifi networks and camera are included
so that users can experience full functionality of the Uber app.  This
is not unique to Uber, and downloading the Uber app is of course
optional."

Recode notes that Uber-competitor Lyft requests access to the same
data on Android.  Unlike iOS and Windows, Android developers are
encouraged to request access to more user data than their apps
actually need.  The Uber app on Android exposes some the mobile
operating system's weakness in privacy compared to iOS and Windows,
both of which allow users to refuse access to data on an case-by-case
basis.

Additional information on Android permissions can be found on Uber's
site here (https://m.uber.com/android-permissions), but not every
feature is explained.
-----

This article about the Ubar app as malware is several years old, but
today's NYTimes article "How Uber Used Secret Greyball Tool to Deceive
Authorities Worldwide" explains for the first time one of the real
reasons for Uber's prurient interest in its users' data.

Now that we know these reasons for Uber's spying, it becomes clear
what information collected by Uber's app could be used to track
authorities who are trying to catch Uber drivers in illegal
activities.  Uber's bloated app size (215MBytes on iOS -- probably
required for all the fake screens, ghost cars, etc.) can be seen as an
all-out assault on every one of its user's privacy.

This NYTimes article also explains why Uber wants so desperately to
spy on its users *all* the time
(http://www.theverge.com/2016/11/30/13763714/uber-location-data-tracking-app-...
-- "Uber wants to track your location even when you're not using the
app") -- not just when these users are utilizing Uber cars!

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography

grarpamp

tags

participants (1)