Uber has announced that it will remove code from its iPhone app that would let the ride-hailing service record screen activity even when the app was closed. The code was discovered by security researcher Will Strafach, who found that Uber had been granted an undocumented private app permission allowing it access to screen-recording.
The screen-recording feature is built into iOS devices but is normally off limits to app developers unless they have been granted special permission by Apple. According to Strafach, who has indexed thousands of apps, Uber is the only third-party app that has been given this permission by Apple.
Third-party screen-recording apps that use this entitlement without permission do exist, but they can only run on 'jailbroken' devices where Apple's normal limits have been removed already.
Speaking to ZDNet, Apple expert and jailbreak author Luca Todesco said that Uber's access to screen-recording was an "extremely dangerous use case" that adds a "significant weakness" to security for iOS Uber users.
"It's the equivalent of giving keylogging ability to apps," said Todesco. "It paints a pretty big target on top of the app. I find this very frightening and dangerous."
An Uber spokesperson said that the code in question was used to improve the app's rendering on the Apple Watch, and that subsequent updates to both Uber's app and the Apple Watch's capabilities meant it was no longer necessary, and so would be removed in an update that was already being pushed into production.
This is not the first time Uber has come under fire for privacy violations related to its app. Earlier this year, The New York Times reported that Tim Cook had threatened to kick Uber off the App Store after it was revealed the company was tracking iPhones even after its app had been deleted from them.
However, this particular breach is unique in that it would have required Apple's permission to access this privileged level of functionality on iOS devices. Apple has so far not commented on the story.