Uber’s data-sucking Android app is dangerously close to malware [updated]


You might want to think twice before giving Uber your data. Photo: Uber

Uber has been sideswiped by a ridiculous number of controversies lately, but things are about to get even worse for the ride-sharing service. A security researcher just reverse-engineered the code of Uber’s Android app and made a startling discovery: It’s “literally malware.”

Digging into the app’s code, GironSec discovered the Uber app “calls home” and sends data back to Uber. This isn’t typical app data, though. Uber has access to users’ entire SMSLog even though the app never requests permission. It also accesses call history, Wi-Fi connections used, GPS locations and every type of device ID possible.

The app even checks your neighbor’s Wi-Fi and retrieves info on the router’s capabilities, frequency and SSID. News of the app’s vulnerability was first posted on Hacker News with the charming intro, “TLDR: Uber’s Android app is literally malware.” One developer commenting on the revelation said there isn’t “any reason for Google not to immediately remove this app from the store permanently and ban whatever developer uploaded it. There should probably be legal action.”

Here’s the full list of all the data Uber is collecting through its Android app (we’re checking to see if the iOS version works the same way):

Accounts log (Email)
App Activity (Name, PackageName, Process Number of activity, Processed id)
App Data Usage (Cache size, code size, data size, name, package name)
App Install (installed at, name, package name, unknown sources enabled, version code, version name)
Battery (health, level, plugged, present, scale, status, technology, temperature, voltage)
Device Info (board, brand, build version, cell number, device, device type, display, fingerprint, IP, MAC address, manufacturer, model, OS platform, product, SDK code, total disk space, unknown sources enabled)
GPS (accuracy, altitude, latitude, longitude, provider, speed)
MMS (from number, MMS at, MMS type, service number, to number)
NetData (bytes received, bytes sent, connection type, interface type)
PhoneCall (call duration, called at, from number, phone call type, to number)
SMS (from number, service number, SMS at, SMS type, to number)
TelephonyInfo (cell tower ID, cell tower latitude, cell tower longitude, IMEI, ISO country code, local area code, MEID, mobile country code, mobile network code, network name, network type, phone type, SIM serial number, SIM state, subscriber ID)
WifiConnection (BSSID, IP, linkspeed, MAC addr, network ID, RSSI, SSID)
WifiNeighbors (BSSID, capabilities, frequency, level, SSID)
Root Check (root status code, root status reason code, root version, sig file version)
Malware Info (algorithm confidence, app list, found malware, malware SDK version, package list, reason code, service list, sigfile version)

Uber might have a legitimate reason to use most of this info in the app, perhaps for fraud detection or an intelligence-gathering tool. The problem is that the information is being sent and collected by Uber’s servers without users’ knowledge or permission.

Sen. Al Franken sent a letter to Uber CEO Travis Kalanick last week demanding the company account to the public for its data gathering. The letter came as a response to a recent controversy where an Uber executive threatened to spy on and blackmail journalists who wrote unfavorable articles about the company. Uber’s “God View” tool, which gives company insiders unlimited access to riders’ data, has also been a cause of concern in recent weeks.

Cult of Mac asked Uber for comment on the collection and transmission of data by its Android and iOS apps, but has not received a response.

Update: Uber has provided some clarification of the company’s data gathering, noting that the blanket access is actually a requirement from Google, which forces Android developers to ask for privacy permissions up front.

Uber spokeswoman Lara Sasken released the following statement to Cult of Mac:

“Access to permissions including Wifi networks and camera are included so that users can experience full functionality of the Uber app. This is not unique to Uber, and downloading the Uber app is of course optional.”

Recode notes that Uber competitor Lyft requests access to the same data on Android. Unlike their iOS and Windows counterparts, Android developers are encouraged to request access to more user data than their apps actually need. The Uber app on Android exposes some of the mobile operating system’s weaknesses in privacy compared to iOS and Windows, both of which allow users to refuse access to data on a case-by-case basis.

Additional information on Android permissions can be found on Uber’s site here, but not every feature is explained.
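The dispute in this story turns on the difference between what an Android app is allowed to read (its install-time permissions) and what it actually transmits. The script below is an added example, not code from the article or from GironSec’s analysis: it parses a decoded AndroidManifest.xml and classifies each data category from the list above by whether the manifest declares the permission that gates it. The manifest is a constructed sample, not Uber’s, and the category-to-permission mapping is my own reading of the Android 4.x (pre-runtime-permission) rules.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Data categories from the article mapped to the install-time permission that
# gated each one on Android 4.x (assumption: pre-Marshmallow rules).  An empty
# set means any app could read the category without declaring anything.
CATEGORY_PERMISSIONS = {
    "Accounts log": {"android.permission.GET_ACCOUNTS"},
    "App Install": set(),
    "Battery": set(),
    "NetData": set(),
    "GPS": {"android.permission.ACCESS_FINE_LOCATION"},
    "SMS": {"android.permission.READ_SMS"},
    "MMS": {"android.permission.READ_SMS"},
    "PhoneCall": {"android.permission.READ_CALL_LOG"},
    "TelephonyInfo": {"android.permission.READ_PHONE_STATE"},
    "WifiConnection": {"android.permission.ACCESS_WIFI_STATE"},
    "WifiNeighbors": {"android.permission.ACCESS_WIFI_STATE"},
}

# Constructed sample manifest (hypothetical app, not Uber's).  It declares
# location, Wi-Fi, telephony, account and call-log access but NOT READ_SMS.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rideapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <application android:label="RideApp"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the android:name of every <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = (elem.get(ANDROID_NS + "name") for elem in root.iter("uses-permission"))
    return {name for name in names if name}


def audit(manifest_xml: str) -> dict:
    """Classify each article category by whether the manifest lets the app reach it.
    'declared' : every gating permission is requested, so the data is readable
    'missing'  : a gating permission is absent, so the platform API will refuse
    'ungated'  : no permission needed; the manifest says nothing either way
    Reachability is not evidence that the data is sent anywhere: that needs
    traffic capture or a trace of the code paths that actually transmit."""
    declared = declared_permissions(manifest_xml)
    result = {}
    for category, needed in CATEGORY_PERMISSIONS.items():
        if not needed:
            result[category] = "ungated"
        elif needed <= declared:
            result[category] = "declared"
        else:
            result[category] = "missing"
    return result


if __name__ == "__main__":
    for category, status in sorted(audit(SAMPLE_MANIFEST).items()):
        print(f"{category:15} {status}")
```

On a real APK, run the script on the manifest produced by `apktool d` or `aapt dump xmltree`; a `declared` result only shows capability, which is exactly the gap several commenters below point out.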

Source: GironSec

  • Joe M

    Does this only affect the Android app, or the iOS version also?

• We are checking into this, Joe, and will update the post when we know.

      • Hi Guys! Please follow me @chi1cabby on Twitter, or at http://www.UberPeople.net if you want to put the UberPhone or the downloadable Android or IOS Driver Apps. Thanx!

    • CoyoteDen

Android apps are granted the permissions they want if/when you install them. Under iOS you are prompted to allow an app access to the camera, SMS, etc. the first time the app tries to access it. So if the iOS Uber app hasn’t asked for something, it doesn’t have access to it. You can double check in privacy settings.

      • Windlasher

        So this walled garden people complain about is actually a good thing.

      • DarthDisney

As computers have more abilities, it really is… so long as we have ultimate control. I think iOS should at the very least allow side loading of apps Apple refuses to allow.

      • Windlasher

        I agree, kinda sorta…. I think that Apple thinks (and I agree with what I think they think) is that when people can side load any app they want to their iPhone and all hell breaks loose, who is going to get the blame? Apple will. There will be class action suits from idiots who loaded some app from somewhere who gets their identity stolen and will blame Apple for not protecting them enough just like the idiot who sued them for hearing loss when they were the ones who shoved earbuds in their ears and cranked up the volume.

I have owned almost every iPhone except the 5s and to be honest, I have never not found an app that didn’t suit my needs. Android allows you to load whatever you want without any oversight and this UBER crap shows why it’s not a good idea. People are their own worst enemy, ya know.

        So YES, Apple should let people who want to jailbreak their phones jailbreak them and install whatever they want to install as long as Apple gets to say, you bought an app from an untrusted source so don’t blame us for your issues because of it.

      • Jhabril_Harris

        Or the simple fact that you could pirate apps easily without the need to jailbreak.

      • Windlasher

        yes – that too.

      • art hackett

        Why would devs write apps if they’re going to be stolen? Do you work for nothing, or just steal? How are you supposed to make a living without an income (for your work)?

      • Jhabril_Harris

        That’s exactly my point. Being an app developer, I understand this.

      • Chris BSomething

        Windlasher: but in this case, there’s an iOS uber app too, so the walled garden doesn’t do anything. The better iOS security model does however help.

      • xared

        And allow foolish people to unknowingly install malware and crap? No way, the same people then blame the company for their stupidity. Apple does better.

      • xared

And there’s this thing called jailbreaking. And while it voids your warranty, coz you can pretty much do whatever crap you want after that, it is what anyone uses to load any kind of apps or tweaks on an iPhone. Try it.

      • J!

        Oddly enough, one would assume that letting the user accept and deny permissions on a one-by-one basis would be far more “open” for a user to begin with

      • Richard Liu

        It has nothing to do with openness. How odd to link these two irrelevant things together. Confirming on a one-by-one basis is annoying for users, but much more effective than approve-them-all scheme, when we’re talking about preventing privacy abuse. People tend to ignore a leaf hidden in the woods, but they will be alerted if they’re asked to approve a series of requests in short time.

      • Henry Collins

        I agree. What a strange comparison.

      • JiGGLeBiLLy

        Depends on the user and their needs, and what they want to achieve.

      • Chris BSomething

        This is not a walled garden issue, this is an issue that IOS is better designed.

    • Kr00

iOS sandboxes third-party apps from the system and wouldn’t let them access your messages, at all. People who bitch about Apple’s walled garden don’t understand the reasons why it’s walled. Hope all you fandroids enjoy your malware.

      • George Mortimer

        Fandroids, lol. You are so clever. Can I be your friendoid?

      • Chris BSomething

Android is sandboxed too. And whether it is or isn’t sandboxed has nothing whatsoever to do with the walled garden. My Mac is heavily sandboxed these days with recent Mac OS X, but no walled garden.

  • Frédéric Briand

    Yeah, ok… that’s enough for me, done with Uber.

    • art hackett

      Yeah, seems weird that they make a great new service, but it turns out that management are a bunch of psychotic douches. The service seems like a cover for illegal activities. WTF?

  • Windlasher

    That is AMAZING – I don’t use Uber so I don’t really care but still. WOW! And people complain about the NSA collecting data.

    • Richard Liu

      People always complain about infringing on privacy, while they keep uploading their whole life onto Facebook.

      • Chris BSomething

        Those are probably not the same people.

• It turns out that the same group who keeps on complaining is pretty happy to share their whole life, including their home address and income, on social media. Most even “check in” and report to the world that they are not home. Banks are also evil; they track where you use your credit card, when and what you bought, and what ATM machine you use the card at, and they are sending/collecting this without your knowledge. Oh, malls also collect your data when you log in using their WIFI devices, swipe your card, or use your loyalty cards… the list can go on.

      • Henry

        Woah. Holy shit man. Banks can track where you used the card THEY GAVE YOU!? Fucking great revelation dude. *end sarcasm*

      • Great display of iDiot views.

    • art hackett

      They probably contract out to google. Saves a lot of oversight questions and resources if Google and Co. do it for you. Imagine how much location data, for example, they have on you when you’re connected without your knowledge.

  • chapps

    Apple and Google should pull this app from their respective stores immediately. Most of this data should not be collected, and certainly not without the users’ knowledge. Uber has a history of completely unethical behavior – so they deserve no trust.

    • JiGGLeBiLLy

Welcome to the scarily unethical world of online, preemptive marketing (used to be called “data mining”)

  • disqus_pEGNkjttBL

    Let me guess how many other apps do EXACTLY the same thing…

    • Chris BSomething

      Probably not many

  • aardman

    Uber seems to be run by extremely dumb bright people. Surprising how that sentence makes perfect sense.

    • ACMEsalesrep

      They’re called “sociopaths”.

  • William Donelson

    When I try to put this URL into Facebook, it says “Cult of Mac Page not Found”

    • User

      Uber is blocking it!! Haha

  • Techsticles

    This is pretty bad but I don’t use Uber because of their Surge pricing structure.

    Why is the customer paying extra all the time because they don’t have enough cars? I can kind of understand holidays but they have surge pricing quite often.

    • aardman

      “Surge pricing” is the kinder, gentler term that Uber’s dear leaders have chosen to describe pricing behavior that is no different from a hardware store owner doubling the price of plywood when a super hurricane is approaching.

      • Techsticles

        The non kind, non gentle term is price gouging.

        Hey, if the market will pay, I guess why not but I think we all know several Uberites whose multiplication was a bit off one night that have been charged $40 for what is usually a $10 to $15 ride.

        How long can this business model work?

      • Chris BSomething

        It’s not gouging, it’s demand and supply.

      • Techsticles

        That’s the thing. It’s the artificial supply and demand of Uber’s own cars.

        I’m surprised it’s working in New York City where there is a cab on every corner.

        So the question is, how many times will someone come back to Uber after being charged $40 for a $15 ride?

  • DarthDisney

    Uber is going to kill the entire ride sharing industry because of its shitty behavior.

    • Bart Fargo

      Perhaps then people will realize that it isn’t ride “sharing”, rather ride “renting”.

  • “…even though the app never requests permission…” speaks volumes.

  • Michael Cohn

    The laundry list of things that the app pulls sounds like dishonorable fearmongering to me. Cell tower and wifi information are standard for location-aware apps. The app’s data usage and install info are absurdly unobjectionable.

    But if it’s actually able to pull a log of all your SMS text, that’s a tremendous issue.

  • sanfordandsons

To be honest, I never heard of Uber until the other day when I was in Atlanta. I heard on a webcast I was listening to about the legal issues that Uber has with personal data. Why would anyone use Uber? I mean, Google is bad enough with Facebook a close second; security should be on everyone’s agenda.

  • Eric Arrr

    You guys will believe anything, won’t you?

    These suspicious looking calls named “sendSMSLog” and “sendGPSLog” that got the blogger’s blood rushing are in code in a 3rd-party library that the Uber app never even calls.

    Way to be gullible, tech journos!

    • Nick_Germ

      Where did you see that? Is all of the code posted somewhere?

      • kettblack

        Yeah it is. The original blog post is linked in the article and you can read the code there.

        Even ignoring the fact the functions don’t actually make the calls. Eventual construction of SMSLog etc. aren’t core classes. Maybe Uber is evil. But you can’t tell anything definite from that bit of code.

        Read the comments :) It is amusing to see the posts by the panting journos.

        Edit: http://www.gironsec.com/blog/2014/11/what-the-hell-uber-uncool-bro/
        Sorry, the post was on another article

      • Nick_Germ

Christi and Eric, that is not the full code. I looked at that before my original comment. As kettblack stated, we have no idea what Uber is or isn’t sending from that snippet.
        I did find it weird that in their “permissions explained” blog there is no mention of the SMS. They explain why it accesses your phone GPS and wifi, but never the messaging.
        Holy data mining, Batman.
        Go check out inAuth’s website (http://www.inauth.com). I just did. After reading their marketing material, I can almost guarantee they are sending your data back home.
        inAuth is a library to check your identity. From their website:

        “The InAuth Risk Engine calculates the probability of risk/identity match, as well as scoring for risk and fraud. The Engine uses InAuth MME data, customer data and is open for 3rd party data feeds. The InAuth Risk Engine can score your transaction/identity from a hosted SaaS instance or from behind your firewall. The risk engine provides all the capability you need to automate and streamline fraud management operations.”

This tells you exactly what the library is used for and how it is used, so yes, they are sending your data back to their servers. Also, they send your fingerprint data back, but don’t take my word for it; go read inAuth’s sales pitch.

• This website, which instantly believes a random guy claiming he is a security expert, shows that this site accepts all rubbish vs. Android just to make Apple appear “Robust”. One thing: Android is a *Nix software base. Dynamic permission granting is not part of Android. If the program never requested access to get a full backup of your SMS, the ability to READ SMS or send SMS, the program can’t simply do it on its own.

    • SeanSu

This is Cult of Mac and showed up on my feed again for some reason even though I unsubbed. They write articles like this all the time. Remember the time they said that Apple uses less RAM in their devices to save power (even though it’s the same number of memory modules, so they’re looking at maybe 5 minutes more battery life out of 10 hours)? Or that faster processors are better than multiple cores by simple addition of Hz? These guys are technology naive and outright write wrong information.

  • 4thbranch

    #1 Lesson: Never attack the media.

  • ChrisChristoff

To be fair, a lot of what’s listed is perfectly valid.

    GPS? Needed to show where you are on the map.
    WIFI information? WIFI GPS location is superior to cell phone location on Android. This is the reason you get prompted to turn on WIFI if you have it off and try to use Google Maps.
A lot of these permissions are explained: https://m.uber.com/android-permissions

    A good portion of the remainder come from the code Uber bundled into their app from their security vendor.

Lyft, by the way, asks for pretty much the same permissions. It’s not just Uber.

  • Ryix I

Soo… after the update, the whole article is bs? Apparently all Android apps are encouraged to access this data and the app doesn’t report all this info home?

    Sounds like a paid for article to bad mouth Uber because the taxi companies are finding it harder and harder to rip people off.

    • Windlasher

It’s still BS. Why do they need to know who I called, their number and how long I talked? All the Snowden fans got all up in arms about privacy but THIS is ok. NOT. Sounds like your comment is a paid comment to defend UBERcrap.

  • sketharaman

    UBER’s valuation should double very soon…

  • jkane001

    As an Android developer, I’ve never felt “incentivized” to ask for more access permission than my app needs. One person saying that’s so does not make it so.

Beyond that, asking for access to features of the device is one thing, especially if your app needs it… Sending private data back to your server is a whole other thing, and that should absolutely be stopped, if it’s happening.

I’d be in favor of a better permissions model in Android, but until that happens, I’m glad there are developers out there that can police the other apps and keep them honest!

  • Kheng Hui Yeo

    Being required to request more access or less granular permissions in no way justifies actually taking that data.. not sure what Uber is on about here.

  • creeper

I got an Android tablet for Christmas last year and have been shocked at how much data on it is shared. Thanks for confirming my impressions.

• Based on studies, people who are paranoid about privacy keep on updating their whole life to social media.

  • Robin

Inaccurate analysis. Check this link at The Next Web: http://thenextweb.com/apps/2014/11/27/ubers-app-malware-despite-may-read/

  • les_madras

    The android security model violates user privacy all the way. If you care, go with an iOS device.

  • azeigler

This is what happens when you rely on a single source. If you read the source, it’s clear that there is no evidence that Uber phones any of this data home. The source was lazy and didn’t even bother looking at what data was actually sent over the wire — they just looked at the app’s ‘manifest’ and made some bad assumptions about what the app does. Nothing to see here…

  • haemaker

Downloading the app is optional? Unless you have AT&T, their last update force installed it, and it can’t be removed (it can be disabled however).

  • Chris BSomething

That Uber has these permissions MIGHT not be odd. That it’s sending it all home is the disturbing part.

  • Kim Reece

    Please clarify the distinction between which permissions are granted to the app and which data is being sent to Uber. Saying the application was reverse engineered to determine data sent goes far beyond listing what permissions the app had to list in Google market. Many applications require broad permission in order to access some small feature in a limited way. But if it has actually been determined that all of this data is being sent… That’s a big deal and another matter entirely.