Think your data is totally protected when you’re using Uber? Think again…
What’s going on?
A new study from the enterprise mobile threat protection company Appthority finds that if you have a newer version of the Uber app on your phone, it likely doesn’t enforce HTTPS connections and may even send unencrypted data in some cases!
Appthority examined the 2016 versions of the Uber app for Android and iOS and compared them to the 2015 versions.
What they found was a major year-over-year growth in some troubling areas.
For example, the 2016 version of the Uber iOS app can access your calendar and does not enforce HTTPS connections — unlike the 2015 version.
Ditto for the 2016 version of the Uber Android app. Moreover, the 2016 Android app can now access your text message history and has permission to send texts, which the app couldn’t do in 2015.
Why such big changes from 2015 to 2016?
A big part of the problem is that there are now 26 services that run in the background on the app. That’s up from zero background-running services in 2015, by the way!
Newly added service names include “com.ubercab.client.feature.addressbook.UploadContactsIntentService” and “com.ubercab.android.partner.funnel.onboarding.documents.DocumentsUploadService,” according to Appthority.
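The year-over-year comparison Appthority describes (new permissions, new background services, HTTPS no longer enforced) is something you can check for yourself on any app build. The script below is an added example, not Appthority’s tooling and not Uber’s real manifests: it audits a decoded AndroidManifest.xml and an iOS Info.plist for those signals and diffs two Android versions. The manifests and plist are constructed stand-ins; only the two service names come from the article.

```python
"""Added example (not Appthority's tooling): audit an Android manifest and an
iOS Info.plist for the signals the study reports, then diff two versions.
All inputs below are constructed; they are not Uber's real manifests."""
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Watch-list of permissions the article singles out, plus fine location.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALENDAR",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}


def audit_android_manifest(xml_text):
    """Return sensitive permissions, declared services and whether cleartext HTTP is allowed."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    services = sorted(e.get(ANDROID_NS + "name") for e in root.iter("service"))
    app = root.find("application")
    # usesCleartextTraffic defaults to "true" for apps targeting API 27 or lower,
    # so an absent attribute means plain HTTP is NOT blocked on 2016-era targets.
    flag = app.get(ANDROID_NS + "usesCleartextTraffic", "true") if app is not None else "true"
    return {
        "sensitive_permissions": sorted(perms & SENSITIVE_PERMISSIONS),
        "services": services,
        "cleartext_allowed": flag.lower() == "true",
    }


def audit_info_plist(plist_bytes):
    """Return whether App Transport Security still enforces HTTPS and whether the
    app declares a reason to read the calendar (NSCalendarsUsageDescription)."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    return {
        "ats_enforced": not ats.get("NSAllowsArbitraryLoads", False),
        "requests_calendar": "NSCalendarsUsageDescription" in info,
    }


def diff_android_audits(old, new):
    """Summarise what a newer manifest added relative to an older one."""
    return {
        "added_permissions": sorted(set(new["sensitive_permissions"]) - set(old["sensitive_permissions"])),
        "added_services": sorted(set(new["services"]) - set(old["services"])),
        "cleartext_newly_allowed": new["cleartext_allowed"] and not old["cleartext_allowed"],
    }


# Constructed stand-in for a 2015-style manifest: HTTPS enforced, no services.
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.ride">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:usesCleartextTraffic="false"/>
</manifest>"""

# Constructed stand-in for a 2016-style manifest; the two service names are the
# ones quoted in the article, everything else is made up.
NEW_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.ride">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name="com.ubercab.client.feature.addressbook.UploadContactsIntentService"/>
    <service android:name="com.ubercab.android.partner.funnel.onboarding.documents.DocumentsUploadService"/>
  </application>
</manifest>"""

# Constructed Info.plist that switches ATS off and asks for calendar access.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
  <key>NSCalendarsUsageDescription</key>
  <string>Suggests rides to upcoming events</string>
</dict></plist>"""

if __name__ == "__main__":
    old, new = audit_android_manifest(OLD_MANIFEST), audit_android_manifest(NEW_MANIFEST)
    print(diff_android_audits(old, new))
    print(audit_info_plist(SAMPLE_PLIST))
```

On a real build you would feed it the manifest decoded from the APK and the Info.plist from the IPA. The cleartext check is deliberately pessimistic: it treats a missing usesCleartextTraffic attribute as “HTTP allowed”, which was the platform default for apps targeting API 27 or lower, so a clean result means the developer opted in to enforcement rather than relying on defaults.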
In addition, there are now more than 600 third-party apps and services integrating with Uber’s APIs.
Fifteen of those integrated third-party apps can easily leak their secret tokens used for communicating with Uber.
For those who aren’t familiar with tokens: a token is a credential that lets an app skip the normal login step, so whoever holds it can act as that app.
So because 15 third-party apps hard-code the server tokens directly in their own apps, the tokens can ‘be leaked to anyone who reverse engineers the app’s source code. The leaked server tokens could be used by an attacker to request access to the Uber API pretending to be another app approved by Uber.’
That means your data could be in anybody’s hands because those third parties may not have adequate security measures in place!
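The weakness behind those 15 apps is a credential compiled into the app binary, where anyone who unpacks it can read it. Developers integrating with an API like Uber’s can catch this before shipping with a simple scan of their own source. The scanner below is an added example, not Appthority’s tool and not any real app’s code: it flags string literals assigned to credential-like names and any long, random-looking literal regardless of its name. The Java snippet and the token values in it are constructed.

```python
"""Added example (not Appthority's tool): a simple scanner for credentials
embedded in app source, the weakness the study describes for 15 Uber
integrations. Input is a constructed Java snippet, not any real app."""
import math
import re

# Identifier names that usually hold a credential.
SECRET_NAME = re.compile(r"(token|secret|passw(or)?d|api_?key|private_?key)", re.I)
# Any identifier assigned a double-quoted string literal (Java, Kotlin, Swift, Python...).
ASSIGNMENT = re.compile(r'(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*"(?P<value>[^"\\]{4,})"')
ENTROPY_BITS = 4.2     # bits per character; a random 32-char token scores 5.0
MIN_RANDOM_LEN = 20    # URLs and short names stay under this


def shannon_entropy(text):
    """Bits of entropy per character, a rough 'does this look random' score."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in (text.count(ch) for ch in set(text)))


def find_hardcoded_secrets(source):
    """Return one finding per suspicious literal: name, line number and reason."""
    findings = []
    for m in ASSIGNMENT.finditer(source):
        name, value = m.group("name"), m.group("value")
        line = source.count("\n", 0, m.start()) + 1
        if SECRET_NAME.search(name):
            findings.append({"name": name, "line": line, "reason": "credential-like name"})
        elif len(value) >= MIN_RANDOM_LEN and shannon_entropy(value) >= ENTROPY_BITS:
            findings.append({"name": name, "line": line, "reason": "high-entropy literal"})
    return findings


# Constructed decompiled-source stand-in. The token values are made up and
# chosen to look random; nothing here is a real credential.
SAMPLE_SOURCE = '''package com.example.rides;

public class RideClient {
    private static final String CLIENT_ID = "example-client-id";
    private static final String BASE_URL = "https://api.example.com/v1/";
    // Server-side credential shipped inside the app: anyone who unpacks the APK can read it.
    private static final String SERVER_TOKEN = "Qv7xL2mZp9Rn4tHc8WbYk3FsD6gJ1aUe";
    // Innocent-looking name, but the value is a second embedded credential.
    private static final String ANALYTICS = "A1b2C3d4E5f6G7h8I9j0KlMnOpQrStUv";
}
'''

if __name__ == "__main__":
    for finding in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(finding)
```

The fix for anything it flags is not obfuscation: a server token belongs on a backend you control, with the mobile app calling that backend rather than carrying the credential itself. The entropy rule exists because the second literal shows why name matching alone is not enough; tune ENTROPY_BITS and MIN_RANDOM_LEN against your own code base, since base64 blobs and URLs with long query strings are the usual false positives.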
For businesses that use Uber for corporate travel management, Appthority notes that lax app permissions could mean that anyone could see meeting agendas, the names of attendees and attendees’ contact information.
What can you do to protect yourself?
Appthority suggests turning off the app’s location services permission and typing in your pickup location by hand instead when you need a ride. That should prevent the kind of extended location tracking that happens even when your Uber app is not in use.
On a larger scale, you can protect yourself by never giving unnecessary permissions to apps that request access to other apps.
But don’t worry: If you’ve already given permission, it’s not too late to take it back!
Simply go to https://login.uber.com/login. Then look under ‘Profile’ and find ‘Connected Accounts.’ You’ll now see a list of apps connected to your Uber account. Simply click ‘Disconnect’ next to any app you don’t want to have access to your Uber account.
Source: Uber scam: What you need to know to protect yourself by Clark on Rumble