Presser:
Today, Appthority, the global leader in enterprise mobile threat protection, published research that revealed Uber’s ride-sharing app is putting sensitive personal and corporate data at risk. Uber’s updated and incomplete privacy policies, excessive location tracking and the company’s “moving experience” make users’ smartphones susceptible to spear phishing and watering hole attacks, physical security exposures, and widespread privacy breaches.
Among the most alarming findings in Appthority’s research is the fact that Uber has increased the number of services running in the background of its Android app from none in early 2015 to 26 as of its latest release in March 2017. In addition, there are now more than 600 third-party apps and services integrating with Uber’s Application Programming Interfaces (APIs). These trends raise security and privacy concerns, as these services may be accessing data that is being collected even when the app is not in use and they may not be following Uber’s privacy policy or handling the data securely.
“Uber’s app and connected convenience apps are a direct threat to personal and corporate data,” said Dr. Su Mon Kywe, Appthority’s lead Research Scientist on this investigation. “With its latest app and privacy policy updates, Uber has been moving in the direction of asking for more user information but also is not enforcing secure connections or strong privacy policies when accessing or sharing that data. Enterprise security departments should be deeply concerned about Uber’s security practices.”
With the introduction of Uber for Business, organizations should be especially wary of the app. Uber has the ability to track the location of all riders, including C-level executives, salespeople, developers and other employees whose whereabouts could signal activities they don’t want revealed. In addition to collecting location data, the app’s permissions may also enable access to meeting agendas, attendees, and attendees’ contact information. Appthority recommends that users turn off the app’s location services permission and manually enter their pickup location to prevent extended location tracking.
Researchers on the company’s Mobile Threat Team used the Appthority Mobile Threat Protection solution to analyze the Uber app and 633 third-party apps that integrate with Uber to enrich the in-app experience. They assessed app behaviors and compared the risky behaviors in the 2015 and 2016 versions of the Uber app to observe changes over time.
Additional findings from Appthority’s Enterprise Mobile Threat Research show that:
- As Uber expands its integration with other apps, it has access to more user information, which could be confidential or private.
- 84% of the apps using the /estimates/time API and 61% of the apps using the /history API are using unencrypted connections with remote servers.
- 15 integrated third-party apps are leaking their secret tokens used for communicating with Uber.
- The newer versions of the Uber apps do not enforce HTTPS connections and have started sending data unencrypted.
- Uber’s privacy policies are incomplete and therefore mislead enterprises that rely on privacy policies to evaluate app risk.
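The cleartext-connection and leaked-token findings above can be checked in an enterprise's own traffic captures. The following is an added illustration, not Appthority's tooling or Uber's code: given (app, request URL, Authorization header) records, it computes the share of apps calling each watched Uber API endpoint over plain HTTP and lists apps that send a credential unencrypted. The app names, token values and records are constructed sample data; the `/estimates/time` and `/history` paths are the endpoints named in the findings.

```python
"""Audit third-party app traffic to Uber API endpoints for cleartext use.

Added example (not from the report). Records are constructed samples of
(app_name, request_url, authorization_header_or_None).
"""
from collections import defaultdict
from urllib.parse import urlparse

# Endpoints named in the findings; matched as path suffixes so that an
# API version prefix such as /v1.2/ does not matter.
WATCHED_ENDPOINTS = ("/estimates/time", "/history")

# Constructed sample records (app names and tokens are placeholders).
SAMPLE_RECORDS = [
    ("ride-planner", "https://api.uber.com/v1.2/estimates/time", "Token sk_EXAMPLE1"),
    ("trip-diary", "http://api.uber.com/v1.2/history", "Bearer EXAMPLE2"),
    ("expense-bot", "http://api.uber.com/v1.2/estimates/time", "Token sk_EXAMPLE3"),
    ("calendar-sync", "https://api.uber.com/v1.2/history", "Bearer EXAMPLE4"),
    ("promo-app", "http://api.uber.com/v1.2/estimates/time", None),
    ("promo-app", "https://api.uber.com/v1.2/products", None),
]


def endpoint_of(url):
    """Return the watched endpoint a URL targets, or None if it is not watched."""
    path = urlparse(url).path
    for endpoint in WATCHED_ENDPOINTS:
        if path.endswith(endpoint):
            return endpoint
    return None


def cleartext_share(records):
    """Map each watched endpoint to (apps using plain HTTP, apps using it at all).

    Counts distinct apps, mirroring the per-app percentages in the findings.
    """
    total, cleartext = defaultdict(set), defaultdict(set)
    for app, url, _auth in records:
        endpoint = endpoint_of(url)
        if endpoint is None:
            continue
        total[endpoint].add(app)
        if urlparse(url).scheme == "http":
            cleartext[endpoint].add(app)
    return {ep: (len(cleartext[ep]), len(total[ep])) for ep in total}


def cleartext_credentials(records):
    """Apps that send an Authorization header over plain HTTP (token exposure)."""
    return sorted({app for app, url, auth in records
                   if auth and urlparse(url).scheme == "http"})
```

`cleartext_share(SAMPLE_RECORDS)` reports two of three `/estimates/time` callers and one of two `/history` callers on plain HTTP, and `cleartext_credentials` names the two apps exposing tokens that way.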
The full enterprise mobile threat research report, entitled ‘Uber: Security Risks Come Along with Your Ride’, can be downloaded here.