New research finds worrisome security issues for anyone who uses the Uber app.
Late last year, Uber launched a major update to its app. One surprising new feature: the ability to track users even when they’re not using the app. Uber claims that the feature is essential to providing a better ride-sharing experience. Maybe so. But excessive location tracking and data sharing potentially comes with a number of unwanted accompaniments, like spear phishing and watering hole attacks and physical security exposure.
In fact, the latest research from Appthority shows that Uber’s new third-party ecosystem enables information sharing with hundreds of other apps – Appthority found over 600 in our database of apps used in enterprises. For instance, Uber is integrating with the Relatient and Medstar apps, which remind users of their doctor appointments and offer a ride there. Uber is also integrating with native calendar apps on your smartphone, giving it access to your meeting schedules and timetables.
Why is this app integration so troubling? Because it opens the door for widespread privacy breaches. For example, location data could reveal that a C-level executive at a large company is visiting a cancer clinic, which could affect the stock price of his or her company if the info were to be leaked. It also has the ability to track other employees – salespeople, developers, etc. – whose location could signal some activities that they don’t want revealed for business reasons.
Employee location becomes even more valuable when other contextual data is added. For example, if users agree to the permission requests, Uber can access not only the location of a meeting, but also the meeting agenda (by accessing calendar) and the meeting attendees and their contact information (by accessing addressbook).
Uber now has access to large volumes of sensitive personal and business information. And while all this additional data sharing might add convenience, it also increases the risk that more of your private data will be shared with unintended or unknown parties, or that sharing will be done without sufficient security protections, like encryption.
The real problem here is that third-party apps may be getting more information than they need and many do not follow Uber’s terms of use. For example, many do not use encryption and that can mean exposing private information. In fact, a new Appthority study found that the vast majority of the 633 third-party apps in enterprise environments that use Uber APIs are transmitting specific information by means that are unencrypted and insecure.
For example, we believe that two tag-along apps—Ride Rates for Uber and Lyft and Fare Check – Instant Uber Price and Arrival Estimates—are supposed to access the Uber API only to check estimated prices and arrival times. However, our analysis showed that these apps are also accessing the history of users’ trips. Uber requires these apps to have publicly available privacy policies by forcing them to submit a URL to these policies during the setup. However, we were unable to find the privacy policies by searching the two apps and the websites of their developers. This means that users who rely on these apps have no idea what data they are sharing, and what these apps will do with that data.
Uber’s business decision to integrate with other apps increases the risk of data leakage and exposure of vital corporate information. For these reasons, making the Uber app itself secure should be Uber’s first priority and, in the meantime, enterprises should be aware of the risks and may want to limit Uber use in their corporate environment. Further, by opening up their API to partners, Uber also bears responsibility to work with their hundreds of partner apps to ensure they too protect and secure the user data they have access too.
Enterprises should take the following actions to address the potential security risks associated with Uber:
- For enterprises that deem any of the aforementioned risks unacceptable, the Uber app can be blacklisted by their enterprise mobility-management solution.
- If the enterprise security team choose not to blacklist the Uber app, they can request that employees turn off location services for the app. Uber will still function, the user just has to type in the pickup address. Users may choose to do that anyway to avoid post-ride location tracking.
- As a general best practice, enterprises should educate their employees that it’s best to say no to apps when they request access to another app unnecessarily. If access has already been given, the user can revoke that access by going to the user’s settings page at the Uber website.
- Deploying an MTP – Mobile Threat Protection – solution is a great way to automate employee mobile risk education, by providing self-management and self-remediation tools to enable employees to know when it’s safe, and when it’s not, to allow app permissions.
Uber has been making a big play in the enterprise recently with its Uber for Business initiative, which makes it easier for workers to use Uber and expense their rides. Uber’s security practices are, therefore, something that enterprise security departments need to take seriously—before they hit a bump in the road.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.