This post was originally published on December 10, 2014.
Last week, The Hacker News posted an article about the mobile app offered by ride-sharing service Uber — turns out a security researcher from Arizona reverse engineered the Android app to see what kind of data it was collecting, and based on his findings dubbed it “literally malware.” Now, the Web is blowing up with discussion over the app itself, mobile permissions, and what it really means to be malware.
They’re Looking for What?
App permissions are already a bone of contention among users, especially when it comes to Android devices. Google often compels developers to include very broad permission requests for even simple functions, giving the impression that much more data is being accessed than is required. In Uber’s case, a Ycombinator thread found that it could potentially access a host of information, including:
- app activity
- battery life
- device info including manufacturer, model, OS and SDK code
- SMS data
- WiFi Connection data
- Contacts data
- GPS data
- Malware information, such as checks for Heartbleed vulnerabilities
Much of this data makes sense: GPS and WiFi connection data can be used to determine your location when ordering a ride, while contract data lets you split fares or invite friends to use the app. Even device information isn’t totally out of line: Uber says they use this data to assign a unique user ID.
Other information, however, is more troublesome. Why would Uber care about your SMS history, malware information or battery life? That seems a bit intrusive, and if this data really is being sent back to the company, well, it’s not hard to see why some are calling the app “malware”.
Not So Sinister?
But it’s not that simple. The Next Web did some digging, and found that while Uber was sending back all the information it needed to get users a ride, the app wasn’t grabbing SMS or other data for collection. Uber said as much in a statement to Cult of Mac, and also pointed out that other services often require the same kind of permissions.
It’s also worth mentioning that in order to use the Uber app, users must first download it and then agree to the permissions as presented. While the company certainly seems interested in getting its hands on everything that could enhance the “user experience,” it doesn’t look like their aim is to steal personal information — what would be the point? Users would quickly find out about any impropriety and quickly spread the word. As noted by The Next Web, the permissions here may not be the issue: it may be the way they’re presented to users, as if all their data is up for grabs.
Uber isn’t the first app to have its permissions questioned. In the UK, government officials are calling for an inquiry about Facebook’s mobile app and the possibility that it can take pictures or record videos without permission. USA Today, meanwhile, points out that many free apps ask for a host of permissions they don’t need — for example, virtual pet and dictionary apps want access to GPS data and microphones.
So what’s the final verdict? Is Uber’s app “literally malware”? Sort of. While it can potentially access device information that goes well beyond its purview as a ride-sharing app, there’s no evidence of malicious action. Uber has been under fire recently for a host of other issues, so it’s no surprise that their app is under greater scrutiny — what’s really uncovered here isn’t Uber’s big secret, but the fact that Android apps in general ask for much greater reach than they actually need. Some of this is on Google, while some of it comes from app developers themselves.
No matter the source, however, the fact remains that it’s on users to read what they’re agreeing to and then decide if the risk is worth the reward. And this is where the Uber malware construct falls apart: users are giving the app permission to access their device at large. With permission comes tacit approval; if you want privacy, always read carefully before hitting “agree.”