Uber app was capable of recording iPhone display

Oct 6, 2017 07:25 GMT

Privacy-obsessed Apple had apparently provided Uber with a special private entitlement that allowed the app to record what happened on an iPhone screen, even when the app itself was closed.

Even though this sounds like a serious privacy violation, Uber says that the permission was being used to power one of the features of its app, as it helped “render Uber maps on iPhone and send to Apple Watch before Watch apps could handle it.”

Melanie Ensign, Security and Privacy communications at Uber, said in a tweet that this particular API was not in use and is currently being removed, though it’s bizarre to see it getting pulled only after the whole thing made the headlines.

Discovered by security researcher Will Strafach, the private entitlement that lets the Uber app record what’s happening on an iPhone screen is said to be the only one ever granted by Apple. This is surprising, to say the least, especially because Cupertino at one point planned to ban the Uber app from the App Store due to privacy violations.

Uber: We’re taking care of this

Uber hasn’t discussed the topic too much, but emphasized in a statement that the engineering team is working to have the API pulled completely.

“It's not connected to anything else in our current codebase and the diff [sic] to remove it is already being pushed into production. This API would allow maps to render on your phone in the background and then be sent to your Apple Watch,” a company spokesperson was quoted as saying.

“Subsequent updates to Apple Watch and our app removed this dependency, so we're removing the API completely.”

As Apple explains in the developer documentation on its website, entitlements can be used by app devs to enable access to only the resources a specific app needs, thus limiting the damage that a malware infection could produce. While devs can set entitlements for features like iCloud access, push notifications, and Apple Pay, certain functionality requires private grants from Apple, such as the one received by Uber for recording the screen activity on an iPhone.
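An added example, not from the article, Apple or Uber: a defender-side check that reads an app's entitlements plist and separates keys in the `com.apple.private.` namespace from ordinary ones. The sample plist, its bundle identifier and the private key name are constructed, and treating that prefix as the marker is an assumption based on Apple's naming convention, not a complete list of restricted entitlements.

```python
import plistlib

# Constructed sample: an entitlements plist in the XML form that
# `codesign -d --entitlements` prints for a signed app. The private key
# is a made-up placeholder, not the entitlement the article describes.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>TEAMID1234.com.example.rides</string>
    <key>aps-environment</key>
    <string>production</string>
    <key>com.apple.developer.in-app-payments</key>
    <array><string>merchant.com.example.rides</string></array>
    <key>com.apple.private.example-screen-capture</key>
    <true/>
</dict>
</plist>
"""

# Assumption: Apple-only grants are recognised by this key prefix.
PRIVATE_PREFIX = "com.apple.private."


def load_entitlements(raw: bytes) -> dict:
    """Parse entitlements, tolerating the binary blob header that some
    codesign invocations emit in front of the XML."""
    start = raw.find(b"<?xml")
    if start > 0:
        raw = raw[start:]
    ents = plistlib.loads(raw)
    if not isinstance(ents, dict):
        raise ValueError("entitlements plist must be a dictionary")
    return ents


def audit(ents: dict) -> dict:
    """Split granted entitlements into private and public keys."""
    findings = {"private": [], "public": []}
    for key, value in sorted(ents.items()):
        if not value:  # false or empty value: declared but not granted
            continue
        bucket = "private" if key.startswith(PRIVATE_PREFIX) else "public"
        findings[bucket].append(key)
    return findings


if __name__ == "__main__":
    print(audit(load_entitlements(SAMPLE_ENTITLEMENTS)))
```

Any key that lands in the private bucket is one the developer could not have enabled on their own, so it is the part of an app review worth questioning first.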

At this point, Uber appears to be the only company to have ever received such a permission.