A security researcher just reverse-engineered the code of Uber’s Android app and come to the conclusion that it is malware. GironSec discovered the Uber app “calls home” and sends data back to Uber. But this is not the sort of app data you want sent to a taxi company.
Uber has access to users’ entire SMSLog even though the app never requests permission. It also accesses call history, Wi-Fi connections used, GPS locations and every type of device ID possible. To make matters worse it even checks your neighbor’s Wi-Fi and retrieves info on the router’s capabilities, frequency and SSID.
One developer commenting on the revelation said there isn’t “any reason for Google not to immediately remove this app from the store permanently and ban whatever developer uploaded it. There should probably be legal action.”
Uber collects the following through its Android app: Accounts log, App Activity, App Data Usage, App Install, Battery, Device Info, GPS, MMS, NetData, PhoneCall, SMS, TelephonyInfo including tower ID, tower latitude, cell tower longitude, IMEI, ISO country code, local area code, MEID, mobile country code, mobile network code, network name, network type, phone type, SIM serial number, SIM state, subscriber ID. It snuffles WifiConnection, WifiNeighbors, Root Check, and Malware Uber.
All the information is being sent and collected by Uber’s servers without users’ knowledge or permission.
Given that Uber was thinking of spying on and blackmail journalists who wrote unfavourable articles about the company, people are starting to worry about the company’s data gathering powers.
Uber spokeswoman Lara Sasken said that access to permissions including Wifi networks and camera are included so that users can experience full functionality of the Uber app. This is not unique to Uber, and downloading the Uber app is of course optional.