Before the end of August, it was confirmed that Uber, the popular ride-hailing service, would be removing a privacy feature that allowed it to continue to track a user’s location for several minutes after a trip had ended.
Now, another behind-the-scenes piece is being removed. The head of Uber's security communications, Melanie Ensign, has tweeted that Uber will remove from its app access to a capability that may have allowed the company to record a user's screen. Recently, security researchers had noted that Apple had given Uber permission, by way of private iOS APIs, to access this feature.
Developers use entitlements to gain access to either private or public APIs. This is how Apple ensures that an application is granted access only to the APIs it specifically needs. In short, a developer needs to obtain a particular entitlement before the app can use the corresponding feature. To use Apple Pay, for example, a developer needs the right entitlements to reach the relevant APIs.
The iOS API that Uber had access to was a private one, which means Uber technically should not have been able to use it, because apps submitted to the iOS App Store are not allowed to use private APIs. According to Ensign, Uber used the specific API back when the Apple Watch, which has an Uber app, could not handle map rendering. Ensign confirmed that the private API would be removed in a response to Will Strafach on Twitter:
API was used to render Uber maps on iphone & send to Apple Watch before Watch apps could handle it. It's not in use & being removed. Thx!
— Melanie Ensign (@iMeluny) October 5, 2017
The way this came about, with Uber gaining access to a private API that could allow it to record the display of an unknowing customer, is certainly strange. And while Strafach has asked Ensign how Uber was granted access to the entitlement and the private API, that question remains unanswered at the time of publication.