Uber's app could identify iPhones even after they'd been wiped.

Uber is no stranger to trouble, but it may have landed in some especially hot water two years ago. New York Times sources claim that Apple CEO Tim Cook held a face-to-face meeting in early 2015 to call out Uber's Travis Kalanick (and threaten to remove his app from the App Store) after learning that Uber was not only violating iOS app privacy guidelines, but was trying to cover it up. Reportedly, the ridesharing outfit had been "fingerprinting" iPhones with permanent identities so that it could prevent drivers from cheating by creating fake accounts and accepting rides from these bogus customers. The IDs would last even after the app was deleted or the entire phone was wiped. While this helped keep drivers honest, it was clearly a privacy violation -- and it was made worse by Uber's bid to hide the tracking from App Store reviewers.

Reportedly, Kalanick told staff to "obfuscate" the Uber app's fingerprinting code for anyone operating from Apple's current headquarters in Cupertino. As far as the people at Infinite Loop could see, it was business as usual. However, the trick didn't work for long. Apple workers outside of the headquarters eventually spotted the shady behavior, leading to the meeting with Kalanick. The approach isn't that uncommon for Uber (it recently admitted that it used location-based techniques to fool regulators), but it's particularly brazen given the risk of being dropped from the App Store and losing millions of customers.

Apple isn't commenting on the meeting with Cook, and we've reached out to Uber for its take on the allegations. However, it's safe to say that Uber would like to leave an issue like this in the past. The company is trying to turn a corner, and Kalanick himself is looking for a second-in-command to keep his boundary-pushing tendencies in check. This revelation certainly won't help matters, though. It reinforces the notion that Uber is all too willing to break rules in the name of money, even if it's motivated by honest concerns like fraud.

Update: Uber has responded to Engadget, and maintains that its staff "absolutely do not" track individual users after they've deleted the app. At present, it spots potential fraud through a mix of common red flags (such as unusual IP addresses and GPS locations) and undisclosed methods. The company adds that fingerprinting is a "typical way" of preventing people from using stolen phones for joyrides, and otherwise thwarting "known bad actors." You can read the full statement below. It's good to hear that the company isn't tracking people, but the heart of the story revolves around hardware fingerprints -- those still violated Apple's privacy guidelines, even if Uber couldn't definitively associate phones with specific customers.

"We absolutely do not track individual users or their location if they've deleted the app. As the New York Times story notes towards the very end, this is a typical way to prevent fraudsters from loading Uber onto a stolen phone, putting in a stolen credit card, taking an expensive ride and then wiping the phone—over and over again. Similar techniques are also used for detecting and blocking suspicious logins to protect our users' accounts. Being able to recognize known bad actors when they try to get back onto our network is an important security measure for both Uber and our users."

Source:
courtesy of ENGADGET

by Jon Fingas

If you have any stories or news that you would like to share with the global online community, please feel free to share it with us by contacting us directly at [email protected]