Big Uber is watching you

This article is full of evil rays. Recently, I downloaded Uber for myself, and everyone liked the application, except for the permission set I asked myself to give.

The list of permissions that are needed for the application to work can be found in the AndroidManifest.xml file inside the APK. At the beginning we see only garbage:


')
However, the xml-apk-parser utility comes to the rescue.



Now we can see the list of permissions explicitly:

<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"> </uses-permission> <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"> </uses-permission> <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"> </uses-permission> <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"> </uses-permission> <uses-permission android:name="android.permission.CALL_PHONE"> </uses-permission> <uses-permission android:name="android.permission.CAMERA"> </uses-permission> <uses-permission android:name="android.permission.GET_ACCOUNTS"> </uses-permission> <uses-permission android:name="android.permission.INTERNET"> </uses-permission> <uses-permission android:name="android.permission.MANAGE_ACCOUNTS"> </uses-permission> <uses-permission android:name="android.permission.READ_CONTACTS"> </uses-permission> <uses-permission android:name="android.permission.READ_PHONE_STATE"> </uses-permission> <uses-permission android:name="android.permission.USE_CREDENTIALS"> </uses-permission> <uses-permission android:name="android.permission.VIBRATE"> </uses-permission> <uses-permission android:name="android.permission.WRITE_SETTINGS"> </uses-permission> <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"> </uses-permission> <uses-permission android:name="com.google.android.providers.gsf.permission.READ_GSERVICES"> </uses-permission> <permission android:name="com.ubercab.permission.C2D_MESSAGE" android:protectionLevel="0x00000002"> </permission> <permission android:name="com.ubercab.permission.NOTIFY_ACTION" android:protectionLevel="0x00000002"> </permission> <uses-permission android:name="com.ubercab.permission.C2D_MESSAGE"> </uses-permission> <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"> </uses-permission> <uses-permission android:name="android.permission.WAKE_LOCK"> </uses-permission> 

What the heck? Does the taxi search application want access to my cell, my phone calls, my wifi neighbors and things like that? Wait, more fun.

 public void run() { Looper.prepare(); InAuthManager.getInstance().updateLogConfig(this.val$URL, this.val$acctGUID); InAuthManager.getInstance().sendAccountsLog(this.val$transID); InAuthManager.getInstance().sendAppActivityLog(this.val$transID); InAuthManager.getInstance().sendAppDataUsageLog(this.val$transID); InAuthManager.getInstance().sendAppInstallLog(this.val$transID); InAuthManager.getInstance().sendBatteryLog(this.val$transID); InAuthManager.getInstance().sendDeviceInfoLog(this.val$transID, true); InAuthManager.getInstance().sendGPSLog(this.val$transID, true); InAuthManager.getInstance().sendMMSLog(this.val$transID); InAuthManager.getInstance().sendNetDataLog(this.val$transID); InAuthManager.getInstance().sendPhoneCallLog(this.val$transID); InAuthManager.getInstance().sendSMSLog(this.val$transID); InAuthManager.getInstance().sendTelephonyInfoLog(this.val$transID, true); InAuthManager.getInstance().sendWifiConnectionLog(this.val$transID); InAuthManager.getInstance().sendWifiNeighborsLog(this.val$transID); } }); 

Where does all this go? What for? Something I don’t remember giving someone in Uber permission to read my SMS messages.

Who cares, can see the code here . I especially liked the hasHeartbleedVulnerability () method. Why do they need to know this?

Go ahead.



Do you see? Stericson.RootTools

Uber checks if there is a root on your device and sends this information to someone. It also searches for different types of malware, tracks the activity of some applications and does other interesting things.

I do not make unambiguous conclusions. Maybe I'm just paranoid. Be careful.

Via geronsec.com