The Hidden Face of Uber: Behaviors & Vulnerabilities

Posted by Roxane Suau on October 12, 2017

Lately in the news, we’ve read a lot about popular apps performing malicious and intrusive behaviors. The fact is that as users, we only see a tiny part of the actions performed by mobile apps, the rest of them being silently executed. Comparable to an iceberg, 90% of an app’s actions are hidden and consequently, hard to control.

iceberg.png

To provide a proper service, an app needs to access some data such as the user’s location, its list of contacts, its photo gallery… Once collected, those data are either placed in some local files, sent over the network to a distant server, or both. When users allow an app to access a particular data or content, they assume the app will only use it to execute properly. However, apps often go further than that and it has become difficult to define where the line is between convenience and data leakage.

Our behavioral analysis engine scans thousands of mobile apps every day and the results are unequivocal: most apps overly process the data they collect, sometimes raising ethical questions.

 

As the Uber app has recently made the headlines, we decided to publish the key elements detected by our engine on this application. Here are the main outcomes:

  • The app sends user information and phone data to 9 known distant servers (analytics, payment, ads...)
  • The app sends user’s contacts information over the network (name and phone number)
  • The app features 3 OWASP vulnerabilities
  • The app checks if the device is rooted to run specific commands

 

DETECTED BEHAVIORS

The app checks if the device is rooted to run specific command

The app generates a public encryption key (to encrypt content, or to verify the signature of messages

it receives and the identity of the sender)

The app generates a private encryption key (to sign content, or decrypt messages it receives)

The app plays an audio or video record

The app changes the camera settings

 

 

DATA SENDING

This table shows an extract of what data is sent to which distant server.

DESTINATIONS

DATA SENT

https://www.paypalobjects.com (Paypal library)

https://logs.juspay.in (Payment tracking)

https://settings.crashlytics.com (Crash report monitoring)

https://api.paypal.com (Paypal API)

https://paypal.112.2o7.net (Paypal third-party server)

https://api-m.paypal.com (Paypal API)

User data

Contacts information (name, phone number…)

User location

 

Phone data

Device identifier :IMEI, Hardware serial number

Mobile network information: Service provider name, network type (3G, 4G, UMTS…)

Network information: MAC address, Wi-Fi connection state

Device information: Manufacturer, commercial name -e.g.:Nexus 4), Battery level, Maximum level of battery, Operating System version number

 

https://googleads.g.doubleclick.net (Google Ads server)

User data

Contacts information (name, phone number…)

User location

 

Phone data

Device identifier :IMEI, Hardware serial number

Mobile network information: Service provider name, network type (3G, 4G, UMTS…)

Network information: MAC address, Wi-Fi connection state

Device information: Manufacturer, commercial name -e.g.:Nexus 4), Battery level, Maximum level of battery, Operating System version number

 

App data

App's preferences         

File coming from app static data (data compiled in the app)

 

https://csi.gstatic.com (Delivers static content for Google)

https://www.google.com (Google)

User data

Contacts information (name, phone number…)

User location

 

Phone data

Device identifier :IMEI, Hardware serial number

Mobile network information: Service provider name, network type (3G, 4G, UMTS…)

Network information: MAC address, Wi-Fi connection state

Device information: Manufacturer, commercial name -e.g.:Nexus 4), Battery level, Maximum level of battery, Operating System version number.

 

App data

Cache file

 

 

OWASP VULNERABILITIES DETECTED

LOG: The app writes data in log files. A third-party app may execute a command that allows it to read the logs that might contain potentially sensitive data.

IMPLICIT-INTENT: A malicious activity or service can intercept an implicit intent and be started instead of the intended activity or service. This could result in the interception of data or in a denial of service.

X.509TRUSTMANAGER: Unsafe implementation of the interface X509TrustManager. Specifically, the implementation ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making the app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection.

 

Application analyzed: 

Uber - Android version 4.173.3

sha1: 0526cee8bce8fd86fe0f880882244bf830f4392c

Package: com.ubercab

 


 

Discover PRADEO SECURITY behavioral analysis engine

 

 

Topics: Mobile Application Security