Appthority Research Finds Uber Puts Sensitive Personal and Corporate Data at Risk

Today, Appthority, the global leader in enterprise mobile threat
protection, published research that revealed Uber's ride-sharing app is
putting sensitive personal and corporate data at risk. Uber's updated
and incomplete privacy policies, excessive location tracking and the
company's "moving experience" make users' smartphones susceptible to
spear phishing and watering hole attacks, physical security exposures,
and widespread privacy breaches.

Among the most alarming findings in Appthority's research is the fact
that Uber has increased the number of services running in the background
of its Android app from none in early 2015 to 26 as of its latest
release in March 2017. In addition, there are now more than 600
third-party apps and services integrating with Uber's Application
Programming Interfaces (APIs). These trends raise security and
privacy concerns, as these services may be accessing data that is being
collected even when the app is not in use and they may not be following
Uber's privacy policy or handling the data securely.

"Uber's app and connected convenience apps are a direct threat to
personal and corporate data," said Dr. Su Mon Kywe, Appthority's lead
Research Scientist on this investigation. "With its latest app and
privacy policy updates, Uber has been moving in the direction of asking
for more user information but also is not enforcing secure connections
or strong privacy policies when accessing or sharing that data.
Enterprise security departments should be deeply concerned about Uber's
security practices."

With the introduction of Uber for Business, organizations should be
especially wary of the app. Uber has the ability to track the location
of all riders, including C-level executives, salespeople, developers and
other employees whose whereabouts could signal activities they don't
want revealed. In addition to collecting location data, the app's
permissions may also enable access to meeting agendas, attendees, and
attendees' contact information. Appthority recommends that users turn
off the app's location services permission and manually enter their
pickup location to prevent extended location tracking.

Researchers on the company's Mobile Threat Team used the Appthority
Mobile Threat Protection solution to analyze the Uber app and 633
third-party apps that are integrated with Uber for the enriched in-app
experience. They assessed app behaviors and compared the risky behaviors
in the 2015 and 2016 Uber app versions to observe changes over time.

Additional findings from Appthority's Enterprise Mobile Threat Research
show that:

  • As Uber expands its integration with other apps, it has access to more
    user information, which could be confidential or private.
  • 84% of the apps using the /estimates/time API and 61% of the apps
    using the /history API are using unencrypted connections with remote
    servers.
  • 15 integrated third-party apps are leaking their secret tokens used
    for communicating with Uber.
  • The newer versions of Uber apps do not enforce HTTPS connections and
    started sending data unencrypted.
  • Uber's privacy policies are incomplete, and therefore mislead
    enterprises who rely on privacy policies to evaluate app risk.

The full enterprise mobile threat research report, entitled 'Uber:
Security Risks Come Along with Your Ride', can be downloaded here.

About Appthority Mobile Threat Research

Appthority's Mobile Threat Team (MTT) monitors and investigates mobile
risks that pose a direct threat to mobile enterprises. Their goal is to
provide research that educates and informs enterprises looking to
protect their people, data, devices, apps, and networks from mobile
risks. The MTT is comprised of top mobile security researchers and
threat analytics managers who use their experience and expertise to
develop best-in-class research insights. The team prides itself on
delivering unique, accurate and practical perspectives that help our
enterprise audience understand mobile risks and focus on the most
impactful threats.

About Appthority

Appthority is a pioneer in enterprise mobile security and the leader in
the Mobile Threat Defense category. The comprehensive Appthority Mobile
Threat Protection (MTP) solution helps customers keep their data private
and secure from mobile device, app and network threats. More Fortune
1000 companies trust Appthority to secure their enterprises from mobile
threats because Appthority delivers best-in-class mobile threat
protection and unparalleled enterprise visibility and control of mobile
risks. With Appthority, security teams are informed, employees are
productive and enterprise data is kept private and secure. Learn more at www.appthority.com.
