The UberDriver app has leaked. There is currently no way for Uber to stop it from being distributed. And the heads of two Boston startups specializing in app development and security believe this is a major breach that calls into question the decision-making of the ridesharing industry’s biggest name.
The leak is “dreadful,” AppBlade president James Daniels told BostInno Monday afternoon. “This is really bad.”
AppBlade is a Boston-based startup that specializes in mobile device management, development and security. They work with big names, including PayPal and Storify. Daniels’ expertise is in making sure applications developed for enterprise companies are protected; if an app is leaked, a company like AppBlade can shut it down and prevent people who shouldn’t have access to it from using it.
“It’s one thing that the app leaked,” Daniels said, adding, “it’s another thing that it can be used” – with an existing driver’s account information. “You can fake being an UberDriver with this app.”
I, technically, have.
I came across the link to download the UberDriver app on a Reddit subthread last week. “The link has already been turned off,” said Raizlabs CEO Greg Raiz. Raiz is a director of AppBlade, which spun off from Raizlabs at the beginning of this year.
Monday afternoon I sent Raiz the link that allowed me to download the UberDriver app on my iPhone 5S. That link is now defunct – but that doesn’t mean Uber’s problem no longer exists. When I downloaded the UberDriver app, my iPhone 5S was updated; located under General Settings, in my phone’s Profile, “Uber Wildcard Enterprise” has been installed. This type of application is built by a developer for a specific company’s use only – and it’s unrestricted.
“If the build is out there, someone can distribute it,” Raiz said.
There are four ways of distributing an app, I learned: Apple’s App Store; a special business (B2B) App Store; an “Ad-hoc” class for developers; and an “Enterprise” class. The UberDriver app falls into this “Enterprise” category. (The screenshot pictured above was taken off my phone.)
Instead of going through the App Store, companies can distribute their Enterprise apps to employee devices.
In other words, Enterprise apps are private. Apple’s terms and conditions stipulate that a formal relationship between the app developer(s) and the company must exist before the app is installed on a device. Enterprise apps are supposed to be monitored by Apple, and the companies they are built for are supposed to be vetted, Daniels said.
Enterprise licenses can be revoked by Apple, but this “rarely” happens, he said.
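The four distribution classes described above correspond to fields in the provisioning profile that Apple embeds in every signed iOS app (the embedded.mobileprovision file inside the .ipa). The following Python script is an added example, not code from the article, from Uber or from AppBlade: it carves the plist out of such a profile and reports which class the profile belongs to, and whether it is a wildcard enterprise profile of the kind that can install on any iPhone. The two sample profiles are constructed, and the team identifier, team name and device UDID in them are placeholders.

```python
import plistlib

# Constructed sample profiles (not from the article): the XML plist that sits inside an
# iOS .mobileprovision file. Real profiles wrap this XML in a CMS (PKCS#7) signature;
# the XML itself is stored as plaintext inside that envelope, so it can be carved out.
SAMPLE_ENTERPRISE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Name</key><string>Example Wildcard Enterprise</string>
  <key>TeamName</key><string>Example Corp (constructed)</string>
  <key>ProvisionsAllDevices</key><true/>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>EXAMPLE123.*</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>
"""

SAMPLE_ADHOC_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Name</key><string>Example Ad Hoc</string>
  <key>TeamName</key><string>Example Corp (constructed)</string>
  <key>ProvisionedDevices</key>
  <array><string>0000000000000000000000000000000000000000</string></array>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>EXAMPLE123.com.example.driver</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>
"""


def extract_plist(raw: bytes) -> bytes:
    """Carve the XML plist out of a CMS-wrapped .mobileprovision; bare XML passes through."""
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML plist found in provisioning profile")
    return raw[start:end + len(b"</plist>")]


def classify_profile(raw: bytes) -> dict:
    """Report how an app signed with this profile can be installed, and flag the
    combination (enterprise + wildcard app ID) that runs on any device under any bundle ID."""
    plist = plistlib.loads(extract_plist(raw))
    entitlements = plist.get("Entitlements", {})
    app_id = entitlements.get("application-identifier", "")
    debuggable = bool(entitlements.get("get-task-allow", False))

    if plist.get("ProvisionsAllDevices"):
        distribution = "enterprise"   # in-house: any device, no App Store review
    elif "ProvisionedDevices" in plist:
        # Limited to the UDIDs listed in the profile; development builds are debuggable.
        distribution = "development" if debuggable else "ad-hoc"
    else:
        distribution = "app-store"    # installable only through Apple's store

    # Wildcard IDs look like TEAMID.* and cover every bundle identifier of that team.
    wildcard = app_id.endswith("*")
    return {
        "name": plist.get("Name"),
        "team": plist.get("TeamName"),
        "application_identifier": app_id,
        "distribution": distribution,
        "wildcard": wildcard,
        "device_count": len(plist.get("ProvisionedDevices", [])),
        # An enterprise profile with a wildcard ID installs on any iPhone that accepts
        # the link; an MDM inventory check would flag this combination for review.
        "unrestricted": distribution == "enterprise" and wildcard,
    }


if __name__ == "__main__":
    # Simulate a CMS envelope around the XML to exercise the carving step.
    wrapped = b"\x30\x82\x05\x00(constructed DER prefix)" + SAMPLE_ENTERPRISE_PROFILE + b"(signature bytes)"
    for label, blob in (("enterprise", wrapped), ("ad-hoc", SAMPLE_ADHOC_PROFILE)):
        print(label, classify_profile(blob))
```

On a real device fleet the same check runs over each installed app's embedded.mobileprovision; a profile that classifies as enterprise with a wildcard identifier, installed on a phone whose owner has no relationship with the signing team, is exactly the situation the article describes.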
An Apple technician at the Apple Store on Boylston St. said Monday afternoon that Enterprise applications are typically distributed through encrypted, secure emails. I showed the technician the Uber Wildcard Enterprise setting on my phone. The technician said the only examples of this that he is familiar with have involved jail-broken phones – phones that have been hacked, had their iOS system wiped and reinstalled.
The link I downloaded, the technician said, had been designed to bypass the Apple store like an Enterprise app can do, but I was able to download it without accessing any encrypted email.
Uber “really did not put any security into the [UberDriver app],” Daniels said, adding, “So many simple things could have been done” to prevent the app from being downloaded by someone who has not been hired as an Uber driver. This leak has made him question Uber as a company, he said.
In a statement provided to BostInno Monday night, Uber responded to Raiz’s and Daniels’ comments:
These comments are ridiculous and irresponsible. At Uber we pride ourselves on using state of the art technology to ensure a safe ride, including a number of fraud prevention techniques and algorithms. Throughout the testing of this limited availability BYOD beta, additional anti-fraud features are continually being built into the program. It’s also important to note that attempting this type of fraud is not only explicitly prohibited by our terms and conditions – it’s illegal.
“I stand by what I said,” Daniels told BostInno Tuesday morning. “From what I understand of the situation, it seems that the possibility of the driver application getting leaked wasn’t even considered, the minimum effort not taken, and that’s irresponsible. Security is hard, even if you try you’ll likely fail against a determined attacker—but you have to try.”
In an August 27 blog post, Uber announced the rollout of its BYOD (Bring Your Own Device) program. Now, in select cities, including Boston and San Francisco, Uber drivers are allowed to turn in their company-provided iPhone and have the UberDriver app downloaded onto their personal iPhone 4S or newer. The BYOD program is why the app leaked, and why I was allowed to download it.
“Are they really this cavalier?” Daniels questioned, when first made aware of the leak Monday afternoon. “This is [Uber’s] network, their entire site … their business model has been compromised.”