Today, Appthority, the global leader in enterprise mobile threat protection, published research that revealed Uber’s ride-sharing app is putting sensitive personal and corporate data at risk. Uber’s updated and incomplete privacy policies, excessive location tracking and the company’s “moving experience” make users’ smartphones susceptible to spear phishing and watering hole attacks, physical security exposures, and widespread privacy breaches.
With the introduction of Uber for Business, organizations should be especially wary of the app. Uber has the ability to track the location of all riders, including C-level executives, salespeople, developers and other employees whose whereabouts could signal activities they don’t want revealed. In addition to collecting location data, the app’s permissions may also enable access to meeting agendas, attendees, and attendees’ contact information. Appthority recommends that users turn off the app’s location services permission and manually enter their pickup location to prevent extended location tracking.
Researchers on the company’s Mobile Threat Team used the Appthority Mobile Threat Protection solution to analyze the Uber app and 633 third-party apps that are integrated with Uber for the enriched in-app experience. They assessed app behaviors and compared the risky behaviors in the 2015 and 2016 Uber app versions to observe changes over time.
Additional findings from Appthority’s Enterprise Mobile Threat Research show that:
- As Uber expands its integration with other apps, it has access to more user information, which could be confidential or private.
- 84% of the apps using the /estimates/time API and 61% of the apps using the /history API are using unencrypted connections with remote servers.
- 15 integrated third-party apps are leaking their secret tokens used for communicating with Uber.
- The newer versions of Uber apps do not enforce HTTPS connections and have started sending data unencrypted.
- Uber’s privacy policies are incomplete, and therefore mislead enterprises who rely on privacy policies to evaluate app risk.
The full enterprise mobile threat research report, entitled ‘Uber: Security Risks Come Along with Your Ride’, is available for download.