Ever had the feeling that you were being watched? Well if you own an iPhone there is a chance that you may have been. A recent New York Times report has shown that Uber tracked users’ iPhones, even after the app was deleted.
Uber exploited a loophole in Apple’s system that allowed them to pinpoint individual phones . This culminated in a meeting between Travis Kalanick and Tim Cook. The Apple boss threatened to pull the app from the apple store unless Uber ceased tracking its users. Losing access to the App Store would have crippled the ride sharing giant.
How did they do it?
Uber tracked users by inserting code into their app that allowed them to identify phones that deleted the Uber app and then subsequently re-installed it. The tracking relied upon a technique called “fingerprinting” that let Uber identify a phone. They then kept this information and looked for phones that re-installed the app at a later date. Using this method Uber was able to identify an individual phone even it had been wiped clean because the “fingerprint” is persistent.
While Apple originally used Unique Device Identifiers, an ID that persisted across installs, they were phased out as consumers became more concerned about privacy. Apple has replaced these with other trackers, such as advertising IDs and Vendor IDs. None of these replacements persists across devices. So what identifier was Uber using if not UDIDs?
According to Will Strafach of the Sudo Security group; Uber secretly included code in their App that allowed them to grab information from a device’s directory that they would normally be unable to access. This allowed them to ascertain a device’s serial number, which would persist across installs, even if the phone was completely wiped. This then gave Uber a unique identifier with which to track phones, even if their app was removed or the phone was formatted.
Uber claimed that it was necessary for them to track users in order to combat fraud. It prevented a practice where drivers would register themselves on multiple phones and request large numbers of expensive rides in order to boost their bonuses.
Why was Apple angry?
The move was a blatant violation of Apple’s privacy policies and at no point where users explicitly informed that their phones information was being collected in this manner. To make matters worse, it appears that Uber was fully aware they were breaching Apples terms. Uber software engineers took steps to hide the subterfuge by Geo-fencing Apples Cupertino headquarters.
The trick was eventually spotted by Apple engineers from another office which culminated in Mr Cook summoning Mr Kalanick to the meeting. Apples threat was very real, if they had pulled Uber’s app from their store it would have crippled and likely destroyed the ride sharing company.
While Uber agreed to stop the practice they do still use some form of fingerprinting in order to combat fraud but stress that they do not track individual users or their locations if they have deleted the ap.
What does this mean for Uber?
This is just the latest in a string of scandals for the embattled ride sharing giant. They have lost numerous execs, been kicked out of Italy and are embroiled in a sexual harassment scandal. While Uber will likely escape from these revelations mostly unscathed it is the last thing the company needs at this point. Consumers have become more concerned about their privacy in recent years and the news that Uber tracked users will likely damage their confidence.
The fact that Uber almost lost access to Apple’s App store further highlights that Mr Kalanick is willing to ignore any rules if he believes it will help him win. Even if he risks destroying his company’s future.