Appthority, the global leader in enterprise mobile threat protection, today (March 10) revealed that Uber’s app is putting sensitive personal and corporate data at risk — a claim that the popular ride-sharing company was quick to refute in an email to PYMNTS.
But Uber is defending the safety and security of its app, saying that Appthority actually tested outdated versions of it, not the versions currently in the Google or Apple app stores.
“Uber’s enterprise services use a different set of APIs than our consumer services, so none of the APIs in this report affect our B2B customers,” said Melanie Ensign, security and private communications at Uber. “We certainly don’t have more than 600 apps connected to our Uber for Business platform.”
Ensign also noted that the company uses strict terms of service for developers who use its APIs, restricting the kind of information that can be shared and refusing to reveal anything without permission from the user. Uber uses OAuth, an open protocol and industry standard used by companies like Facebook and Yelp, to allow secure authorization with developers.
“However, sensitive Uber location information like pickup or drop-off location is never shared,” said Ensign. “Our terms of service also require any Uber data or data related to developer integration of the Uber API to be encrypted and transmitted over a secure, encrypted channel (e.g., https). Even if an app requests data from Uber’s API without https, we automatically redirect them to https before our server will respond. That way, the information is always encrypted.”