Appthority: Uber App Puts Personal, Corporate Data At Risk

Appthority, the global leader in enterprise mobile threat protection, today (March 10) revealed that Uber’s app is putting sensitive personal and corporate data at risk — a claim that the popular ride-sharing company was quick to refute in an email to PYMNTS.

According to a press release, Appthority claims the Uber app leaves users open to spear phishing, watering-hole attacks and widespread privacy breaches. The report blames the app’s incomplete privacy policy, location tracking and “moving experience” as the main issues putting the data at risk. In addition, the report also found that the newer versions of Uber apps don’t enforce https connections and are sending data unencrypted, and there are now more than 600 third-party apps and services integrating with Uber’s application programming interfaces (APIs).

“Uber’s app and connected convenience apps are a direct threat to personal and corporate data,” said Dr. Su Mon Kywe, Appthority’s lead research scientist on this investigation. “With its latest app and privacy policy updates, Uber has been moving in the direction of asking for more user information but also is not enforcing secure connections or strong privacy policies when accessing or sharing that data. Enterprise security departments should be deeply concerned about Uber’s security practices.”

But Uber is defending the safety and security of its app, saying that Appthority actually tested outdated versions of it, not the versions currently in the Google or Apple app stores.

“Uber’s enterprise services use a different set of APIs than our consumer services, so none of the APIs in this report affect our B2B customers,” said Melanie Ensign, security and privacy communications at Uber. “We certainly don’t have more than 600 apps connected to our Uber for Business platform.”

Ensign also noted that the company uses strict terms of service for developers who use its APIs, restricting the kind of information that can be shared and refusing to reveal anything without permission from the user. Uber uses OAuth, an open protocol and industry standard also used by companies like Facebook and Yelp, to authorize developers securely.

“However, sensitive Uber location information like pickup or drop-off location is never shared,” said Ensign. “Our terms of service also require any Uber data or data related to developer integration of the Uber API to be encrypted and transmitted over a secure, encrypted channel (e.g., https). Even if an app requests data from Uber’s API without https, we automatically redirect them to https before our server will respond. That way, the information is always encrypted.”
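The redirect described in that last quote protects the response, not the first request: a client that speaks plaintext first has already put the request, and any credential in it, on the wire before the redirect arrives. The simulation below is an added example, not code from Uber, Appthority or PYMNTS; the host name and token are constructed placeholders, and the "server" is a stub that redirects exactly as the quote describes.

```python
"""Server-side http->https redirect versus client-side https enforcement.

Added illustration (not Uber's or Appthority's code). A fake API server
redirects every plaintext request to https. The transport records what
crossed the network in cleartext so two client policies can be compared."""
from urllib.parse import urlsplit

API_HOST = "api.example.test"        # constructed placeholder host
API_PATH = "/v1/me"
TOKEN = "CONSTRUCTED-SAMPLE-TOKEN"   # constructed value, not a real credential


def fake_server(url: str) -> tuple[int, dict]:
    """Redirect plaintext requests to https; answer https requests with 200."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return 301, {"Location": f"https://{parts.netloc}{parts.path}"}
    return 200, {"Content-Type": "application/json"}


def send(url: str, headers: dict, cleartext_log: list) -> tuple[int, dict]:
    """Deliver a request; anything sent over http is observable on the wire."""
    if urlsplit(url).scheme == "http":
        cleartext_log.append(dict(headers))
    return fake_server(url)


def call_api(url: str, enforce_https: bool) -> dict:
    """Client with an optional 'only ever speak https' policy.

    Returns the final status, whether the token was ever visible in
    cleartext, and whether the client refused to send at all."""
    cleartext_log: list = []
    headers = {"Authorization": f"Bearer {TOKEN}"}
    if enforce_https and urlsplit(url).scheme != "https":
        # Refuse locally instead of relying on the server to redirect.
        return {"status": None, "token_leaked": False, "refused": True}
    status, resp = send(url, headers, cleartext_log)
    while status in (301, 302, 307, 308):   # follow redirects as an app would
        status, resp = send(resp["Location"], headers, cleartext_log)
    leaked = any(TOKEN in h.get("Authorization", "") for h in cleartext_log)
    return {"status": status, "token_leaked": leaked, "refused": False}


if __name__ == "__main__":
    plain = f"http://{API_HOST}{API_PATH}"
    print(call_api(plain, enforce_https=False))  # 200 after redirect, token leaked
    print(call_api(plain, enforce_https=True))   # refused before anything was sent
```

The practical check is on the client side: an app that pins its API base URL to https never hits the redirect path, and the server-side redirect then only matters for misconfigured third parties.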