Uber allowed the Chinese servers of partner company Baidu to track the location of all of its users around the globe, according to a study released Thursday. That study also found that Uber is failing to enforce its data encryption policies on more than half of its hundreds of app partners, leaving user data vulnerable to exploitation.
Titled "Uber: Security Risks Come Along with Your Ride," the study was conducted by Appthority, a San Francisco firm that specializes in helping enterprises and government agencies find secure mobile solutions. Appthority often analyzes popular apps, such as Uber, to determine whether its customers should use those services.
"We wanted to raise awareness, with the sheer number of apps that connect to Uber's services, what information they're collecting and the fact that it's not very well protected," said Domingo Guerra, Co-founder and President of Appthority.
The analysis of Uber revealed several points of concern that companies and government entities with sensitive information might want to consider before using the ride-hailing app for business purposes, Appthority said.
Of highest concern was Uber's partnership with Chinese tech giant Baidu. In most parts of the world, Uber uses Google for some of its location services, Appthority said, but because Google does not operate in China, Uber relied on the technology of Baidu to provide those types of services in that country until the company's app ceased to operate there late last year. As a result, the Uber app contained Baidu code that could send the data of all of Uber's users from around the world back to the company's servers in China. This is especially concerning considering that the Uber app asks users for permission to pull their location data even when the app isn't open on their smartphones, Appthority said.
"There are very strong connections between Chinese companies and the Chinese government's ability to collect or access information from those companies, so just the fact that there's a link back to a Chinese company on everyone's device without users knowing is also something to look into," Guerra said.
Uber denies that this code was ever used to track the locations of users outside of the U.S. The code was meant to serve those using the app within China, Uber said. The code had been present in the Android version of the app since 2014 and in the iOS version since 2015. The company also said that a new version of its app that did not contain the Baidu code began rolling out in waves to iOS and Android users in early November. Appthority said it found the code in the version of the app that it analyzed as recently as December, and it said that Baidu continues to connect to Uber's API.
The most current version of Uber continues to contain lines of Baidu code, but Appthority said it has not yet concluded what that code is doing and plans to analyze it further. However, the remaining Baidu code is not a run-time service, which means that it is not running constantly in the background of users' smartphones.
At this point, Appthority said it has not found any signs of abuse of this data, but allowing data of users outside of China to be stored in the country is a risky endeavor, said Su Mon Kywe, the lead security researcher behind the study.
John Dickson, a former U.S. Air Force intelligence officer and a principal at security specialist Denim Group, said that if a Chinese company has access to this type of data, he would expect the Chinese government to use big data analytics tools to sift through the information and track the location of key individuals, such as American government officials, politicians and businesspeople.
"I think that if you asked 10 security folks whether or not this data would fall into government hands, I think nine out of 10 would say that you can assume the Chinese would be cooperating with their government to make sure they have it," Dickson said.
Additionally, Appthority found that among the more than 600 apps tapping into Uber's data via the company's application program interfaces, or APIs, more than half of them are failing to properly encrypt the user data they pull from Uber.
Third-party apps connect with Uber for a variety of reasons. Some allow users to easily play music from their streaming accounts in their rides. Others deliver news articles to users within the Uber app. Some allow users to connect their social networks with the ride-hailing service while others allow users to hail cars from apps other than Uber's.
Although these services properly encrypt the data as it is pulled from Uber, they do not always use a secure protocol when connecting with the APIs of other companies. That leaves sensitive user data from Uber -- which may include ride history, payment history and pick-up and drop-off locations -- vulnerable to hackers.
Uber has policies that require its API partners to keep the data secure, but the Appthority team said it was able to confirm that this data is not being properly encrypted by Uber's partners.
"We were able to verify that it's something that anyone can do. It's pretty trivial if you know what to look for," said Guerra, explaining that by using the API tokens of certain partners, a hacker can "pretend to be that service and get any information there."
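To make the failure mode described above concrete, here is an added example (not code from Uber, Appthority or any partner) that scans a constructed outbound-request log of a hypothetical partner app and flags requests that carry an Uber access token or the trip-history fields Uber says it shares (distance, product type, start and end time, city) over plain HTTP. The log format, hostnames and token value are all invented for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of outbound-request log lines from a hypothetical partner app.
# Format, hostnames and token are invented for this example, not taken from any real service.
SAMPLE_LOG = """\
2017-01-12T10:01:02Z GET https://api.uber.com/v1.2/history authorization=Bearer tok_abc123
2017-01-12T10:01:05Z POST http://partner-analytics.example/ingest authorization=Bearer tok_abc123 body=city=SF;start_time=1484215200
2017-01-12T10:01:06Z GET https://cdn.example/logo.png
2017-01-12T10:01:09Z POST http://music.example/sync body=product=uberX;distance=4.2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<url>\S+)(?P<rest>.*)$")

# Markers for an OAuth bearer token and for the trip-history fields Uber says API partners receive.
SENSITIVE_MARKERS = (
    "authorization=Bearer", "distance=", "start_time=", "end_time=", "city=", "product=",
)


def find_cleartext_leaks(log_text):
    """Return (timestamp, host, markers) for every plaintext-HTTP request that carries
    an access token or Uber trip-history fields.

    Only the scheme the client actually used matters: a server-side redirect to HTTPS
    happens after the request has already been sent, so it cannot protect these bytes.
    """
    leaks = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected log format
        parts = urlsplit(m.group("url"))
        if parts.scheme != "http":
            continue  # HTTPS transport: the payload was encrypted on the wire
        markers = [k for k in SENSITIVE_MARKERS if k in m.group("rest")]
        if markers:
            leaks.append((m.group("ts"), parts.hostname, markers))
    return leaks


if __name__ == "__main__":
    for ts, host, markers in find_cleartext_leaks(SAMPLE_LOG):
        print(f"{ts} cleartext request to {host} carrying {', '.join(markers)}")
```

Run against the sample, the scan reports the two plain-HTTP requests to the hypothetical analytics and music hosts and ignores the HTTPS call to Uber's API and the static image fetch.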
Companies that use Uber for Business to provide employees with rides may want to consider the company's handling of their data before continuing to use the service. Guerra said he can imagine scenarios where data can be exploited to track where companies' executives live or, perhaps more importantly, the places that they frequent.
For example, if a business executive's calendar integration into the Uber app showed that he's taking rides to the hospital for "cancer treatment once a month or once a week and anyone intercepts that -- if it's a publicly traded company, it could cause the stock to crash," Guerra said.
"We really feel that location tracking is identifiable to a user -- it's considered Personal Identifiable Information, or PII -- so it needs to have better security," Guerra said.
Uber denied claims that its partners are abusing the data collected by the company's app.
"We have strict terms of service for developers who use our APIs," a spokeswoman said in a statement. "Under this policy, user data can only be shared with API partners if the user gives their permission through the OAuth process. In the case of trip history, only distance, type of Uber service, start and end time, and city are available. Exact pick-up or drop-off location is never shared. This policy is publicly available at: https://developer.uber.com/docs/riders/terms-of-use"
"Our terms of service also require any Uber data or data otherwise related for a developer integration of the Uber API to be encrypted and transmitted over a secure, encrypted channel (e.g., HTTPS)," the spokeswoman added. "Even if an app requests data from Uber's API without HTTPS, we redirect them to HTTPS before our server will respond."
Appthority said it shared the report with Uber via its support channel, but it has not received a formal response thus far.
The company could protect user data by simply better enforcing its API policies and shutting out partners that do not keep data secure, Kywe said.
"Uber needs to realize that it's Uber's reputation and it's Uber's users' information at risk whenever they allow just any third-party to access that data," Guerra said.
At this point, Appthority said companies with highly sensitive data should think twice before using Uber, or they should take extra steps to educate their employees on ways to use the service without putting their valuable information at risk. Another option to consider is Lyft, which has fewer API partners and only tracks users' location data when they open the Lyft app, Appthority said.
"Security researchers, whether individuals or companies, are always welcome to discuss any issues they believe they've found with Uber's security team by reporting it through our bug bounty program," the Uber spokeswoman said.