Uber has denied that code from a Chinese partner company, found in a previous version of its app, was used to track the location of users outside of the Asian country.
The company issued a statement a day after a team of cybersecurity researchers told Inc. that they had found code in a November 2016 version of the Uber app that allowed Chinese tech giant Baidu to send the data of all of Uber's users from around the world back to the company's servers in China.
"Baidu's public SDK [software development kit] was disabled on the Uber app everywhere outside of China and was used only to enable U.S. riders to use Uber services while traveling in China without downloading a separate app," a company spokeswoman said on Friday. "In 2016, Uber ceased operations in China and subsequently, the Baidu SDK is not included in the latest version of the Uber app."
The Baidu code in the Uber app was found by Appthority, a company based in San Francisco that specializes in helping enterprises and government agencies find secure mobile solutions. Appthority analyzed a version of Uber's app that contained various lines of Baidu code. Appthority told Inc. that this code could track the location data of Uber users in the U.S. and other parts of the world outside of China.
Appthority said it did not find any evidence that the code was used to track users outside of China. Appthority said there are still lines of code in the latest version of Uber. The company said the latest version of this code is not running constantly in the background of users' smartphones, but Appthority said it plans to continue analyzing what exactly this code can do.
John Dickson, a former U.S. Air Force intelligence officer and a principal at security specialist Denim Group, said this type of code being present in the Uber app was "pretty scary." Dickson added that the Chinese government, which is known for surveilling American businesses operating in China, has the resources to make use of the type of data that Baidu could have culled from Uber.
"If you're clever enough, if you have enough time and resources, you could do a lot of stuff with this data," said Dickson, adding that it could have potentially been used to track the whereabouts of American businesspeople and government officials.
Appthority's Uber findings come after a series of public relations fiascos for the ride-hailing company, which has had to deal with allegations of sexism, sexual harassment, government circumvention, and trade secret theft in the past month.