Uber's ride-hailing app has been granted unprecedented access to sensitive Apple features, allowing it to potentially record your iPhone screen and access personal information without your knowledge. This extraordinary entitlement is not disclosed in any consumer-facing information included with the app.
The revelation raises important questions for a company already under investigation for other controversial business practices. Uber claims the code was not being used and was simply a vestige of an earlier version of its Apple Watch app, but experts are sounding alarm bells.
"Granting such a sensitive entitlement to a third party is unprecedented," says Will Strafach, a security researcher who discovered the situation. "No other app developers have been able to convince Apple to grant them entitlements they've needed to let their apps utilize certain privileged system functionality."
How it Works
Most iPhone apps use entitlements to enable features like the camera or Apple Pay. However, certain entitlements are used only by Apple, giving its software tight integration with the iPhone. These private entitlements have names that start with "com.apple.private," and they're considered so sensitive that any third-party app found using them is rejected from the App Store.
After digging into Uber's code, Strafach discovered it was using an entitlement called "com.apple.private.allow-explicit-graphics-priority." This is unusual, as no other app besides Apple's own apps has been granted access to this sensitive entitlement. Uber claims Apple gave permission for its earlier Apple Watch app to use the entitlement to render maps on the iPhone.
The Implications
This level of access could be used to record a user's screen without their knowledge, according to Thomas Jansen, founder of security research company Crissy Field. That's why Apple typically doesn't allow just any company to use private entitlements.
Apple has not commented on the matter, but experts speculate that its willingness to grant Uber this level of access may be due to its close relationship with the ride-hailing company. In 2015, Apple demonstrated the Uber app onstage when it introduced the Apple Watch, and Uber was a launch app for the device.
Trust Issues
Uber has previously been caught violating App Store rules, and it has a history of pushing boundaries when building software that may break laws or be unethical. The company's relationship with Apple is complex, with Uber receiving investment from the tech giant through its investment in Chinese ride-hailing company Didi Chuxing.
In 2016, Didi merged with Uber's Chinese subsidiary, and Kalanick resigned as CEO in June of that year. Uber's current CEO, Dara Khosrowshahi, has not publicly commented on the company's relationship with Apple, but he has addressed the company's culture of rule bending.
A recent change to iOS allowed Uber users to prevent the app from collecting their location while they weren't using it.