Apple has granted an undocumented private app permission that allows Uber to record anything on an iPhone screen without your knowledge.
Security researcher Will Strafach discovered the feature, which has apparently been used by apps on jailbroken devices without permission from Apple.
However, what makes this case unique is that Uber is the only third-party app to be given private access to the feature by Apple. Mr Strafach reached this conclusion after indexing the binaries of thousands of apps.
Luca Todesco, Apple expert and jailbreak author, said apps can generally only write to the iPhone's framebuffer – a part of the phone's memory that contains pixel and display data. However, this permission means that Uber was given the ability to read from or write to it.
"Writing is always possible from an app using normal rendering services, which draw to framebuffer on your behalf," he told ZDNet. "Reading allows you to look at the device's screen."
According to Mr Todesco, this is the same as giving Uber the ability to keylog – to use a computer program to record every keystroke made by a user, especially in order to gain fraudulent access to passwords and other private information.
"I find this very frightening and dangerous," he said.
The feature also "paints a pretty big target on top of the app" for hackers looking to exploit the permission, the Apple expert added.
According to an Uber spokesman, the code had been implemented to improve rendering on its Apple Watch app.
"It's not connected to anything else in our current codebase and the diff [sic] to remove it is already being pushed into production," said the spokesman.
"This API would allow maps to render on your phone in the background and then be sent to your Apple Watch."
Uber explained that subsequent updates to the Apple Watch and its own app had improved rendering, so the company would be completely removing the function.
This isn't the first time Uber has been exposed over privacy issues. The New York Times reported that the company had violated Apple's rules: it was revealed that it had been tracking iPhones after the app was deleted.
Mr Strafach explained that he was shocked to see that even after Tim Cook, Apple chief executive, threatened to kick Uber out of the App Store, the company somehow managed to convince Apple to "let them have exclusive access to this privileged entitlement."
"It seems they got special treatment and do not want to directly admit it," he added.
Apple has yet to comment.