Mobile app security testing research from Appthority shows that Uber is exposing sensitive personal and corporate data. The problems relate to its approach to encryption, privacy policies, location tracking, and physical security exposures.
The mobile app security testing research showed that the Android app has increased the number of background services running from 0 in early 2015 to 26 in March 2017. There are now 600 third party apps and services integrated into Uber’s APIs. There is no way to monitor and track what data these services are collecting, where they fit into Uber’s privacy policy, or how secure the third party services in use are.
Uber for Business is an additional cause for concern: location tracking is on for all users, which employees might want to keep private, and the app holds permissions that might be accessing data concerning their business.
Mobile app security testing of the app showed that as Uber integrates with a growing number of third party services, it is accessing more user information that might be confidential. Unencrypted connections to remote servers were found in 84% of the apps using the time estimates API and 61% of those using the history API.
In addition, 15 integrated third-party apps are exposing secret tokens, and new releases of the app are failing to use HTTPS for data transmission.
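The two findings above (cleartext API connections and secret tokens passed over them) are exactly what a mobile app security test surfaces by inspecting the app's captured network traffic. The script below is an added example written for this post, not Appthority's or Codified Security's tooling: it parses constructed proxy-style request lines, flags any request sent over plain HTTP, any credential-looking query parameter, and any credential header sent without TLS, and computes the share of calls to a given API path that went unencrypted. The host name `api.example-rides.test`, the `X-Api-Token` header and the parameter names in `TOKEN_PARAMS` are assumptions for illustration.

```python
"""Flag cleartext API calls and exposed tokens in captured mobile app traffic.

Added example, not Appthority's or Codified Security's code. The log lines
below are constructed; the host name, the X-Api-Token header and the
token parameter names are assumptions for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy-style capture: "<method> <url> <one header line>"
SAMPLE_LOG = """\
GET http://api.example-rides.test/v1/estimates/time?start=1,2 X-Api-Token: tok_live_abc123
GET https://api.example-rides.test/v1/history?offset=0 Authorization: Bearer eyJhbGci
GET http://api.example-rides.test/v1/history?offset=0&server_token=sk_secret_999 Accept: */*
POST https://api.example-rides.test/v1/requests Content-Type: application/json
"""

# Query parameters and headers that commonly carry credentials (assumed names).
TOKEN_PARAMS = {"server_token", "access_token", "token", "api_key"}
TOKEN_HEADERS = {"authorization", "x-api-token"}

LINE_RE = re.compile(
    r"^(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<hname>[^:]+):\s*(?P<hval>.*)$"
)


def parse_line(line):
    """Split one captured request line into method, URL and its header."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(log_text):
    """Return one finding dict per request that has at least one issue."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        parts = urlsplit(rec["url"])
        issues = []
        # Anything not on https is readable by whoever sits on the network path.
        if parts.scheme != "https":
            issues.append("cleartext")
        # Tokens in the URL end up in proxy logs, referrers and crash reports.
        if set(parse_qs(parts.query)) & TOKEN_PARAMS:
            issues.append("token-in-url")
        # A credential header is only as private as the transport carrying it.
        if rec["hname"].lower() in TOKEN_HEADERS and parts.scheme != "https":
            issues.append("token-over-cleartext")
        if issues:
            findings.append({"url": rec["url"], "path": parts.path, "issues": issues})
    return findings


def cleartext_ratio(log_text, path_prefix):
    """Share of requests under path_prefix that were sent over plain HTTP."""
    total = clear = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        parts = urlsplit(rec["url"])
        if parts.path.startswith(path_prefix):
            total += 1
            if parts.scheme != "https":
                clear += 1
    return clear / total if total else 0.0


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["path"], ", ".join(f["issues"]))
    print("history API cleartext share:", cleartext_ratio(SAMPLE_LOG, "/v1/history"))
```

Run against a real capture, the per-path ratio is how a figure such as "61% of history API connections unencrypted" is produced, and the `token-in-url` and `token-over-cleartext` findings are the class of exposure behind the "secret tokens" result. On Android, the durable fix for the cleartext finding is a network security configuration that disallows cleartext traffic for the app, so a regression in a new release fails at runtime rather than silently downgrading to HTTP.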
In the past we have looked at Uber’s efforts to tackle its mobile app’s security issues with a bug bounty program and some of the more worrying vulnerabilities that mobile app security testing has shown. It looks like Appthority’s research is going to be added to the long list of problems giving Uber a headache at the moment.
Codified Security is here to help make your mobile app secure whether it’s for iOS, Android, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing try out Codified Security.