A security company has found that businesses which use Uber for their
employees risk having private data exposed.
Uber updated its software at the end of last year, which
triggered controversy for allowing it to
track locations of users well after their ride had ended.
That prompted tech security firm Appthority to analyse the flow
of data in and out of the Uber app, and it reported that the
latest app displayed a range of “risky behaviours” that were more
of a concern than in previous versions.
A major worry was that the newer versions of the popular
ridesharing app no longer enforced an encrypted (SSL/TLS) connection
for the data they send and receive, leaving that traffic exposed to
interception, and possible modification, by anyone on the network path.
“It’s unclear why Uber removed SSL support and important to note
that not using proper data encryption during network transmission
may lead to man-in-the-middle attacks or the disclosure of
important information to unintended parties,” the report read.
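A claim like this is one an enterprise can verify for itself from its own egress proxy or per-app flow logs rather than taking it from a vendor report: every flow an app opens is either cleartext HTTP, a weak SSL/TLS version, or current TLS, and only the last is acceptable. The following Python script is an added example and is not code from the article or from Appthority. The log format, its field names, the app identifiers and the sample lines are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of a per-app flow log from a corporate egress proxy.
# The format, hostnames and app identifiers are assumptions made up for
# this example; they are not data from Appthority's report.
SAMPLE_FLOWS = """\
2017-01-12T10:03:11Z app=com.example.rideshare dst=api.example-rides.com:443 proto=tls1.2 uri=/v1/trips
2017-01-12T10:03:12Z app=com.example.rideshare dst=cdn.example-rides.com:80 proto=http uri=/maps/tile?lat=-33.8688&lng=151.2093
2017-01-12T10:03:15Z app=com.example.rideshare dst=telemetry.example-rides.com:443 proto=tls1.0 uri=/v1/location
2017-01-12T10:04:02Z app=com.example.mail dst=mail.example.com:443 proto=tls1.2 uri=/sync
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) dst=(?P<host>[^:\s]+):(?P<port>\d+) "
    r"proto=(?P<proto>\S+) uri=(?P<uri>\S+)$"
)

# Cleartext HTTP is the primary finding; SSLv3 and TLS 1.0/1.1 are flagged
# as weak because an on-path attacker has practical downgrade attacks on them.
WEAK_PROTOS = {"ssl3", "tls1.0", "tls1.1"}
# Crude markers for request paths that look like they carry the kind of
# location or contact data the report is worried about.
SENSITIVE_MARKERS = ("location", "lat=", "lng=", "calendar", "contacts")


def parse_flow(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["port"] = int(flow["port"])
    return flow


def audit_flows(log_text, app_id):
    """Return findings for one app: each cleartext or weak-TLS flow, with a
    flag when the URI looks like it carries location or contact data."""
    findings = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["app"] != app_id:
            continue
        if flow["proto"] == "http":
            severity = "cleartext"
        elif flow["proto"] in WEAK_PROTOS:
            severity = "weak-tls"
        else:
            continue  # current TLS: nothing to report for this flow
        sensitive = any(mark in flow["uri"].lower() for mark in SENSITIVE_MARKERS)
        findings.append({
            "host": flow["host"],
            "port": flow["port"],
            "proto": flow["proto"],
            "severity": severity,
            "sensitive": sensitive,
        })
    return findings


def summarize(findings):
    """Count findings by severity, e.g. {'cleartext': 1, 'weak-tls': 1}."""
    counts = defaultdict(int)
    for finding in findings:
        counts[finding["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = audit_flows(SAMPLE_FLOWS, "com.example.rideshare")
    for finding in found:
        print(finding)
    print(summarize(found))
```

Run against the constructed sample, the ridesharing app produces two findings: a cleartext map-tile request that leaks coordinates in the query string, and a location upload over TLS 1.0. A flow that uses port 443 with current TLS is not reported, which is the point of checking the negotiated protocol rather than just the port.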
This vulnerability, combined with Uber’s recent ability to track
location information outside of actual rides and access personal
information on the phone, meant that business-sensitive
information was at risk of falling into the wrong hands.
“Uber has the ability to track location not only for C-level
executives but also for salespeople, developers and other
enterprise employees whose location could signal some activities
that they don’t want revealed for business reasons,” stated the
“Employee location is very important business information and it
becomes more valuable when other contextual data are added. For
example, Uber can access not only the location of a meeting, but
also the meeting agenda (by accessing calendar) and the meeting
attendees and their contact information (by accessing address
Appthority’s report demonstrated the potential corporate impact
with a hypothetical.
“For instance, location data could show a C-level executive going
to a cancer clinic. Terminal illness of a C-level executive can
affect stock prices,” the report read.
“While this additional data sharing adds convenience, it also
increases the risks that private data is shared with unintended
or unknown parties, especially if the data is shared insecurely.”
Business Insider contacted Uber Australia for comment but had not
heard back at the time of writing.
The security company had three recommendations for businesses
concerned about Uber’s data handling practices:
- For enterprises for which the risks described above are
deemed unacceptable, the Uber app can be blacklisted for all
users, or only for privileged users or another select group that
may be higher-risk targets.
- If the enterprise security team chooses not to blacklist the
Uber app, it can educate employees to turn off location
services for the app. Uber will still function; the user just has
to type in the pickup address. Users may choose to do that anyway
to avoid the post-ride location tracking.
- As a general best practice, enterprises should educate their
employees not to grant an app access to another app's data
unnecessarily. If access has already been given, the user can
revoke it from the account settings page on the Uber website, as
follows: go to “https://login.uber.com/login”. Under Profile >
Connected Accounts, a list of apps connected to the Uber account is
shown. Users can disconnect each one by clicking “Disconnect”.