On Uber’s ‘Identifying and Tagging’ of iPhones

Mike Isaac’s profile of Uber CEO Travis Kalanick for The New York Times contains an accusation that, on its face, sounds outrageous:

For months, Mr. Kalanick had pulled a fast one on Apple by directing his employees to help camouflage the ride-hailing app from Apple’s engineers. The reason? So Apple would not find out that Uber had been secretly identifying and tagging iPhones even after its app had been deleted and the devices erased — a fraud detection maneuver that violated Apple’s privacy guidelines. But Apple was on to the deception, and when Mr. Kalanick arrived at the midafternoon meeting sporting his favorite pair of bright red sneakers and hot-pink socks, Mr. Cook was prepared. “So, I’ve heard you’ve been breaking some of our rules,” Mr. Cook said in his calm, Southern tone. Stop the trickery, Mr. Cook then demanded, or Uber’s app would be kicked out of Apple’s App Store. For Mr. Kalanick, the moment was fraught with tension. If Uber’s app was yanked from the App Store, it would lose access to millions of iPhone customers — essentially destroying the ride-hailing company’s business. So Mr. Kalanick acceded.

“Secretly identifying and tagging iPhones even after its app had been deleted and the devices erased” is a rather startling accusation, because it sounds like it should be technically impossible. It’s also very much unclear what information Uber was able to glean from these “identified and tagged” iPhones other than some sort of unique device identifier. Unfortunately, the Times story is very short on details here. But note that the Times is not saying Uber was “tracking” these phones. A lot of people are jumping to the conclusion that Uber was somehow tracking the location of users even after they deleted the Uber app, but the word “track” only appears in the article in the context of Kalanick having “excelled at running track and playing football” in high school.

[Update: This explains a lot, regarding the hubbub today over this story. When first published, the Times story did use the word “tracking”, but a subsequent revision changed that word to “identifying and tagging”.]

Reading between the lines, it is possible — and my gut says quite probable — that Uber wasn’t doing anything on these iPhones other than when its app was installed and running on them. From the end of the article:

The idea of fooling Apple, the main distributor of Uber’s app, began in 2014. At the time, Uber was dealing with widespread account fraud in places like China, where tricksters bought stolen iPhones that were erased of their memory and resold. Some Uber drivers there would then create dozens of fake email addresses to sign up for new Uber rider accounts attached to each phone, and request rides from those phones, which they would then accept. Since Uber was handing out incentives to drivers to take more rides, the drivers could earn more money this way. To halt the activity, Uber engineers assigned a persistent identity to iPhones with a small piece of code, a practice called “fingerprinting.” Uber could then identify an iPhone and prevent itself from being fooled even after the device was erased of its contents. There was one problem: Fingerprinting iPhones broke Apple’s rules. Mr. Cook believed that wiping an iPhone should ensure that no trace of the owner’s identity remained on the device.

What Isaac is reporting here doesn’t require any code running on an iPhone other than when the Uber app is itself installed and launched. I’m speculating here, but it could be something like this:

The Uber app, while installed, fingerprints the device somehow, and reports the fingerprint home to Uber’s servers, where it is tied to the user’s Uber account. (All iPhones have a Unique Device Identifier — “UDID” — but Apple banned third-party apps from accessing it in 2012. Uber either found a way to access UDIDs surreptitiously, or created some other way of uniquely identifying devices even after they’ve been wiped. It would be good to know exactly what they did, but for the sake of my argument here it doesn’t matter.) The Uber app is deleted from the device and/or device is wiped. At this point, Uber knows the fingerprint for the device, but can’t use it to track the device in any way, and they don’t care, because until someone reinstalls the Uber app on the phone it isn’t being used to book fraudulent rides. The Uber app is reinstalled on the iPhone. When it launches, it does the fingerprint check and phones home again. Uber now knows this is the same iPhone they’ve seen before, because the fingerprint matches. This is the violation of Apple’s privacy policy.

But until step 3, when the Uber app is reinstalled, I don’t think Uber was “tracking” the phone in any way. And they didn’t care — the Times says the whole project was designed to counter fraud in China, which required the Uber app to be reinstalled on stolen iPhones.

Repeating from the opening of the article, Isaac wrote:

So Apple would not find out that Uber had been secretly identifying and tagging iPhones even after its app had been deleted and the devices erased — a fraud detection maneuver that violated Apple’s privacy guidelines.

That sounds like Uber was doing the identifying and “tagging” (whatever that is) after the app had been deleted and/or the device wiped, but I think what it might — might — actually mean is merely that the identification persisted after the app had been deleted and/or the device wiped. That’s not supposed to be technically possible — iOS APIs for things like the UDID and even the MAC address stopped reporting unique identifiers years ago, because they were being abused by privacy invasive ad trackers, analytics packages, and entitled shitbags like Uber. That’s wrong, and Apple was right to put an end to it, but it’s far less sensational than the prospect of Uber having been able to identify and “tag” an iPhone after the Uber app had been deleted. The latter scenario only seems technically possible if other third-party apps were executing surreptitious code that did this stuff through Uber’s SDK, or if the Uber app left behind malware outside the app’s sandbox. I don’t think that’s the case, if only because I don’t think Apple would have hesitated to remove Uber from the App Store if it was infecting iPhones with hidden phone-home malware.

The article does raise some questions:

What APIs and device info was Uber using to identify iPhones? Are these API loopholes now closed in iOS? If we don’t learn exactly what Uber was using to identify devices, we cannot know that the technique no longer works. iOS users should be able to feel confident that when they delete an app, all connections between their device and the developer of the app are disconnected, and that when they wipe a device, everything personally identifying has been removed from it.

What exactly did Apple know about Uber’s actions in this regard when Tim Cook called Kalanick in for the meeting? Was Apple aware that Uber was specifically keeping a database of unique iPhone identifiers? If so, how?

What prompted Apple to investigate Uber in this regard? And why did Uber suspect Apple was going to investigate, prompting them to geofence their fingerprinting so it wouldn’t trigger in Cupertino? (My theory: the Uber app was calling private APIs, and they used the geofence to avoid calling those private APIs while the app was in App Store review, assuming, perhaps incorrectly, that all App Store reviewers work in Cupertino. App Store review can identify apps that call private APIs.)

Update: Why didn’t Apple require Uber to disclose what they’d done as a condition for remaining in the store? Shouldn’t iPhone users who had Uber installed know about this?

[Update 2: Will Strafach examined a 2014 build of the Uber iOS app and found them using private APIs to use IOKit to pull the device serial number from the device registry. There might be more, but this alone is a blatant violation of App Store policy. Strafach confirms that the technique Uber was using no longer works in iOS 10.]

The article also contains this non-Apple-related tidbit:

Uber devoted teams to so-called competitive intelligence, purchasing data from an analytics service called Slice Intelligence. Using an email digest service it owns named Unroll.me, Slice collected its customers’ emailed Lyft receipts from their inboxes and sold the anonymized data to Uber. Uber used the data as a proxy for the health of Lyft’s business. (Lyft, too, operates a competitive intelligence team.) Slice confirmed that it sells anonymized data (meaning that customers’ names are not attached) based on ride receipts from Uber and Lyft, but declined to disclose who buys the information.

This is, needless to say, super shitty. We expect it from Uber. But Slice should be ashamed of themselves. Their Unroll.me service is billed as a tool to “Clean up your inbox” by identifying subscription emails and allowing you to unsubscribe from them in bulk. It’s “free” in the sense that you don’t pay them money, but they’re selling your personal information to companies like Uber. Supposedly that information is anonymized, but wiped iPhones are supposed to be anonymized too, and Uber found at least one route around that.