Howdy ho!

This is one of those interim posts where I’m not posting something cool, but rather something that’s bothering me. You know, like a blog post?

Anyways, I downloaded Uber the other day and its pretty cool and handy. The only qualm I had was with all the permissions it asked for.

You can see the permissions the app wants to use by viewing the “AndroidManifest.xml” file inside the APK. just open the thing with 7zip and view it. Unfortunately doing this will yield garbage data.

The easiest way I’ve seen is to use a tool like xml-apk-parser.



Now we can get a clearer picture of what the heck it wants permission to use:



<uses-permission android:name= "android.permission.ACCESS_COARSE_LOCATION" > </uses-permission> <uses-permission android:name= "android.permission.ACCESS_FINE_LOCATION" > </uses-permission> <uses-permission android:name= "android.permission.ACCESS_NETWORK_STATE" > </uses-permission> <uses-permission android:name= "android.permission.ACCESS_WIFI_STATE" > </uses-permission> <uses-permission android:name= "android.permission.CALL_PHONE" > </uses-permission> <uses-permission android:name= "android.permission.CAMERA" > </uses-permission> <uses-permission android:name= "android.permission.GET_ACCOUNTS" > </uses-permission> <uses-permission android:name= "android.permission.INTERNET" > </uses-permission> <uses-permission android:name= "android.permission.MANAGE_ACCOUNTS" > </uses-permission> <uses-permission android:name= "android.permission.READ_CONTACTS" > </uses-permission> <uses-permission android:name= "android.permission.READ_PHONE_STATE" > </uses-permission> <uses-permission android:name= "android.permission.USE_CREDENTIALS" > </uses-permission> <uses-permission android:name= "android.permission.VIBRATE" > </uses-permission> <uses-permission android:name= "android.permission.WRITE_SETTINGS" > </uses-permission> <uses-permission android:name= "android.permission.WRITE_EXTERNAL_STORAGE" > </uses-permission> <uses-permission android:name= "com.google.android.providers.gsf.permission.READ_GSERVICES" > </uses-permission> <permission android:name= "com.ubercab.permission.C2D_MESSAGE" android:protectionLevel= "0x00000002" > </permission> <permission android:name= "com.ubercab.permission.NOTIFY_ACTION" android:protectionLevel= "0x00000002" > </permission> <uses-permission android:name= "com.ubercab.permission.C2D_MESSAGE" > </uses-permission> <uses-permission android:name= "com.google.android.c2dm.permission.RECEIVE" > </uses-permission> <uses-permission android:name= "android.permission.WAKE_LOCK" > </uses-permission>

Christ man! Why the hell would it want access to my camera, my phone calls, my wifi neighbors, my accounts, etc? We’ll see in just a second.

public void run() { Looper. prepare (); InAuthManager. getInstance (). updateLogConfig ( this . val $URL, this . val $acctGUID); InAuthManager. getInstance (). sendAccountsLog ( this . val $transID); InAuthManager. getInstance (). sendAppActivityLog ( this . val $transID); InAuthManager. getInstance (). sendAppDataUsageLog ( this . val $transID); InAuthManager. getInstance (). sendAppInstallLog ( this . val $transID); InAuthManager. getInstance (). sendBatteryLog ( this . val $transID); InAuthManager. getInstance (). sendDeviceInfoLog ( this . val $transID, true ); InAuthManager. getInstance (). sendGPSLog ( this . val $transID, true ); InAuthManager. getInstance (). sendMMSLog ( this . val $transID); InAuthManager. getInstance (). sendNetDataLog ( this . val $transID); InAuthManager. getInstance (). sendPhoneCallLog ( this . val $transID); InAuthManager. getInstance (). sendSMSLog ( this . val $transID); InAuthManager. getInstance (). sendTelephonyInfoLog ( this . val $transID, true ); InAuthManager. getInstance (). sendWifiConnectionLog ( this . val $transID); InAuthManager. getInstance (). sendWifiNeighborsLog ( this . val $transID); } });

Why the hell is this here? What’s it sending? Why? Where? I don’t remember agreeing to allow uber accedes to my phone calls and sms messages. Bad NSA-Uber.

There’s a lot of code to go over. The thing is about 7.5 MB of classes. In fact, the code I snagged from above comes from about 1100 lines of code. See for yourself. I especially liked the ‘hasHeartbleedVulnerability()’ method. Why do they want to know that? Later exploitation?

Going through the licenses.html file in the apk file, theres a software suite missing.



See it? Stericson.RootTools

Google helps:



Why the hell would they need this? I know I keep asking questions, but here’s some answers: Uber checks to see if your device is rooted. It doesn’t tell you of course, it just wants to know so it can phone home and tell them about it. I also saw checks for malware, application activity and a bunch of other stuff.

[Correction] They use REST, not webdav. Thanks to everyone who pointed that out. Derp.

Like I said before, there’s a lot of data here to go through. Maybe Uber evil. Maybe Uber isn’t sending a bunch of data off to their collection servers for harvesting. Maybe I’m just paranoid.

Stay tuned for my next post, its gonna be good. I know I said that last time, but this is more of a blog post than an actual post.