Uber labelled “literally malware” following data collection reveal

Taxi app Uber has been called “literally malware” by users as they discovered at what lengths the app will go to in order to collect private information.

A group of users on Hacker News reverse-engineered the app while Uber’s website went down for routine maintenance. They discovered a piece of code embedded in the taxi app that sends far more information than necessary back to the company.

The data sent back includes email logs, app activity, device information, MMS data, SMS data, call history, WiFi connection, malware status, battery health, network data and SIM ID.

It was also discovered that the app checks if your device is rooted or jailbroken. On top that it scans for vulnerabilities to the infamous Heartbleed bug. Why Uber would need to know these details is anyone’s guess.

According to a blog post, the code that sends all this information home contains 1100 lines.

“Why is this here?” wrote the blog’s author. “What’s it sending? Why? Where? I don’t remember agreeing to allow Uber [access] to my phone calls and SMS messages.”

According to the app itself, Uber needs access to your identity, contacts, location, phone, photos, camera and WiFi networks. There is no mention, however, of it needing to use SMS history. The app includes an FAQ for those worried about what it might be collecting.

In a statement to Cult of Mac, Uber sought to address some of these concerns:

“Access to permissions including WiFi networks and camera are included so that users can experience full functionality of the Uber app. This is not unique to Uber, and downloading the Uber app is of course optional.”

Uber is not the only taxi app that collects large chunks of information. Lyft, its closest competitor, needs almost exactly the same permissions, except where Uber requires Wi-Fi Lyft requires SMS data.

Currently there is no solid evidence that Uber (or any other taxi app) is actually collecting all the data it is supposedly sending back home. It is, however, a worrying spotlight on the fact that there are no strict regulations on what an app can’t grab from your phone once you’ve clicked that “agree” button.