Monday, April 24, 2017

Uber Used Private API to Access iPhone Serial Number

Mike Isaac (Hacker News, MacRumors):

For months, Mr. Kalanick had pulled a fast one on Apple by directing his employees to help camouflage the ride-hailing app from Apple’s engineers. The reason? So Apple would not find out that Uber had been secretly identifying and tagging iPhones even after its app had been deleted and the devices erased — a fraud detection maneuver that violated Apple’s privacy guidelines.

But Apple was onto the deception, and when Mr. Kalanick arrived at the midafternoon meeting sporting his favorite pair of bright red sneakers and hot-pink socks, Mr. Cook was prepared. “So, I’ve heard you’ve been breaking some of our rules,” Mr. Cook said in his calm, Southern tone. Stop the trickery, Mr. Cook then demanded, or Uber’s app would be kicked out of Apple’s App Store.

Why did they do this?

At the time, Uber was dealing with widespread account fraud in places like China, where tricksters bought stolen iPhones that were erased and resold. Some Uber drivers there would then create dozens of fake email addresses to sign up for new Uber rider accounts attached to each phone, and request rides from those phones, which they would then accept. Since Uber was handing out incentives to drivers to take more rides, the drivers could earn more money this way.

Mr. Kalanick told his engineers to “geofence” Apple’s headquarters in Cupertino, Calif., a way to digitally identify people reviewing Uber’s software in a specific location. Uber would then obfuscate its code for people within that geofenced area, essentially drawing a digital lasso around those it wanted to keep in the dark. Apple employees at its headquarters were unable to see Uber’s fingerprinting.

Some thoughts:

Update (2017-04-30): See also: Accidental Tech Podcast.


"Despite the blatant violation and deceit, there was no punishment."

I find this utterly appalling. If Apple didn't want to permanently ban a major app, they still should have banned them for a month or two, just to make a point.

"There definitely seem to be different rules for different developers. Smaller developers get their apps pulled from the store"

Of course. And that's always going to be there. It's just the complete lack of punishment for Uber that appalls me.

"That said, it’s got to be a tough situation for Apple to be in. They’re trying to protect their customers, but denying them access to an important transportation service would harm them far more than what Uber did."

Here, I think you're dead wrong, Michael. Banning the Uber app from iOS permanently would've hurt Apple a bit, but it would have literally killed Uber. And I do mean literally; the company would have gone out of business. The two companies had very different stakes in the game here. If Apple had banned Uber for merely a month, with the duration announced ahead of time, it would have caused only very, very minor damage to Apple, but major damage to Uber, and would have ensured that no one would have ever tried to screw with Apple in this way again.

"The store is full of apps that flout the rules, but I don’t think Apple could ignore the geofencing."

Yup. The geofencing is where it goes from skirting around the rules to intentional fraud. (And not about Apple, but worth noting that Uber has a track record of these types of shenanigans.)

@Chucky Yeah. The rules are totally clear that deceit means you get expelled, i.e. your other apps, too. Instead, nothing.

What I was trying to say in that sentence was harm to the customers, not to Apple. I fully agree that a ban would have been devastating to Uber. (Perhaps they could have been reincarnated under a different corporate entity with a “new” app.)

Did Uber already have that track record in 2014/2015?

Harming the customers is MT's point. But I think there would have been a substantial PR hit for Apple, too. Some obscure rule gets broken -- the narrative goes -- and you shut down a major form of transportation for a month? Cripple the company? That would not play well.

"But if you’re Uber, you get a one-on-one meeting with Tim Cook, your app stays in the store, and your customers are kept in the dark."

Well, now, I do wonder who the source for the article was -- if it was Kalanick & Cook in the room together, it wasn't Kalanick telling the Times about it, with exact quotes, and everything.

Like Chucky, I find Apple's response quite appalling. There is so much rule violation going on.
How can I further trust Apple that it will act honestly if another “flashy”, “fashionable”, TBTF corporation does the same?
(I never used Uber and never will.)

@Michael (comment)
> Did Uber already have that track record in 2014/2015?

Check the Pando archives - threatening journalist Sarah Lacy amongst other things; their more than questionable treatment of their employees (hmm, contractors…).

@Total Yes, I’m sure there’s a fascinating story about how this story got to the NYT. I don’t really see Apple’s motive for talking since it doesn't make them look that great. Maybe someone ex-Uber knew of the meeting and then Isaac asked Kalanick about it. Do they need to have someone on record who was there in order to use quotation marks?

[…] Uber. I don’t quite understand how WeChat is allowed in the App Store in the first place; […]

[…] don’t trust Uber to use this entitlement responsibly. Nor do I trust App Review to be able to police how the […]

[…] Uber Used Private API to Access iPhone Serial Number […]

[…] don’t think anyone actually believes this. If a small developer did what Uber or Facebook did, they would have gotten more than a slap on the wrist. It’s also important to […]

[…] from App Review by geofencing, and was not punished for this blatant privacy violation. As Michael Tsai […]

[…] link mentions that Uber allegedly used a private API (IOKit) to access device serial numbers from their […]

[…] You can quibble with Spotify’s attempts to work around in-app purchase rules — it is obviously trying to challenge them in a very public way — but it is Apple which has such restrictive policies around external links, down to how they may be described. It is a by-the-letter reading to be as strict as possible, lest any loopholes be exploited. This inflexibility would surely be explained by Apple as its “level playing field”, but we all know that is not entirely true […]
