Mobile Apps: It’s Not Just Uber That’s Fingerprinting!

Many apps ask for information and permissions at installation time in order to track user activity, and users often consent to these requests. However, once the user deletes such an app, the tracking should stop as well. Instead, using a technique known as fingerprinting, app creators can illicitly keep tracking a mobile device after the app has been deleted, or before it is reinstalled.

Apple forbids such “phantom” tracking for apps in its App Store, but some app vendors claim they need to tag mobile devices even after app deletion to prevent fraud.

A recent high-profile case in point is Uber, the poster child for the “new gig economy”. The company’s tracking practices came to light after Apple engineers discovered them and made them public knowledge. Allegedly, Uber also practiced “geofencing” to virtually cordon off the Apple HQ and prevent Apple’s compliance staff from detecting the violation of Apple’s privacy rules. However, Apple engineers from other branches detected the tracking functionality in the Uber code.

Still more alarmingly, Uber is far from the only app creator engaged in fingerprinting. Within just minutes of starting its search, Mi3 Security’s online Recon Platform found more than 300 other iOS apps that do the same. Financial, gaming, news and information, enterprise, airline, health and fitness, entertainment, sports, education, social networking, and jailbreak apps are involved, not to mention iOS malware. Several Fortune 100 companies are affected, as well as organizations such as credit unions that outsourced their app development to a single vendor and ended up with the same or similar device-tracking code in their apps.

While Apple has made clear its decision to outlaw fingerprinting, its bark may be worse than its bite. Apparently, Apple CEO Tim Cook summoned Uber chief Travis Kalanick to express disapproval of Uber’s practices, but without other significant impact on the relationship between the two companies. Following the scolding, from late 2016 Uber’s app began tracking customers’ locations after they had finished using the app, although in this case customer consent was required.

Uber’s side of the story is that it does not track individual users or locations once the app has been deleted, and that the tracking serves to prevent fraud in which a criminal installs Uber on a stolen phone with a stolen credit card, takes expensive rides, and then deletes the app from the phone. The company also says it tracks users for five minutes before and after their ride to increase the accuracy of the collection point and to improve user security after the ride.

The Apple-Uber saga suggests that privacy violations on mobile devices via fingerprinting will continue to be a menace. However, they can be contained and even eliminated through suitable, rapid app analysis that identifies illicit fingerprinting code, for example code that uses Apple’s now-deprecated Unique Device Identifier (UDID) or dynamically loaded frameworks. App creators and companies concerned about possible privacy violations due to fingerprinting code segments in their apps can contact Mi3 Security for further information and assistance.
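As an added illustration of the kind of app analysis described above (example code written for this page, not Mi3 Security’s Recon Platform or any of its rules), the triage scanner below extracts printable strings from an app binary and flags the deprecated UIDevice `uniqueIdentifier` selector and `dlopen`/`dlsym` usage, while ignoring Apple’s sanctioned, resettable identifiers. The indicator table, the `SAMPLE_BINARY` blob and the verdict thresholds are constructed assumptions for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Indicator strings a triage scan looks for in an iOS app binary's string table.
# The selector/symbol names are real Apple APIs; treating them as fingerprinting
# indicators is this example's assumption, not a complete or authoritative rule set.
INDICATORS = {
    "uniqueIdentifier": "deprecated UIDevice UDID accessor",
    "dlopen": "runtime loading of a dynamic library/framework",
    "dlsym": "runtime symbol lookup, usually paired with dlopen",
}
# Apple-sanctioned, resettable identifiers: common in benign apps, never flagged.
SANCTIONED = {"identifierForVendor", "advertisingIdentifier"}

@dataclass(frozen=True)
class Finding:
    indicator: str
    description: str
    offset: int

def extract_strings(blob: bytes, min_len: int = 4):
    """Yield (offset, text) for runs of printable ASCII, like strings(1)."""
    for match in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield match.start(), match.group().decode("ascii")

def scan_binary(blob: bytes) -> list[Finding]:
    """Return one Finding per indicator token found in the binary's strings."""
    findings = []
    for offset, text in extract_strings(blob):
        for token in re.findall(r"[A-Za-z_][A-Za-z0-9_]*", text):
            token = token.lstrip("_")  # Mach-O C symbols carry a leading underscore
            if token in INDICATORS and token not in SANCTIONED:
                findings.append(Finding(token, INDICATORS[token], offset))
    return findings

def verdict(findings: list[Finding]) -> str:
    """UDID access alone needs review; with dynamic loading it is a stronger signal."""
    seen = {f.indicator for f in findings}
    if "uniqueIdentifier" in seen and "dlopen" in seen:
        return "likely fingerprinting: deprecated UDID access plus dynamically loaded code"
    return "review: " + ", ".join(sorted(seen)) if seen else "clean"

# Constructed stand-in for an app binary (not a real app): NUL-separated selector
# and symbol names with non-printable padding, as they would sit in a string table.
SAMPLE_BINARY = (
    b"\x00\xfe\xedidentifierForVendor\x00\x01\x02"
    b"uniqueIdentifier\x00\x03"
    b"_dlopen\x00@rpath/Tracker.framework/Tracker\x00\xff"
)

if __name__ == "__main__":
    results = scan_binary(SAMPLE_BINARY)
    for f in results:
        print(f"0x{f.offset:04x} {f.indicator}: {f.description}")
    print(verdict(results))
```

A string hit is only a triage lead: confirm by inspecting the code that references the selector or library before treating an app as non-compliant.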