
Apple authorised API allowing Uber to record users’ iPhone screens

Apple often takes a strict approach to security, but an apparent slip-up authorised an API which allowed Uber to record users’ iPhone screens.

Security researcher Will Strafach made the claim, saying the powerful ability would allow Uber to record the screen even when the app is running in the background.

The ability comes from what Apple calls ‘entitlements’, which allow app developers to do things that require special privileges, such as interacting with iCloud or Apple Pay. The screen recording entitlement was designed to improve memory management on the Apple Watch.

Strafach highlighted that the entitlement is not common and would have required explicit permission from Apple to use. In fact, he was unable to find another app live on the App Store with the capability.

“It looks like no other third-party developer has been able to get Apple to grant them a private sensitive entitlement of this nature,” Strafach said to Gizmodo. “Considering Uber’s past privacy issues I am very curious how they convinced Apple to allow this.”

On several occasions, Uber has been accused of questionable practices. For example, earlier this year it was accused of using a ‘Hell’ software program for industrial espionage against Lyft. The company also recently had its license to operate in London revoked over concerns about its conduct, including the failure to report drivers accused of sexual assault to police.

Uber claims Apple authorised use of the API when the Apple Watch debuted, so that Uber could meet deadlines to get its app working on the device.

“Apple gave us this permission years ago because Apple Watch couldn’t handle our maps rendering. It’s not connected to anything in our current codebase,” an Uber spokesperson said.

Following the researcher’s discovery, Uber says that, as the permission is no longer in use, it will be removed from the app.


Developer demonstrates ARKit for 3D finger painting

A developer has demonstrated the use of ARKit and Vision for performing 3D finger painting in augmented reality.

The developer, Osama Abdel-Karim, demonstrates how a user could draw in the air as if they were holding a pen. The ink will then magically appear on the surface. You can even add an effect to make the drawing into a 3D object.

Of course, it’s not actual magic powering the experience, but rather a form of wizardry from Apple’s software: in particular, the ARKit framework paired with an iOS 11 tool called Vision.

“I believe AR has always been missing two key technology leaps to make it useful: usability and immersion,” says Abdel-Karim. “We are heading towards a new AR hype peak very soon.”

You’re probably aware of ARKit as it’s been demonstrated on several occasions:

Jamf and Microsoft partnership latest to focus on Macs in enterprise

More evidence that Macs in the enterprise are gaining prominence: Jamf, an Apple-centric mobility provider, is partnering with Microsoft’s Enterprise Mobility + Security (EMS) for Mac security after an announcement at Microsoft’s Ignite event.

The move means authorised users are prevented from using Macs which are either personal, unmanaged, or otherwise not compliant with security policies.

The process sounds complicated but is relatively straightforward: users register the devices they want to use to access applications connected to Azure Active Directory. Compliance is established in Intune, Microsoft’s mobile device management tool, before the criteria are established on the Mac device by Jamf. This information gets sent to Intune, before Intune computes the device’s compliance state and puts that into Azure AD for evaluation.

“Organisations are often overexposed today. More and more, corporations have Mac devices, but they aren’t necessarily managed,” said Joe Bloom, Jamf product manager. “Further, leveraging only traditional login methods makes it hard for organisations to ensure that all of the data and email passing through Office 365 or other corporate applications is indeed secured.

“With Microsoft EMS and Jamf Mac management, organisations can validate user credentials, while also confirming a Mac is managed and compliant before granting access,” Bloom added.

As regular readers of this publication will testify, this is not the first company to focus on this issue. In its most recent Apple release last month, MobileIron said it was focusing on Macs, with Ojas Rege, VP strategy, saying that it was a ‘perfect storm’ for Apple devices. “Our goal with this release is to enable our customers to offer Macs across the entire employee base, as a corporate authorised platform, that we can secure with the full MobileIron security and access model,” he said.