NO HE DID NOT.
Sorry for yelling, but it's an important point.
Yep, I didn't see the NextWeb response until after my post.
I capitalized that phrase because the poster I was responding to (like many other posters) was confusing accessing data with sending data back to Uber servers. I wanted to draw attention to that distinction.
Go back and read the original GironSec blog post where he even acknowledges explicitly what he (inexcusably, IMHO) failed to do -- that others did after him and surprise! found nothing especially amiss -- before he wrote an inflammatory blog post based on supposition, conjecture and ignorance of context.
I re-read the blog post. I guess you mean in the comments section, where someone posts a link to the NextWeb article, GironSec responds:
I found code that might be used to spy. I didn't say they did. Hidden features.
Thanks for linking.
I don't see that GironSec supposed or assumed anything. The Gizmag blog post did, though.
GironSec did establish that:
- The Uber app includes a roottools library that can detect and use root access.
- The Uber app includes a semi-weaponized library that is marketed as anti-fraud protection for mobile banking.
The next step would be to look through Uber's code and see where it calls these libraries and what triggers the calls. Regardless, this is worthy of security news (and is legitimate research). Uber is not marketed as an anti-fraud, anti-malware tool, and AFAIK it does not advertise extra features on rooted phones.
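The "next step" described in the comment above (find where the app calls the bundled libraries and from which methods) can be scripted over a disassembled APK. The following is an added example, not code from the thread or from Uber's app: it walks smali-style disassembly (the format produced by tools such as apktool/baksmali), tracks the current class and method, and records every call site whose target falls under a given library package prefix. The smali text and all package names (`com/example/rideapp`, `com/example/roottools`, `com/example/antifraud`) are constructed placeholders, not the real library packages.

```python
"""Added example: map which methods of a decompiled Android app call a
bundled third-party library. The smali below is constructed and the package
names are hypothetical placeholders."""
import re
from collections import defaultdict

# Constructed sample of smali disassembly (hypothetical packages).
SMALI = """\
.class Lcom/example/rideapp/MainActivity;
.method protected onCreate(Landroid/os/Bundle;)V
    invoke-static {}, Lcom/example/roottools/RootTools;->isRootAvailable()Z
    invoke-virtual {p0}, Lcom/example/rideapp/MainActivity;->setupUi()V
.end method
.method private setupUi()V
    invoke-static {}, Lcom/example/rideapp/Util;->log()V
.end method
.class Lcom/example/rideapp/FraudCheck;
.method public run()V
    invoke-static {}, Lcom/example/roottools/RootTools;->isAccessGiven()Z
    invoke-static {}, Lcom/example/antifraud/Scanner;->scanInstalledApps()V
.end method
"""

# ".class [modifiers] Lpkg/Name;"
CLASS_RE = re.compile(r"^\.class .*?(L[\w/$]+;)")
# ".method [modifiers] name(args)ret"
METHOD_RE = re.compile(r"^\.method .*?(\w+)\(")
# "invoke-kind {regs}, Lpkg/Target;->method(args)ret"
INVOKE_RE = re.compile(r"invoke-\w+ \{[^}]*\}, (L[\w/$]+;)->(\w+)\(")


def find_call_sites(smali: str, library_prefixes):
    """Return {library_prefix: sorted list of 'Caller->method calls Target->method'}.

    Only calls whose target class starts with one of library_prefixes are
    reported, so app-internal calls are ignored.
    """
    hits = defaultdict(set)
    cur_class = None
    cur_method = None
    for raw in smali.splitlines():
        line = raw.strip()
        m = CLASS_RE.match(line)
        if m:
            cur_class = m.group(1)
            cur_method = None
            continue
        m = METHOD_RE.match(line)
        if m:
            cur_method = m.group(1)
            continue
        if line == ".end method":
            cur_method = None
            continue
        m = INVOKE_RE.search(line)
        if m and cur_class and cur_method:
            target_class, target_method = m.group(1), m.group(2)
            for prefix in library_prefixes:
                if target_class.startswith(prefix):
                    hits[prefix].add(
                        f"{cur_class}->{cur_method} calls {target_class}->{target_method}"
                    )
    return {prefix: sorted(callers) for prefix, callers in hits.items()}


if __name__ == "__main__":
    # Usage: point this at the concatenated .smali files of the app under review.
    report = find_call_sites(
        SMALI, ["Lcom/example/roottools/", "Lcom/example/antifraud/"]
    )
    for prefix, callers in report.items():
        print(prefix)
        for c in callers:
            print("  ", c)
```

The output answers the question the comment raises: which app classes reach into the library, and from which methods, which is the starting point for working out what user action or lifecycle event triggers those calls. On a real app you would feed it every `.smali` file from the disassembled APK rather than the constructed sample.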