For its use of spying technology and the allegations of workplace sexism that have dogged it since February, Uber has managed to alienate and sometimes infuriate scores of people, and that includes Apple CEO Tim Cook. The ride-sharing monolith tracked users even after they had deleted the app, in a clear violation of Apple’s privacy rules, reports a New York Times profile of Uber chief Travis Kalanick.
Uber claims its use of subterfuge was a way to ward off fraudulent activity on the app, namely in China. Drivers in the country often stockpiled iPhones and requested multiple rides using stolen credit cards -- a scheme used to make more money through company bonuses. To circumvent this, Uber would “fingerprint,” or use a Unique Device Identifier [UDID] to track phones participating in the ruse. Apple banned apps from using UDIDs in 2012, but Uber continued to fingerprint phones for years, leading to the meeting between Kalanick and Cook in 2015.
According to the Times report, Cook summoned the Uber chief to the iPhone maker’s Cupertino, California headquarters for a meeting, wherein he told Kalanick: “I’ve heard you’ve been breaking some of our rules,” and threatened to remove Uber from the Apple app store -- a stern warning that would have signaled certain catastrophe for the ride-share company.
Cook’s admonition was warranted, based on intel presented by the Times: Uber’s engineers prevented anyone who opened the app at Apple’s main campus from seeing its fingerprinting code, a process known as geofencing. Other Apple employees who work elsewhere soon caught on to the premise though, leading to the terse exchange between the company leaders.
Will Strafach, a security researcher who analyzed a version of Uber’s app from 2014 in response to the story, discovered that the company may have used special code to track users, telling TechCrunch in an email:
“They have code to nab a few things from the registry, but the only persistent identifier they actually use appears to be the device Serial Number.” Serial numbers are found in an iPhone’s Settings, and don’t change even if a device has been wiped and updated with a new account. The most recent iOS, The Guardian reports, doesn’t allow apps to track an iPhone Serial Number, so Uber’s scheme would have eventually been foiled anyway.