Uber's 5min and iOS 11

Sep 12, 2017 4:26:52 AM / by Himanshu Dwivedi

In the fall of 2016, Uber inserted a feature in its mobile apps allowing the company to track user location approximately 5 minutes after a recent trip had ended. The feature came with a whirlwind of controversy, as many riders felt it was an invasion of their privacy, especially since the 5 minutes after an Uber trip would probably pinpoint the exact location of a person’s home, office, or some other private location. While Uber may have had good intentions, the company did not share the benefits of the feature with the general public, nor did it disclose the feature itself (it was made public by third-party sources outside of Uber). This feature, among several other things, hurt Uber’s image as it pertains to end-user privacy.

Springing ahead to fall of 2017, Uber announced it would shut down the post-ride tracking feature, which came a few days after the announcement of Uber’s new CEO Dara Khosrowshahi. It was marketed as a measure to focus on privacy and transparency, and it was good timing to coincide with the new CEO.

Upon a closer look, we wanted to chime in on the technical side of the situation too. While we have no doubt Uber is pulling this feature for the right reasons, requirements in iOS 11 might have had something to do with the change as well. On iOS, an app can give an end-user three different options for location tracking: Always, While Using the App, and Never. Quick definitions are below:

  • Always: An app can always track a user’s location (even while running in the background)
  • While Using the App: An app can track a user’s location only when the app is in use (e.g. only when it is in the foreground)
  • Never: An app is never allowed to track a user’s location

Pre-iOS 11, an app was NOT required to provide all three options; therefore, an app could provide only two choices, such as Always and Never. While these two options seem okay on the surface, they back riders into a corner with apps like Uber, as riders now have to choose between privacy and a terrible user experience. For example, the option of “Never” forces a rider to type their source and destination address for each and every ride, essentially a non-starter for most people (imagine not knowing where you are, and then trying to find the cross street or street address of your location). This terrible user experience would force riders to select “Always”, giving Uber enough access to enable the post-ride tracking feature, which would otherwise be impossible if the rider was given the third option of “While Using the App”. Thus, giving riders only two options, one bad for privacy and one bad for user experience, forces most riders to select “Always”, granting Uber unlimited access to a rider’s location.

Noticing this problem, Apple made a change to iOS 11 which requires an app to provide all three options to end-users, including Always, While Using the App, and Never.

The new requirement from Apple will force Uber to provide the “While Using the App” option as well, which will probably be the option of choice for most riders. Assuming this is a correct guess, any data Uber was collecting with the post-ride tracking feature will stop abruptly once the end-user ends the ride, as data can no longer be collected if the app is not in use or in the foreground. Thus, while we feel Uber’s removal of the post-ride tracking feature was probably made for the right reasons, it is an interesting coincidence with the iOS 11 requirement that basically forces the same thing onto Uber.

In fairness to Uber, Data Theorem scanned all iOS apps in the App Store to see which other organizations were giving end-users the two bad options as well (“Always” and “Never”). The list was quite interesting (and already available to all OpenScan customers in the Data Theorem portal). If you are an app publisher and interested in the details of your own app, contact us for the results (free-of-charge). We will also provide secure code to your developers in order to help them adhere to current and future security & privacy requirements in iOS 11.
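App publishers can check their own Info.plist for the two-choice pattern described above. The following is an added example, not Data Theorem's scanner or code from Uber: the key names are Apple's location purpose-string keys, while the function names, verdict labels and sample plists are constructed for illustration.

```python
import plistlib

# Info.plist purpose-string keys behind the location choices iOS shows.
ALWAYS = "NSLocationAlwaysUsageDescription"          # "Always" (pre-iOS 11)
WHEN_IN_USE = "NSLocationWhenInUseUsageDescription"  # "While Using the App"
ALWAYS_AND_WHEN_IN_USE = "NSLocationAlwaysAndWhenInUseUsageDescription"  # iOS 11

def classify_location_options(plist_bytes):
    """Classify which location choices an Info.plist (XML or binary) supports."""
    info = plistlib.loads(plist_bytes)

    def declared(key):
        # A key only counts if it carries a non-empty purpose string.
        value = info.get(key)
        return isinstance(value, str) and bool(value.strip())

    always, in_use = declared(ALWAYS), declared(WHEN_IN_USE)
    combined = declared(ALWAYS_AND_WHEN_IN_USE)
    if not (always or in_use or combined):
        return "no-location"
    if always and not in_use:
        return "always-or-never"   # the two-choice pattern the article describes
    if in_use and (always or combined):
        return "three-options"     # Always, While Using the App, Never
    if in_use:
        return "when-in-use-only"
    return "ios11-incomplete"      # combined key without the when-in-use key

# Constructed sample plists (hypothetical apps, not real scan data).
SAMPLES = {
    "always_only": plistlib.dumps({ALWAYS: "Improve pickups."}),
    "ios11_ready": plistlib.dumps({
        ALWAYS: "Improve pickups.",
        WHEN_IN_USE: "Find your pickup point.",
        ALWAYS_AND_WHEN_IN_USE: "Improve pickups.",
    }),
    "empty_always": plistlib.dumps({ALWAYS: "", WHEN_IN_USE: "Find your pickup point."}),
    "combined_only": plistlib.dumps({ALWAYS_AND_WHEN_IN_USE: "Improve pickups."}),
    "no_location": plistlib.dumps({"CFBundleIdentifier": "com.example.notes"}),
}

def audit(samples=SAMPLES):
    """Map each sample name to its verdict."""
    return {name: classify_location_options(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name}: {verdict}")
```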

Topics: Mobile App Security, privacy, Apple

Written by Himanshu Dwivedi

CEO of Data Theorem, Inc.