
How I Accessed Employee Settings On Uber’s App

While debugging an upcoming app of mine, I accidentally got a closer glimpse into Uber’s iOS app internals. I was surprised by what I found and how easy it was to accomplish my findings.

Method of Discovery

I began by firing up Charles, a tool that allows you to monitor and analyze traffic between a client and the internet. Because my lifeblood is building client-server applications, I am a religious user of Charles to aid me in my daily development tasks. I usually route all traffic between the internet and my iOS device through my machine by setting it up as a proxy. While inspecting and debugging the network traffic of my app, I needed a ride, so I fired up the latest version of the Uber app. Charles immediately began showing the requests and responses the Uber app was making and receiving, so I decided to take a closer look.

Uber's app talks to its servers over SSL, so inspected in raw form the traffic looks like a bunch of gibberish. Charles, however, can proxy SSL: it presents its own certificate to the device (which the device trusts because Charles's root certificate was installed on it), effectively allowing you to view the requests and responses in plain text. With the requests flowing in, I noticed a request made every 5 seconds.

[Image: the captured Uber requests in Charles]

One particular request of interest is used by Uber to receive and communicate rider location, driver availability, application configuration settings and more to devices. Upon inspecting the response, I discovered the key isAdmin, which was set to false for my particular account. Charles allows you to define rewrite rules, so I rewrote the response, changing the value for isAdmin to true, curious to see the effect it would have on the app. I browsed through the app with the new value applied… lo and behold, I stumbled upon the Employee Settings screen from the About screen:

[Images: Uber Employee Settings Menu; Uber Employee Settings; Uber Fake Views]

As you’ve probably noticed, Uber’s app is extremely dynamic. Their client’s architecture allows them to customize the app’s UI to certain geographical areas, riders, and even individual devices, allowing them to do things such as deliver kittens, deliver food, offer rides on helicopters, and of course, change prices…all without re-submitting the binary for approval to the app store. This is common practice for many client-server applications, a neat way to target certain features/functionality to a limited subset of users without the burden/time constraints of submitting an app for review.

As you can see, your traffic is not 100% safe and anyone can inspect your requests and responses (even with HTTPS), so it's a good idea to always utilize defensive programming. A malicious third party could use this flaw to exploit the app in ways unforeseen. Even though Uber utilized HTTPS, there are still inherent flaws with the protocol that allow one to access certain screens meant for employees only. By assigning the UI display logic to the client, they are allowing for discoveries such as the one exposed in this post. Take a deeper look at the apps you use with Charles; you may be surprised at what you find.
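The point about defensive programming is best seen on the server side. The following is an added example, not Uber's code and not from the original post: a constructed session store, config endpoint and employee-only endpoint in Python. The "vulnerable" handler trusts the `isAdmin` value the client echoes back, so a rewritten config response unlocks the screen and the functionality behind it; the "hardened" handler derives the role from its own session record, so the rewritten flag only changes what the client draws. All tokens, endpoint names and user records are constructed for illustration.

```python
"""Added example (not Uber's code): a client-side `isAdmin` flag must never be
the only gate on privileged functionality. Names and records are constructed."""
import json
import logging

logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
log = logging.getLogger("authz")

# Constructed server-side session store: token -> user record. The role lives
# here, on the server, and is the only thing the hardened handler consults.
SESSIONS = {
    "tok-rider-123": {"user_id": 123, "role": "rider"},
    "tok-emp-777": {"user_id": 777, "role": "employee"},
}

def config_response(token: str) -> str:
    """Per-device configuration, as the app polls it. Sending `isAdmin` to the
    client is fine for deciding what to draw; it must not be an authority."""
    user = SESSIONS[token]
    return json.dumps({"isAdmin": user["role"] == "employee", "pollIntervalSec": 5})

def proxy_rewrite(response_json: str, key: str, value) -> str:
    """Models a Charles rewrite rule: the device receives an altered response."""
    body = json.loads(response_json)
    body[key] = value
    return json.dumps(body)

def client_shows_employee_menu(response_json: str) -> bool:
    """The client's display logic: it only knows what the response told it."""
    return json.loads(response_json).get("isAdmin", False) is True

# --- vulnerable: the server believes whatever the client asserts -------------
def employee_endpoint_vulnerable(token: str, request: dict) -> dict:
    # Authorization decided by a client-supplied field; a rewritten response
    # (or a crafted request) flips it, and the server never checks its own data.
    if request.get("isAdmin"):
        return {"status": 200, "body": "internal settings"}
    return {"status": 403, "body": "forbidden"}

# --- hardened: the role comes from the server's own session record ------------
def employee_endpoint_hardened(token: str, request: dict) -> dict:
    user = SESSIONS.get(token)
    if user is None:
        return {"status": 401, "body": "unauthenticated"}
    if user["role"] != "employee":
        # Worth logging: a non-employee account reaching an employee-only route
        # is exactly the signal a tampered client produces.
        log.warning("user %s (role=%s) denied on employee endpoint",
                    user["user_id"], user["role"])
        return {"status": 403, "body": "forbidden"}
    return {"status": 200, "body": "internal settings"}

def tampered_rider_flow(endpoint) -> tuple:
    """A rider's session with isAdmin rewritten to true in transit.
    Returns (employee menu shown on the client, HTTP status from the endpoint)."""
    token = "tok-rider-123"
    altered = proxy_rewrite(config_response(token), "isAdmin", True)
    shown = client_shows_employee_menu(altered)
    # The client, now showing the menu, calls the endpoint and echoes the flag.
    result = endpoint(token, {"isAdmin": json.loads(altered)["isAdmin"]})
    return shown, result["status"]

if __name__ == "__main__":
    print("vulnerable:", tampered_rider_flow(employee_endpoint_vulnerable))  # (True, 200)
    print("hardened:  ", tampered_rider_flow(employee_endpoint_hardened))    # (True, 403)
```

In both versions the rewritten flag makes the client draw the Employee Settings screen; only the hardened server refuses to act on it. The 403 on an employee-only route from a rider session is also the event a defender would alert on, since a genuine client never sends it.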

[cover photo PSD courtesy GraphicsFuel]


6 Comments

  • Stumbling Upon an Uber Vulnerability | Hackaday February 27, 2015 at 7:01 PM

    […] developer. He was recently debugging one of his new applications when he stumbled into an interesting security vulnerability while running a program called Charles. Charles is a web proxy that allows you to monitor and […]

  • Tech News / Stumbling Upon an Uber Vulnerability February 27, 2015 at 7:20 PM

    […] developer. He was recently debugging one of his new applications when he stumbled into an interesting security vulnerability while running a program called Charles. Charles is a web proxy that allows you to monitor and […]

  • Stumbling Upon an Uber Vulnerability | Hack The Planet February 27, 2015 at 7:52 PM

    […] developer. He was recently debugging one of his new applications when he stumbled into an interesting security vulnerability while running a program called Charles. Charles is a web proxy that allows you to monitor and […]

  • Fennec February 28, 2015 at 3:45 AM

    Surely as an app developer, you realise that this is how administrator-style interfaces are done in many apps? Just because you can change a flag to show an admin interface does not mean that the server will allow you to use it. I'd like to know whether or not you were actually able to use any of the admin menu's features?

    In any case, they should still really only be sending down the admin menu configuration if the account that requested it is actually an admin. Not sure what the fools at Über are doing.

  • JDL February 28, 2015 at 4:36 PM

    “your traffic is not 100% safe and anyone can inspect your requests and responses (even with HTTPS)”

    This statement is misleading in the extreme. In order for your proxy to decrypt the traffic you had to manually install a certificate on your mobile device. So while communication from *your* device can now be inspected, communication from my device or any other cannot.

    Now I do understand the point that you were trying to make; that someone willing to allow their traffic to be decrypted could, in the process, discover the existence of hidden UI features in the app that the author might not want to reveal. However making a blanket statement like the one above that is so easily misinterpreted as a fundamental security flaw is a disservice to your readers, and promotes fear and irrational behavior in people who are not technically equipped to see through the poor choice of words. This is already happening in the comments sections of other blogs that have picked up your story. Please take the time to amend your post to clarify your statement and clear any confusion.

    Also, a simple implementation of certificate pinning in the Uber app would have prevented your ability to MITM the communication between the app and their service. That observation would have been a worthy conclusion to your adventures reverse engineering.
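The certificate pinning JDL suggests, as an added example that is neither the post's nor Uber's code: a Python client that, after normal chain validation, compares the SHA-256 of the server's leaf certificate (its DER bytes) against a pinned set and refuses the connection on a mismatch. A certificate minted by a proxy's locally installed root passes chain validation on that device but carries a different digest, so the pin check rejects it. The certificate bytes, pins, host name and function names here are all constructed for illustration.

```python
"""Added example (not from the post or from Uber): leaf-certificate pinning,
so a proxy certificate issued by a locally installed root is rejected even
though the operating system trusts that root. Pins are SHA-256 digests of the
leaf certificate's DER encoding; the certificate bytes below are constructed."""
import hashlib
import socket
import ssl

class PinMismatch(Exception):
    """The server presented a certificate that matches no pinned digest."""

def cert_fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 of a DER-encoded certificate, the value that gets pinned."""
    return hashlib.sha256(der_cert).hexdigest()

def check_pin(der_cert: bytes, pins: set) -> bool:
    """True only if the presented certificate's digest is in the pin set.
    Ship at least one backup pin (the next certificate) so rotation does not
    lock every client out."""
    return cert_fingerprint(der_cert) in pins

def connect_pinned(host: str, port: int, pins: set, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and enforce the pin on top of chain validation.
    Chain validation runs first and would accept the proxy's certificate on a
    device where the proxy root was installed; the pin is what catches it."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    leaf = tls.getpeercert(binary_form=True)  # DER bytes of the leaf certificate
    if leaf is None or not check_pin(leaf, pins):
        tls.close()
        raise PinMismatch(f"certificate for {host} matched no pinned fingerprint")
    return tls

# Constructed stand-ins (not real certificates): the app's genuine leaf versus
# one issued on the fly by an intercepting proxy's root.
GENUINE_LEAF_DER = b"\x30\x82\x01\x0a-constructed-genuine-leaf"
PROXY_LEAF_DER = b"\x30\x82\x01\x0a-constructed-proxy-issued-leaf"
PINS = {cert_fingerprint(GENUINE_LEAF_DER)}

def demo() -> tuple:
    """(genuine certificate accepted, proxy-issued certificate accepted)"""
    return check_pin(GENUINE_LEAF_DER, PINS), check_pin(PROXY_LEAF_DER, PINS)

if __name__ == "__main__":
    print(demo())  # (True, False)
    # connect_pinned("api.example.invalid", 443, PINS) would raise PinMismatch
    # unless the server's leaf certificate digest is in PINS.
```

Pinning the whole leaf certificate is the simplest form and is what `getpeercert(binary_form=True)` hands back directly; pinning the SubjectPublicKeyInfo instead survives certificate renewals with the same key but needs ASN.1 parsing, which this example leaves out. Either way the check belongs in the app, not in the server, since the server never sees the substituted certificate.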

  • Friday Summary: More Cowbell | infopunk.org March 6, 2015 at 3:00 AM

    […] How I Accessed Employee Settings On Uber’s App […]
