From a reddit comment:<p>> The permissions you see on the install screen are actually triggered by various permissions in the permission group. I've checked Uber's (there's a button on the web play store and you can see it in the manifest), and the only one from the Device and App History group they actually use is "GET_TASKS", or get a list of recently opened apps.<p>> Furthermore, on Lollipop this permission doesn't even do anything anymore. The relevant function in the framework has been changed and only returns instances of the caller's own app now. So Uber can see when you last used Uber. Big deal.<p>> Basically, this is a big fuss for nothing. Uber is not accessing your browser history, and if you're on Lollipop or above they can't access your app history either. They may do that on lower versions, but it's most likely to counter buggy behaviour on those older versions and not to spy on you.
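An added example (not from the thread or the quoted Reddit comment): a check over a decoded AndroidManifest.xml that reports which requested permission triggers the "Device & app history" label on the install screen, and whether it still exposes other apps' data at a given API level. The sample manifest, package name and function name are constructed; the group table and the API cutoffs (21 for GET_TASKS, 23 for the bookmarks permission) are this example's assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumed membership of the Play Store "Device & app history" group.
# permission -> (install-screen wording, API level from which it no longer
# exposes other apps' data; None = not modelled in this example)
DEVICE_AND_APP_HISTORY = {
    "android.permission.GET_TASKS": ("retrieve running apps", 21),
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS":
        ("read your Web bookmarks and history", 23),
    "android.permission.READ_LOGS": ("read sensitive log data", None),
    "android.permission.DUMP": ("retrieve system internal state", None),
}

# Constructed sample manifest (decoded XML, as apktool or a store listing shows it).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rideapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.GET_TASKS"/>
</manifest>
"""

def history_group_triggers(manifest_xml, device_api):
    """Return [(permission, label, exposes_other_apps)] for every requested
    permission that makes the install screen show 'Device & app history'.
    exposes_other_apps is True/False, or None when no cutoff is modelled."""
    findings = []
    root = ET.fromstring(manifest_xml)
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID + "name")
        if name not in DEVICE_AND_APP_HISTORY:
            continue
        # android:maxSdkVersion means the permission is not requested at all
        # on devices newer than that API level.
        max_sdk = el.get(ANDROID + "maxSdkVersion")
        if max_sdk is not None and device_api > int(max_sdk):
            continue
        label, cutoff = DEVICE_AND_APP_HISTORY[name]
        exposes = None if cutoff is None else device_api < cutoff
        findings.append((name, label, exposes))
    return findings

if __name__ == "__main__":
    for api in (19, 21):  # KitKat vs. Lollipop
        print(api, history_group_triggers(SAMPLE_MANIFEST, api))
```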
Multiple comments here parroting the "this is a non-issue on Lollipop or later" defense. Per Android's own statistics [1], that leaves 60% of users vulnerable to excessive permissions.<p>1: <a href="http://developer.android.com/about/dashboards/index.html" rel="nofollow">http://developer.android.com/about/dashboards/index.html</a>
Uber engineer here. These permissions were mistakenly introduced by an engineer on the team who thought a 3rd party library needed them when in fact it does not. We definitely do not need or want those permissions and we’ve promptly released new versions to the Play Store that do not request them. Please upgrade to Uber app version 3.98.3 (3.99.2 in the beta channel) which no longer requests the extra permissions.
This permission should just simply not exist. I had two games and another app. The browsing history was, in this case, used for targeting ads. I did not need the apps and uninstalled the apps (it was around 2 years ago, on previous version of Android I think).<p>The apps on Android should be sandboxed and not be given this kind of permissions, that's all.
Very unnecessary overreach on android permissions..
Will be interesting to see how many of the fans of uber here on hn will try to spin this.<p>Just forwarded to some friends, they are uninstalling the rogue app as I type this!
My Samsung phone came with the Uber app baked into the ROM. Fortunately I know enough to disable it, but I can't completely uninstall it. And most users will be prompted ad infinitum to update until they give in.
After a long break from Uber I opened it up to price compare against Lyft. I switched between the two apps and then Uber offered me two free rides. It seemed like it was detecting that I was hesitating to "come back" to Uber.<p>I use Android Lollipop and even if the permission didn't allow them to see I was using Lyft, I wouldn't be surprised if they're trying to re-engage "hesitating" users and are snooping for whatever data they can.
I've said it before but I'll say it again: this is why you create a second throw-away Google account and use that to create a new profile on your phone dedicated to snoopy apps. Seriously: screw anyone that thinks harvesting my personal data is the cost I must pay for a cab ride.
Google released, then withdrew, an interface for revoking and limiting application permissions. On existing Android devices. Three years ago.<p>We know they can do this. We also know they don't care.<p>The challenge is to make them care.<p><a href="https://www.eff.org/deeplinks/2013/12/google-removes-vital-privacy-features-android-shortly-after-adding-them" rel="nofollow">https://www.eff.org/deeplinks/2013/12/google-removes-vital-p...</a>
My copy of Uber just updated and it doesn't seem to be requesting any of these permissions. I'm on Marshmallow, and on the permissions page these permissions are not there. Version 3.98.2 of Uber.<p>It's possible that these permissions are used in some obscure place in the app. With the new permissions system, you can progressively request permissions when you need them, so it's possible it will request these at some point in the future, but the app seems to run OK without them.<p>I also disabled access to contacts, which the app does request for some reason.
This is why I don't use an Android device as my primary phone, even though my perception is that you get rather more bang for your buck, hardware wise, on Android phones, and even though the Samsung Gear VR looks like someone implemented one of my less-realistic fantasies.<p>On iOS, yes, Uber asks for access to my contacts list, I click 'no' and Uber works just fine (modulo the 'spam my friends' feature, which I didn't want anyhow.)<p>On an Android, my understanding is that I've gotta choose between giving Uber permission to spam my contacts list and simply not using Uber, which is sad, because Uber is way more convenient than a yellow cab.<p>This contributes to the perception that because iOS is paid for up-front, Apple is willing to do things that might make apps less profitable, if it makes those apps better for the users, but that Android, because it is paid for by advertising, is less willing to side with the user against the app providers/advertisers.
I don't even understand why Android would even let this happen. I can't even think of desktop apps that try to gain access to your history or bookmarks, let alone a mobile app.<p>One time bookmark import is a thing I suppose, but that's different than gaining permanent access once granted.
I hate that AI support-replies are a thing. He sent a serious mail, and got a bogus reply back. I've had the same issues myself with other vendors, for instance Steam.
Props to whoever's responsible for itemized permissions requests on install/update--stories like these probably wouldn't exist without it.
So this is information about Uber app that I found in some blog:<p>-------<p>Android Uber app code has many suspicious places. For example, it contains a namespace "com.baidu.frontia" and classes there include such code as:<p><pre><code> localObject = ((TelephonyManager)localObject).getSubscriberId(); // gets IMSI
((TelephonyManager)localObject2).getDeviceId(); // gets IMEI
localObject1 = ((WifiInfo)localObject1).getMacAddress();
public static void makeCall(String paramString)
public static void sendSMS
</code></pre>
Also there is the code that collects information about cell towers, mcc and mnc codes, scans wifi networks.<p>I looked quickly through the code and it seems that those methods are never called. They are probably just a part of a library not used in this app. Uber mostly uses baidu maps, authorization and payment API.
How about make apps show us the data they collect, and if they don't, they don't get access to the store. Google has a pretty awesome page that lists all that crap they collect on you and you can delete it from there.<p>On the Google store site, when browsing apps, there should be a tab on every app page, where I can see a sample of what it collects and a declaration of what it does with that data.<p>After installing the app, in the app manager, I should get a tab where I can see what it's grabbing from me.<p>Right now we've got strangers going into our bedrooms borrowing something they won't tell us what it is.<p>And really permissions don't help a lot when it comes to this. Yeah, my bookmark dup cleaner has to access my bookmarks to clean, so I give it the permission, but does it keep them? Does it sell them? I don't know, permissions aren't that detailed. If there was a privacy tab that I could check, then I would know.<p>People hide nanny cams to watch the nanny. It's because they gave her permission to have access to the house and kid and such. The cam is like my privacy tab. It makes sure she doesn't abuse the permissions. We KNOW she needs access to the house and kid to do her job, we just don't want the kid molested. Well, I don't want my data molested. So Google, please give me an app nanny cam.
I believe the browser history lookup doesn't work anymore (I tried recently on 5.0 I believe). Also, many of the Android permissions are unnecessarily broad, I think that really would be a good thing to fix. Oftentimes you only need some specific function, but have to request a much broader range.
I'm really starting to worry about this as an Android user.<p>If I want to keep control of my privacy there are so many apps that I can't trust to install. Even little dinky games are asking for access to contacts and messages and all sorts of other things.<p>An application on a desktop computer that steals data from your email application and sends it back to base is called "Malware". On Android, this is called "business as usual" from what I can tell. I don't know the app developers' reputation, I don't know anything... Except that someone in some other country has unbridled access to my phone.<p>As a result there are many applications I want to use and I just don't install.<p>It's not very cool.
Anyone who knows android dev knows this is a non issue. The permission they request doesn't even do anything in lollipop and later.
Sounds more like a bad dev than anything malicious.<p>What's the saying? Never attribute to malice what can be explained by stupidity?
Crazy town app permissions are what keep me from using Android. I really wouldn't be able to install half the apps out there that ask for all sorts of permissions that are frankly obnoxious.
Uber could provide much more than a point to point ride service in its current traditional sense <i>if</i> users are willing to give up more data. For example, it could provide a user a tour/travel experience to match with the proper driver if it knows you are traveling. Or send you off to a nice dining experience if it knows you are a foodie, etc.
Just switch to the mobile web. Same capability, same interface, no intrusive permissions requirements.<p>Add it to your homescreen and you even get the glorious U logo back!<p><a href="https://m.uber.com/" rel="nofollow">https://m.uber.com/</a>
I have often wondered why Android doesn't categorise or have some mechanism to allow users to revoke permission later. I have been a long time Android user but recently started using iPhone. I don't like iPhone for many reasons but then the control you have on turning on and turning off location, data connectivity, access to photos etc. from one screen is really something you should have on all devices. I felt the need of this when Facebook asked for permission to read my messages.
Didn't Uber just admit to giving Feds their data on all their users?<p>What's the thought on Uber having access to such data as browsing and passing that along to the feds too?
Interesting that the headline leaves out the fact that this only applies to poor, security-less Android. Less sensational that way, I guess. (And less accurate.)
With Marshmallow, you can just turn off or deny certain permissions. So for most people who really want to run the Uber app, the question is really whether it runs OK without all these permissions.
Hmmm. Nobody talking about other apps that do this? Talking about Tinder[1] for example. They require "Device ID and cell information" too.<p>[1]: <a href="https://twitter.com/manu29d/status/710883865955422208" rel="nofollow">https://twitter.com/manu29d/status/710883865955422208</a>
Edit: interestingly, this comment had five points before the Uber fans modded away. Easier to click down than explain rogue apps I suppose...<p>They were lucky they didn't try the beta version of the new forthcoming Uber app - that version wants access to the phones of all your friends, family, neighbours, your postman, the sister of the locksmith that helped you get the spare key last year, and the chap you met on the train to work last week called Brian. Still, go Uber!
Come on guys, where are the academics? Instead of overreacting please just reverse engineer, get the facts and check WHY the Uber app actually requests these permissions. I mean, it's still Java, so you got the source. I don't think they're using native code or do more obfuscation than the average app (disclaimer, haven't checked (yet)).
Who's first?
If you have any questions, you can write Uber at privacy@uber.com.<p>-iOS App Permissions
<a href="https://www.uber.com/legal/other/ios-permissions/" rel="nofollow">https://www.uber.com/legal/other/ios-permissions/</a><p>-Android App Permissions
<a href="https://www.uber.com/legal/other/android-permissions/" rel="nofollow">https://www.uber.com/legal/other/android-permissions/</a>