How I fixed vulnerabilities in Uber’s mobile app in minutes | Without coding

In preparing for APIWorld I came across a Forbes article about a vulnerability in Uber’s mobile API, which prompted me to ask the question: how secure are your mobile APIs? I decided to have a look at Uber’s app myself and build mobile app and API security into the Uber app using a no-code platform. I recorded a video showing how I secured the app. You can view the video at the bottom of this blog post.

Back to the API security vulnerabilities found by the security researcher. The Forbes article explains how a white-hat security researcher was able to execute a complete account takeover of any Uber user’s account with little more than a simple API call to Uber’s mobile API. Luckily for Uber (and every Uber customer), Anand reported the vulnerability to Uber as part of a responsible disclosure program, so it never made its way into the wild. But the ease of the exploit and the magnitude of the damage that could have been done paint a picture of a very big problem.

Let me be clear. I’m not surprised that Uber’s API was not protected. I’d go so far as to state that a vast majority of mobile apps and their APIs have vulnerabilities, many of them significant or downright scary.

What surprised me was the sheer ease with which the attack could be executed, as well as the magnitude of the damage that could have been done. In the Uber example, the only piece of information the attacker needed was any Uber user’s mobile phone number OR email. That’s it. With either, you could have executed a complete account takeover of any Uber user in the world. Automating this attack was also quite doable, whereby an attacker could replicate the operation and take over Uber accounts en masse — all in the span of a couple of minutes. YIKES!

An account takeover is one of the most damaging methods of attack because it enables the attacker to assume the identity of a legitimate user. They can lock the ‘real’ user out, escalate their own privileges, and access all of the seemingly protected and sensitive information within the account. In this case, the attacker BECAME the Uber user. I mean, an account takeover is like the “Uber of all attacks” (pun absolutely and shamelessly intended). And this one was Uber-easy. Here are the requirements needed to complete this attack:

  1. Uber mobile app
  2. Uber API docs
  3. Email or phone number of a known Uber user
  4. There is no 4. That’s it

Of the three things needed, 1 and 2 are publicly available and 3 can be obtained with very little effort. Don’t despair: at the end of this blog I’ll show you how easily I was able to secure Uber’s mobile app, even faster than Prakash was able to break it (what do you expect? In my case, machines do the coding for me).

Attack Method — Exploiting a Lack of API Security

The researcher initiated a call to Uber’s API that included the phone number or email of any Uber user. The response from the Uber API included a highly sensitive data element, the user’s unique ID, in the payload in cleartext (i.e., unencrypted). He then replayed that unique ID in another API call, combined with the valid email or phone number, and from there he was able to access the secure authentication token, which was also not encrypted — another big no-no. Voila: you’re the proud owner of that Uber customer’s account in its entirety (and of any other Uber customer’s account you run the same attack on).

Here’s a laundry list of all the nasty things that could be done:

  • Pinpoint the exact location or home address of any Uber customer
  • Access credit card and other account information
  • Get free rides
  • Escalate account privileges
  • Obtain authentication tokens
  • Feast like a champ on Uber Eats

Best Practices for Mobile App & API Security — No code required

Here are a few Best Practices you can follow to secure your mobile APIs and ensure that Uber’s near miss doesn’t become your worst nightmare.

  • Don’t expose more object information than necessary in API responses.
  • Encrypt all sensitive data in your mobile app, especially API Keys and API Secrets.
  • Never pass sensitive payload data in clear text or over unauthenticated APIs.
  • Implement Data in Transit protection to ensure the validity of all certificates in your chain of trust. This will protect against MiTM attacks.
  • Don’t store authentication tokens in shared storage, and always encrypt the data.
  • Obfuscate your code and your app’s logic, as well as any native or non-native libraries. Hackers go after easy, high-value targets first. Don’t let your mobile app become ‘low hanging hacker-fruit’.
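As an added illustration of the first and third practices above (this is not code from Appdome, Uber or the article), here is a constructed Python user-lookup handler in the shape the article describes, beside a hardened version; the sample record, session table and field names are assumptions made for the example:

```python
from dataclasses import dataclass, asdict

# Constructed sample data; the fields mirror what the article says leaked
# (internal user ID, auth token, location) but every value is made up.
@dataclass
class User:
    user_id: str
    email: str
    phone: str
    name: str
    auth_token: str
    home_address: str

USERS = {
    "u-1001": User("u-1001", "rider@example.com", "+15555550100",
                   "Pat Rider", "tok-secret-abc", "1 Example St"),
}
ACTIVE_SESSIONS = {"sess-rider": "u-1001"}  # session id -> user id (constructed)
SENSITIVE_FIELDS = {"user_id", "auth_token", "home_address", "phone"}
PUBLIC_FIELDS = ("name", "email")  # allow-list: everything else is dropped

def _find_by_contact(contact):
    return next((u for u in USERS.values() if contact in (u.email, u.phone)), None)

def lookup_user_insecure(contact):
    """The pattern the article describes: unauthenticated lookup by email or
    phone that serialises the whole record, so the internal ID and token
    leak to anyone who knows a contact detail."""
    u = _find_by_contact(contact)
    return asdict(u) if u else None

def lookup_user_secure(session_id, contact):
    """Hardened form: requires a valid session, only answers for the caller's
    own record, and serialises an allow-list of fields, so the token and
    internal ID never appear in a response body."""
    caller_id = ACTIVE_SESSIONS.get(session_id)
    if caller_id is None:
        return {"error": "unauthenticated"}, 401
    u = _find_by_contact(contact)
    if u is None or u.user_id != caller_id:
        # Same answer for "not found" and "not yours", so the endpoint cannot
        # be used to confirm which emails or phone numbers are registered.
        return {"error": "not found"}, 404
    return {k: getattr(u, k) for k in PUBLIC_FIELDS}, 200

def response_leaks(payload):
    """Check a practitioner can run over any response body in a test suite."""
    return bool(payload) and bool(SENSITIVE_FIELDS & set(payload))
```

Running `response_leaks` over every handler's output in CI is a cheap way to catch a field that creeps back into a response later.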

Whether you’re a mobile developer, SecOps, DevOps, or just a non-coding product dude like myself, you can implement all of the above and much more on Appdome — all without writing a single line of code. Like I say in every blog I write, don’t take my word for it. Create your Appdome account now and see for yourself. And many of you already have, considering the 30k+ apps built on Appdome.

Live Demo: Fixing vulnerabilities in Uber (in minutes, No coding)

As promised above, here’s a video showing how I used Appdome’s no-code mobile development platform to secure Uber’s app and mobile APIs in less than 5 minutes, end to end.




ALAN BAVOSA is VP of Security Products at Appdome, a no-code mobile app security and development platform.
