The Microsoft Store Uber App (Windows Phone Architecture) does not properly implement certificate pinning.
Layer-2+ network traffic transmitted from and received by the app can be surreptitiously intercepted and transparently modified by an attacker, with no warnings or errors presented to the app user.
A transparent Layer-2 MITM proxy was configured between a device running the most recent release of the Uber app for Windows Phone Architecture and an Internet gateway. Self-signed certificates were asserted on behalf of the remote systems that the app communicated with. All traffic transmitted and received by the Uber app could be captured and then modified transparently, without any notifications or certificate warnings presented to the app user.
In this scenario an attacker has the ability to modify a rider's profile, to access previous trip histories, to schedule and/or cancel Uber driver dispatches, and the ability to access and/or modify stored payment information.
Driver functionality was not tested. If the Uber Driver role is also implemented within the Microsoft Phone Architecture Uber App, then all driver-related functionality encapsulated within the app could be surreptitiously observed and/or transparently modified as well.
This vulnerability can be exploited in practice via an ARP cache poisoning attack, which makes it especially relevant to Uber riders who dispatch rides over wireless access points at public hotspots.
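The control this report finds missing is a certificate pin check: after the TLS handshake and normal chain validation, the client compares the SHA-256 hash of the server's SubjectPublicKeyInfo against a set of expected values, so a certificate that chains correctly (or, as here, is simply accepted) but carries a different key is rejected. The following is an added example written for this page, not code from the report or from Uber. It includes a minimal DER walker (assumes well-formed DER, as a real client would get from its platform X.509 API), builds two constructed, unsigned certificates that share a subject but differ in key (the shape of what a transparent MITM proxy presents), and shows that only the pinned key passes. The `PinnedHTTPSConnection` class, pin values, OIDs and key bytes are all constructed for the example; the pin format mirrors the `sha256/<base64>` convention used by HPKP and common mobile HTTP libraries.

```python
import base64
import hashlib
import hmac
import http.client
import ssl

# Standard OIDs (real values): rsaEncryption and sha256WithRSAEncryption.
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")
SHA256_WITH_RSA_OID = bytes.fromhex("2a864886f70d01010b")


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nbytes)]) + nbytes
    return bytes([tag]) + length + content


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; return (tag, value, end) where end indexes the next element."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the whole DER SubjectPublicKeyInfo TLV from an X.509 certificate (RFC 5280 field order)."""
    _, cert_body, _ = read_tlv(cert_der)          # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert_body)               # tbsCertificate SEQUENCE
    pos = 0
    tag, _, nxt = read_tlv(tbs, pos)
    if tag == 0xA0:                               # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):                            # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)                # subjectPublicKeyInfo
    return tbs[pos:end]                           # pins hash the full SPKI TLV, not just the key bits


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin string: 'sha256/' + base64(SHA-256(SPKI DER))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_matches(cert_der: bytes, pinned: set) -> bool:
    """True iff the leaf certificate's SPKI pin is in the pin set (constant-time compare per pin)."""
    candidate = spki_pin(extract_spki(cert_der))
    return any(hmac.compare_digest(candidate, p) for p in pinned)


class PinnedHTTPSConnection(http.client.HTTPSConnection):
    """Hypothetical client connection: standard chain validation first, then the SPKI pin check."""

    def __init__(self, host, pinned, **kwargs):
        super().__init__(host, context=ssl.create_default_context(), **kwargs)
        self._pinned = pinned

    def connect(self):
        super().connect()                                   # TLS handshake + CA chain validation
        leaf_der = self.sock.getpeercert(binary_form=True)  # DER of the presented leaf certificate
        if not pin_matches(leaf_der, self._pinned):
            self.close()                                    # fail closed: no request leaves the client
            raise ssl.SSLCertVerificationError("server key does not match pinned SPKI set")


def fake_cert(modulus: bytes) -> bytes:
    """CONSTRUCTED test data: a syntactically valid, unsigned X.509 DER certificate around a
    placeholder RSA modulus. Empty issuer/subject Names and zeroed signature are deliberate."""
    alg_id = der(0x30, der(0x06, SHA256_WITH_RSA_OID) + der(0x05, b""))
    rsa_key = der(0x30, der(0x02, b"\x00" + modulus) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, der(0x06, RSA_ENCRYPTION_OID) + der(0x05, b""))
               + der(0x03, b"\x00" + rsa_key))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))              # version v3
               + der(0x02, b"\x01")                            # serialNumber
               + alg_id                                        # signature algorithm
               + der(0x30, b"")                                # issuer (empty Name)
               + der(0x30, der(0x17, b"240101000000Z") * 2)    # validity
               + der(0x30, b"")                                # subject (empty Name)
               + spki)
    return der(0x30, tbs + alg_id + der(0x03, b"\x00" * 9))    # signatureValue placeholder


# Constructed keys: the MITM certificate has the same (empty) subject but a different key.
LEGIT_CERT = fake_cert(hashlib.sha256(b"constructed legitimate server key").digest())
MITM_CERT = fake_cert(hashlib.sha256(b"constructed interception proxy key").digest())
PINNED = {spki_pin(extract_spki(LEGIT_CERT))}       # the pin set shipped inside the client


def demo() -> dict:
    return {"legit_accepted": pin_matches(LEGIT_CERT, PINNED),
            "mitm_accepted": pin_matches(MITM_CERT, PINNED)}


if __name__ == "__main__":
    print(demo())   # {'legit_accepted': True, 'mitm_accepted': False}
```

Two design points matter for a client like the one in this report. First, the pin check runs only after ordinary chain validation, never instead of it; the report shows the app skipped even that first layer, and pinning is the second. Second, the client fails closed (closes the socket and raises before any request is written), which is exactly the warning-or-error behaviour the report notes was absent. Pinning a backup key alongside the active one is the usual way to avoid locking users out on key rotation.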