"Writing is always possible from an app using normal rendering services, which draw to framebuffer on your behalf," he told ZDNet.
"Reading allows you to look at the device's screen."
Todesco said it was the equivalent of giving Uber the ability of keylogging - the use of a computer program to record every keystroke made by a user, especially in order to gain fraudulent access to passwords and other confidential information.
"I find this very frightening and dangerous," he said.
The Apple expert added the feature also "paints a pretty big target on top of the app" for hackers looking exploit the permission.
An Uber spokesman said that the code had been implemented to improve rendering on its Apple Watch app.
"It's not connected to anything else in our current codebase and the diff [sic] to remove it is already being pushed into production," the spokesman said.
"This API would allow maps to render on your phone in the background and then be sent to your Apple Watch."
Uber said subsequent updates to the Apple Watch and its own app had improved rendering, so the company would be removing the function completely.
This isn't the first time Uber has been exposed for privacy issues, with The New York Times reporting the company had violated Apple's rules after it was discovered it had been tracking iPhones after the app was deleted.
Strafach said he was shocked to see that even after Apple chief executive Tim Cook threatened to kick Uber out of the App Store, the company somehow managed to convince "Apple to let them have exclusive access to this privileged entitlement".
"It seems they got special treatment and do not want to directly admit it," he said.
Apple is yet to comment.