There's perfectly reasonable explanation for almost all of these permissions, and there's nothing in this analysis that suggests they're doing otherwise. The only one that I couldn't think of was WRITE_SETTINGS
Permissions
ACCESS_COARSE_LOCATION & ACCESS_FINE_LOCATION: Fairly obvious, they need to figure out where to pick you up
ACCESS_NETWORK_STATE, ACCESS_WIFI_STATE , INTERNET: They need to figure out if you have internet and use it
WAKE_LOCK: Keep the network running so you can get real-time updates about your driver
GET_ACCOUNTS, USE_CREDENTIALS, MANAGE_ACCOUNTS: For logging in with Google
CAMERA: You can take a picture of your credit card for easier entry
CALL_PHONE: So you can call your driver
MANAGE_ACCOUNTS: So they can add your uber account to your phone
READ_CONTACTS: Probably for inviting friends or splitting ride costs
READ_PHONE_STATE: Legacy analytics reasons
WRITE_EXTERNAL_STORAGE: Probably unnecessary, but they are probably just storing data
VIBRATE: For notifications
The rest are for push notifications
As far as the roottools, I know Crashlytics checks for root so they can provide that data in their console for crashes. It's a pretty useful thing to be able to weed crashes from rooted devices out. They usually make very little sense and violate the advertised behavior of the SDK.
Side note: Wouldn't it be good if Google required all apps to explain why each permission is necessary, similar to this?
It would also be good if users could install the app but without approving the full set of permissions. Developers would have to catch an exception, but it's worth it. (Supposedly with one of the recent Android releases this feature was planned and made it to some users but Google quickly reverted.)
The system in iOS is still not enough because the app knows if you declined, so it can keep asking you ad-nauseam until you either accept or until you uninstall the app. For example Facebook's messenger asks for being able to show notifications every time you load the UI.
It would have been good if there was a way to lie to the app. For example if it wants access to your contacts, it could get a blank list.
Of course, it is much easier to not use such apps in the first place. Uber is not alone in doing this and personally I take it as a signal of how I'll be treated as a customer.