Anywayanyday 3.10.2 (iOS / App Store) on 2016-4-19
- privacymeteronline
- Apr 19, 2016
- 5 min read

Here's the next app we're going to tell you about. We bet you're flying and travelling every day, right :) ? So this app, Anywayanyday, might be in your pocket as well.
Let's see what it offers customers, quoting the app's market page.
Anywayanyday is a free iPhone and iPad application from anywayanyday.com, an online service for buying air tickets and making hotel reservations all over the world. For your every request the system analyses offers from more than 800 airlines and 330,000 hotels worldwide and finds the optimal ones. Searching, choosing and paying for an air ticket or a hotel take on average about three minutes.
iPhone version
• Convenient air ticket and hotel room search;
• Voice data input;
• The flight options are filtered by price, departure time, arrival time, airports, transfers;
• The accommodation options are filtered by price, accommodation type, stars, services;
• Pre-booking and booking cancellation directly from the app;
• Payment for air tickets with bank cards and in cash in mobile phone outlets;
• Payment for hotels with bank cards;
• Several discounts usable on the same order;
• Personal account:
  ◦ memory book;
  ◦ order lists;
  ◦ detailed order information including booked and issued insurance policies;
  ◦ payment cards data;
  ◦ your personal and profile data;
  ◦ bonus account information.
• Flight itinerary and/or hotel voucher sent per email and texts with payment confirmation;
• Ticket exchange or refund directly from the app;
• Issue of insurance policies against flight cancellation and for flight duration (while buying a ticket);
• Push-notifications with latest news and special offers from anywayanyday;
• Sending reviews and suggestions to the Anywayanyday development team directly.

iPad version
• All iPhone features are available except for hotel booking which is coming up in one of the next releases;
• Interactive map provides you with additional data about weather, currency rates, flight durations, hotel offers for your destinations;
• Flight offers are sorted by price starting from the cheapest one; best price offers are always first and singled out.
So, the feature list is really awesome: you can do almost everything and find many useful things like pre-booking or storing loyalty information. We think you have already figured out what this app is intended to do: store and transfer a lot of information. Redundant data is the biggest problem of modern apps, especially when it comes with a lack of logic on the developer's side. This app downloads all the data stored on the developer's server to your mobile device and gives almost nothing in return. Can you use the app while you're offline? Of course not! But the data is downloaded and STORED just in case; we have no idea why it has worked this way for many years. Also, even if you're online, you don't need all the data downloaded at the same time, because you're not always purchasing a flight or editing your notebook filled with your passport data. Maybe you just want to look at your flights and how many there are? We mean that the whole set of data is re-downloaded on almost every request, with no real link to the specific feature in use. How is it supposed to work? You press the 'flight' button and your flight list is downloaded (only the list, or the list with details for each flight, it doesn't matter much). If you press 'notebook', your passport data is downloaded then. But if all the data is downloaded on each login to your account, then it should be accessible offline.
How much data does this app store, transfer and operate on? The data groups include your passport information, financial and transaction information, account and credentials information, device and media information, and ads & analytics information. You can find this information in the first pic attached to this post and available via Pinterest. The second pic shows which specific data types assigned to each group were found in this app. You may notice that the average score isn't high enough, but it is a bit unusual. Let's discuss the results.
First pic includes info about data items combined into groups and best protected items found.

Second pic includes info about data items separately from group and worst protected items found.

Locally stored data (DAR). All items have the same level of system protection, which equals 6, and no developer-implemented protection of their own, with one exception: short card information. That's why the score is a bit above the average value of 3 and equals 3.13. This data type contains information about the cards (except CVC) you saved locally in the app, and it is even encrypted with AES. Since 2013 the key size has been increased from 192 to 256 bits; however, the key can be easily found and it's not unique. This is the only data type protected in some way by the developers. The rest of the data types are stored in plaintext in the app folder and protected only by the sandbox. That includes your credentials (password too), your profile, passport data and analytics info about your device. This is good protection, because it means your data can be extracted from backups using widely available tools. However, as we mentioned above, a jailbroken iOS device decreases the level down to 0. Also, keep in mind there are a lot of non-public solutions for getting at your data. Warning: if your iOS is < 8.3, this data can be accessed even without a jailbreak. This vulnerability was fixed in 8.3; however, it wasn't officially a vulnerability for almost 4 or 5 years ;)
Transferred data (DIT). All items have an average value of 5 points. However, the average system DIT protection is only 4, while the developer's own (DIT OWN) is 6. What does this mean? A medium protection level (4 points) is the usual average value for many apps; it indicates that the OS alerts about non-trusted certificates and does not fail at fake-certificate verification. However, if a fake certificate is installed in the OS, nothing helps to prevent MITM attacks except the developer's security mechanisms. Note that iOS had issues with this but fixed them as of the 9.1 release. By comparison, Android didn't have this technique until OS 5 was released. Transferred data includes your credentials (password too), your profile, passport data, full card information (with CVC) and analytics info about your device and its environment. These data types are mainly protected on the developer's side, a rare and good case. A properly implemented fake-certificate validation technique, paired with the vulnerability fixed by Apple, helps to protect customer data and prevent MITM attacks, but only for iOS >= 9. In other words, the same application installed on an older iOS < 9 doesn't protect your data at all. Warning: this kind of protection can be patched out even on an updated iOS if you downloaded and installed the application from a non-official market or another place, or got a modified build of this app in a non-official way, e.g. it was pushed under a corporate EMM IT policy, or you have installed a non-trusted profile that allows installing non-official apps.
Good news: no worst protected data types were found; bad news: no best protected data types were found in terms of protection. Why weren't any best protected items found if the average value is 5 points? The answer is that both the system and the own protection levels should be more than 5. However, customers may find this an appropriate result as well.
Once again, keep in mind that the latest app version and build was examined on the latest iOS, and if you use an older iOS version < 9 you may find that the app isn't secure enough and data might be accessed without any action on your side (= the average level for transferred data would be equal to 2). Also, older iOS versions < 8.3 don't provide enough protection for locally stored app data and allow access to app data (except system data like the keychain) without jailbreak access. And even good but template-based MITM protection could be patched too.