Skyscanner 4.11 (iOS / App Store) on 2016-4-20
- privacymeteronline
- 20 Apr 2016
- 4 min read

Here is the next app we're going to tell you about. You love travel, don't you? So do we, so once again we took a travel application to examine its degree of data protection. Today we want to talk about Skyscanner.
Let's see what it offers its customers, quoting the app's page on the App Store:
Search, compare and book cheap flights on the go with the award-winning Skyscanner Flights app!
Search millions of flights from hundreds of airlines instantly for free, making it easier than ever to find the best airfare.
With over 35 million downloads, our app is a must-have for the savvy traveler.
Independent and unbiased, we simply find the flight deals out there and transfer you to the airline or travel agent to purchase.
* GET PRICE ALERTS
* FIND CHEAP FLIGHTS
* GET INSPIRED
* REFINE SEARCH
* RECENT SEARCHES
* SEAMLESS EXPERIENCE
* FREQUENT FLYER MILES
* NO ADDED FEES
What's New in Version 4.11: We're hugely grateful for all the feedback you've sent us – keep it coming! You've helped us make the app even better. We've fixed a few bugs and added several enhancements that make it slicker than ever.
This app was recently updated to v4.11 on April 18th. We did our analysis one day before that update, on v4.10, which was released on April 4th. Today we examined it again and did not notice any new security improvements. Here we go. Average values below 2 points, and that's not really good. It means that among all the data types we found, several are not protected at all. It also means that for the first time we will talk about the worst protected data items.
We found the following data groups: Account & Credentials Information, Application & Device Information, Location & Travel Information, Personal & Payment Information. You can find this information in the first picture attached to this post, also available via Pinterest. The second picture shows which specific data types assigned to each group were found in this app.
The first picture covers the data items combined into groups and the best protected items found.

The second picture covers the data items individually, outside their groups, and the worst protected items found.

Locally stored data (DAR). All items have the same level of system protection, which equals 6, and none have developer's own protection techniques implemented, therefore the average value is 3 points. It means these data types are stored in plaintext in the app folder and protected only by the sandbox: Application Configuration Data items, detailed information about your device, credentials information such as tokens, secret tokens and ID (usually your email address), geo data, and your personalization info, i.e. the search requests you've made while using this app. Note that Application Configs are collected not only by the app but by a 3rd party analytics library too. Also, each app saves a screenshot of the application window when you switch to another application, which means the screenshot might contain sensitive information. This counts as good system protection, but it still means your data can be extracted from backups with widely available tools. However, as we mentioned above, if you have a jailbroken iOS device it decreases the level down to 0. Also, keep in mind that there are lots of non-public solutions for getting at your data. Warning: if your iOS is < 8.3, this data can be accessed even without a jailbreak. Since 8.3 this vulnerability has been fixed; however, it wasn't officially a vulnerability for almost 4 or 5 years. So, it would be better to have the data additionally protected in this case, right :) ?
Transferred data (DIT). All items have a very low average value below 2, while the system DIT protection is a bit higher at 2 points and the developer's own protection is a bit less than 2. Let us explain our findings. Most of the data here is transferred as is, without any kind of protection, or encoded in base64, or compressed by default if HTTP compression is on. The list of non-protected data includes: application configs, device data (more general than the details), order and reservation history, geo-media data (pictures of famous places, depending on the city you're looking to travel to) and the data collected by the analytics library: device data, travel data (general info about your trip), environment (misc info about your OS) and personalization data (your search requests). Here the device data and travel data are transferred to the 3rd party analytics server encoded in base64, so we add a few points for the developer's own protection. The list of encoded (mainly compressed) data includes: geo data, personalization data stored on Skyscanner servers, travel details, and order & reservation details. That doesn't mean your data is protected, because (de-)compression is a default feature of HTTP libraries. The rest of the data has 4 points and requires your device to have a fake certificate installed before a MITM attack can succeed. It includes device details sent to another 3rd party analytics server, credentials (ID, password, tokens, secret tokens) sent to the Skyscanner server, account details (your profile), your favourites and tracked data and, unfortunately, full card information including the CVC. Talking about credentials, the best practice is to use the customer's password once and then switch to a token; however, this app continues using your password after reconnection.
Talking about the card: paying via a browser, or via the internal browser that is part of the mobile app, gets only 4 points because it doesn't prevent a MITM if you have a fake certificate installed; and if you don't have one installed it still doesn't protect you, it only warns you about an untrusted certificate, and if you accept that fake certificate your data would be stolen. No good news: no best protected data was found, but worst protected data types were. All the worst items have points below 2 and were mentioned above in the list of non-protected data and the list of encoded (mainly compressed) data.
Once again, keep in mind that the latest app version and build was examined on the latest iOS. If you use an older iOS version < 9 you might find that the app is not secure enough and data might be accessed without any action on your side (i.e. the average level for transferred data would be equal to 2). Also, older iOS versions < 8.3 don't provide enough protection for locally stored app data, allowing access to app data (except system storage like the keychain) without jailbreak access. And even good but template-based MITM protection could be patched too.
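The claim above that base64 and HTTP compression add no protection to transferred data can be checked directly. This added example (not from the original post and not Skyscanner's code) peels those reversible layers off constructed sample request bodies, as an app's own tester would see them after TLS termination in a test proxy, and reports which of the sensitive data types named in the post remain readable; the sample payloads, field names and regexes are our own assumptions.

```python
import base64, binascii, gzip, re, zlib

# Constructed sample request bodies (not real Skyscanner traffic), standing in
# for what a test proxy captures after TLS termination.
SAMPLES = {
    "plain_json": b'{"email":"traveler@example.com","password":"hunter2"}',
    "base64_device": base64.b64encode(b'{"device":"iPhone 6s","os":"9.3.1","token":"sess-0123"}'),
    "gzip_search": gzip.compress(b'{"from":"LHR","to":"JFK","passengers":2}'),
    "card_over_tls": b'{"pan":"4111111111111111","cvc":"123"}',
}

# Assumed field patterns for the data types the post treats as sensitive.
SENSITIVE = {
    "email": re.compile(rb"[\w.+-]+@[\w-]+\.[\w.]+"),
    "password": re.compile(rb'"password"\s*:'),
    "token": re.compile(rb'"(?:\w+_)?token"\s*:'),
    "card": re.compile(rb"\b(?:\d[ -]?){13,16}\b"),  # PAN-like digit run
    "cvc": re.compile(rb'"cvc"\s*:'),
}

def peel(body: bytes, max_layers: int = 4):
    """Strip reversible layers (gzip, zlib, base64) until plaintext remains.
    Returns (plaintext, layers_removed). Removing a layer costs an observer
    nothing, so none of them counts as protection for data in transit."""
    layers = []
    for _ in range(max_layers):
        if body[:2] == b"\x1f\x8b":  # gzip magic bytes
            body = gzip.decompress(body)
            layers.append("gzip")
            continue
        if body[:1] == b"\x78":  # common zlib header byte; verify by inflating
            try:
                body = zlib.decompress(body)
                layers.append("zlib")
                continue
            except zlib.error:
                pass
        if len(body) % 4 == 0 and re.fullmatch(rb"[A-Za-z0-9+/]+=*", body):
            try:  # heuristic: base64 alphabet only, padded to a multiple of 4
                body = base64.b64decode(body, validate=True)
                layers.append("base64")
                continue
            except binascii.Error:
                pass
        break
    return body, layers

def assess(body: bytes) -> dict:
    """Peel the body and report which sensitive data types are readable."""
    plaintext, layers = peel(body)
    found = sorted(name for name, rx in SENSITIVE.items() if rx.search(plaintext))
    return {"layers": layers, "sensitive": found, "plaintext": plaintext}
```

Run `assess()` over each entry in `SAMPLES`: the base64 and gzip bodies come back as readable JSON after one layer is removed, which is exactly why the post scores them no higher than plaintext.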