eFax fax app 4.6.0 (iOS / App Store) on 2016-5-9
- privacymeteronline
- May 10, 2016
- 8 min read

One more tool we're going to examine today. This application is available for iOS here. It is designed to bypass the limits of fax machines and fax numbers by virtualizing them and bringing faxing into the digital age. You can use your mobile device or the eFax web page to send and receive faxes. The description of the application is quoted below:
-------------------------------------------
Brought to you by eFax® - the world leader in online faxing. Free fax app puts the power of a fax machine on your iOS device. The eFax iOS mobile app lets you send and receive faxes from your iPhone or iPad with ease. Scan or upload documents, edit as needed, add a cover page and send. You can even sign faxes with the touch of a finger. Receive timely alerts when a new fax is received and email confirmations when your fax has been sent. The eFax® app provides enhanced viewing options and lets you navigate easily between documents, create folders, tag faxes and store them conveniently on your device or in the cloud.
• New user? Get a free fax number to send and receive faxes (available in USA only). Includes limited free pages per month. If you need more pages you may upgrade conveniently within the app.
• Send a fax instantly. Upload documents using your email, device or cloud storage (e.g., Google Drive, Box, and Dropbox) or scan documents using your camera interface. Sign your fax electronically, prepare a personalized cover page, enter your contact and tap send. eFax will enhance the images for you and you’ll receive alerts confirming your fax is sent and delivered.
• Enhanced viewing options. Tap on a fax to access zoom features. Swipe horizontally to move to next or previous page. Advance quickly to specific pages by entering the page number.
• Contact management. Add and manage fax contacts easily with eFax®.
• Supports 20+ file types including PDF, DOC, PPT, JPEG, JPG and more.
• Storing faxes is simple. Create folders, tag and save faxes to your device or in the cloud. The search function will help you retrieve faxes quickly.
• Prepare an electronic signature with the touch of your finger.
• Edit documents and add text to your fax.
• Print faxes using AirPrint, and forward documents to other recipients by fax or email.
• If you have multiple fax numbers switch mailboxes easily within the app.

The latest build, 4.6.0, released on May 6th, has some improvements:
• Bug fixes for better app performance.
• Send and receive faxes, scan or upload documents. The eFax mobile app supports 20+ file types including PDF, DOC, PPT, JPEG, JPG and more.
• Enhanced document management. Create folders, tag faxes and store them in the cloud or on your device.
• In-app fax viewer displays inbound fax documents. Double tap to zoom in and out. Search function helps you find faxes or advance to other pages quickly.
• Create a personalized fax cover page, sign documents electronically with the touch of your finger.
Protection levels. Locally stored data (Data-at-Rest, DAR). Locally stored data groups include Credentials Information, Device Information, Account Information, Application Information, Documents Information, Message Information, Location'n'Maps Information, AddressBook'n'Contacts Information, Analytics'n'Ads Information. You may notice the average value is 3.0 points (5.5 points of system protection and 0.5 points of own protection). That isn't typical for many applications, especially when you're using a stock device. This is a case where we have issues out of the box.
The full list of data items found in this app, with protection levels and short descriptions, is below:
Items #1 have an average value of 2 points (4 of system, 0 of own). This means the data can be extracted when the iOS device is paired to a PC/Mac, because the developers marked this data as extractable:
- Credentials (IDs) ('Credentials Information' Group) - mainly your ID, which is your fax number duplicated many times in different places,
- Account Data ('Account Information' Group) - account data related to the customer (usually the 'profile tab'),
- Application Configs ('Application Information' Group) - different application configuration options saved locally,
- Local'n'Network Paths ('Device Information' Group) - basic information about local & network paths where data is stored; for this application this includes folder names (inbox, sent, ...),
- Documents Details ('Device Information' Group) - every fax you send or receive includes details of when it was sent and how many pages the fax message has,
- Messages ('Message Information' Group) - message body of the fax message,
- Media Data ('Message Information' Group) - media part of the fax message ('scanned' images),
- Contact Short Profile ('AddressBook'n'Contacts Information' Group) - short information about senders and receivers.

Items #2 have an average value of 3.5 points (7 of system, 0 of own). This means the data can be extracted only via backups or other publicly known techniques; a jailbreak without a data wipe isn't possible, so the data can't be reached that way:
- Credentials (Tokens) ('Credentials Information' Group) - some credentials were found linked with the account,
- Device Data ('Device Information' Group) - basic information about your device,
- Address Data ('Location'n'Maps Information' Group) - your location information, limited to city, country, timezone & locale information,
- Device Details ('Analytics'n'Ads Information' Group) - more details about your device, e.g. whether it is jailbroken or not,
- Credentials (Tokens) ('Analytics'n'Ads Information' Group) - tokens the analytics library uses to connect to its server,
- Credentials (IDs) ('Analytics'n'Ads Information' Group) - ID the analytics library uses to connect to its server,
- Screenshots ('Media Information' Group) - screenshot of the application windows taken when you switch applications (a basic feature of iOS unless it is turned off).

Items #3 have an average value of 7.5 points (7 of system, 8 of own). This means the same as category #2; however, the own protection level is 8 points, which means the data type wasn't found in the backup but was found on the device, in either the keychain or the application folder:
- Credentials (Passwords) ('Credentials Information' Group) - your password (4-digit PIN).
The last item is rated as the best protected item. It's very important to know that storing data this way reduces the possibility of data leakage.
So, data #2 has a typical protection level, and data #3 is an unusual but good way to protect data; however, data #1 isn't the worst problem.
Also, keep in mind that using a jailbroken device means your system protection level is 0 points, and if you're using an outdated iOS (< 8.3), your system protection level is 2 points.
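An added example, not part of the original post: recomputing the Data-at-Rest averages from the three item categories above, and re-scoring them for a jailbroken or outdated device. It assumes an item's score is the plain mean of its system and own points and that the device state caps the system points of every item; all names are hypothetical.

```python
# Added example: recompute the Data-at-Rest scores from the three item
# categories listed in the post. Assumptions (the post gives no formulas):
# an item's score is the mean of its system and own protection points, and
# a jailbroken or outdated device caps the system points of every item.
from statistics import mean

# (category, system points, own points, number of items listed in the post)
DAR_CATEGORIES = [
    ("#1 extractable from a paired device", 4, 0, 8),
    ("#2 backups only", 7, 0, 7),
    ("#3 keychain/app folder, not in backup", 7, 8, 1),
]

# System-level values the post names for Data-at-Rest.
SYSTEM_CAPS = {"stock": None, "ios_below_8_3": 2, "jailbroken": 0}


def item_score(system, own):
    """Average value of one data item."""
    return (system + own) / 2


def dar_summary(device="stock"):
    """Return (avg system, avg own, avg overall) across all 16 items."""
    cap = SYSTEM_CAPS[device]
    systems, owns = [], []
    for _name, system, own, count in DAR_CATEGORIES:
        if cap is not None:
            system = min(system, cap)  # device state lowers system protection
        systems += [system] * count
        owns += [own] * count
    overall = mean(item_score(s, o) for s, o in zip(systems, owns))
    return mean(systems), mean(owns), overall


if __name__ == "__main__":
    for device in SYSTEM_CAPS:
        system, own, overall = dar_summary(device)
        print(f"{device:14} system={system} own={own} overall={overall}")
```

For a stock device this reproduces the 5.5 / 0.5 / 3.0 figures quoted at the top of the section.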
Transferred data (Data-in-Transit, DIT). Transferred data groups include Credentials Information, Device Information, Account Information, Application Information, Documents Information, Message Information, Location'n'Maps Information, AddressBook'n'Contacts Information, Analytics'n'Ads Information. The average value is 4 points (4 points of system protection and 4 points of own protection).
All data items are the same, except for one data type: URLs ('Message & Media Information' Group). Even if a MITM attack happens and the intruder can't get the media data, he can steal the URLs in requests and download all files semi-automatically. The intruder can't get the media data because of server-side SSL validation. This validation works silently and doesn't help the customer know whether his device is being MITMed or not.
The full list of data items found in this app, with protection levels and short descriptions, is below:
- Credentials (IDs) ('Credentials Information' Group) - mainly your ID, which is your fax number duplicated many times in different places,
- Credentials (Passwords) ('Credentials Information' Group) - your password (4-digit PIN),
- Credentials (Tokens) ('Credentials Information' Group) - some credentials were found linked with the account,
- Account Data ('Account Information' Group) - account data related to the customer (usually the 'profile tab'),
- Application Configs ('Application Information' Group) - different application configuration options saved locally,
- Local'n'Network Paths ('Device Information' Group) - basic information about local & network paths where data is stored; for this application this includes folder names (inbox, sent, ...),
- Documents Details ('Device Information' Group) - every fax you send or receive includes details of when it was sent and how many pages the fax message has,
- Messages ('Message Information' Group) - message body of the fax message,
- Media Data ('Message Information' Group) - media part of the fax message ('scanned' images),
- URLs ('Message & Media Information' Group) - URLs that allow downloading the media part of the fax message ('scanned' images),
- Contact Short Profile ('AddressBook'n'Contacts Information' Group) - short information about senders and receivers,
- Device Data ('Device Information' Group) - basic information about your device,
- Address Data ('Location'n'Maps Information' Group) - your location information, limited to city, country, timezone & locale information,
- Device Details ('Analytics'n'Ads Information' Group) - more details about your device, e.g. whether it is jailbroken or not,
- Credentials (Tokens) ('Analytics'n'Ads Information' Group) - tokens the analytics library uses to connect to its server,
- Credentials (IDs) ('Analytics'n'Ads Information' Group) - ID the analytics library uses to connect to its server,
- Screenshots ('Media Information' Group) - screenshot of the application windows taken when you switch applications (a basic feature of iOS unless it is turned off).
Keep in mind that if you're using an outdated iOS (< 9.0), the system level equals 2 points instead of 4. It means your data can be stolen without involving your actions.
The first picture shows the data items combined into groups and the best protected items found.

The second picture shows the data items separately from their groups and the worst protected items found.

Privacy Policy
The full application privacy policy is available here.
Besides the common clauses referring to compliance and law, there are two referring to security and third-party privacy. Clause 2.g describes exchanging data as a result of implementing third-party solutions. As for the analytics libraries, they don't reveal much user information compared to other apps we examined earlier. As for security, the SSL behaviour shows the developers implemented it only once and never reviewed it. Many other applications find a way to provide a better security level than this one, even if we talk about the Data-in-Transit category and an outdated iOS (< 9.0). This application only becomes more secure if you update your iOS, while other applications had this protection level or even better on outdated iOS.
2. Use of Personally Identifiable Information
g. Third-Party Intermediaries; Supplementation of Information
In order for the Company to properly fulfill its obligations to improve our Services and direct information to users about services that may be of interest to users, we may use third parties and may share users' information with these third parties. For example, the Company verifies the billing address on all credit card transactions and may obtain credit reports for some corporate users. We use an outside credit card processing company to bill users for Services. In addition, we may use third parties to host certain portions of our Site, to fulfill certain requests for information from our users and to comply with legal requirements. In order to personalize a user's experience and provide relevant offers from us or our third-party advertisers, we may share users' information with third parties to learn more about users and their preferences. These companies are not to store or use personally identifiable information for any secondary purposes, and the information obtained from these third-party sources is maintained in a manner consistent with this Privacy Policy.
4. Security
The Company takes every reasonable precaution to protect its users' information. When our registration/order forms ask users to enter their personally identifiable information, that information is protected with encryption software called SSL (secure sockets layer). Any activities performed after you log into your account are also encrypted with SSL.
While we use SSL encryption to protect personally identifiable information online, we also employ security measures to protect user information off-line. All of our users' information, not just the personally identifiable information mentioned above, is restricted in our offices. Only employees who need the information to perform a specific job (for example, our billing clerks or a Customer Service representative) are granted access to personally identifiable information. Finally, the Company servers that store personally identifiable information are in a secure environment.