eFax fax app 4.8.0 (Android / GooglePlay) on 2016-5-8
- privacymeteronline
- May 11, 2016
- 7 min read

One more tool we're going to examine today. This application is available for Android here. It is designed to bypass the limits of fax machines and fax numbers by implementing virtualization and bringing faxing into the new digital age. You can use your mobile device or the eFax web page to send and receive faxes. So, let's quote the description of this application below:
-------------------------------------------
Award-winning eFax® app lets you send, receive, scan and sign faxes from your Android phone or tablet

Start faxing in minutes with eFax - the World Leader in Online Faxing. The eFax app makes it easier than ever to fax from anywhere, anytime. Look at all the great things you can do:
• New user? Get a free fax number to send and receive faxes (available in USA only). Includes limited free pages per month. If you need more pages you may upgrade conveniently within the app.
• Send a fax instantly. Upload documents using your email, device or cloud storage (e.g., Google Drive, Box, and Dropbox) or scan documents using your camera interface. Sign your fax electronically, prepare a personalized cover page, enter your contact and tap send. eFax will enhance the images for you and you’ll receive alerts confirming your fax is sent and delivered.
• Enhanced viewing options. Tap on a fax to access zoom features. Swipe horizontally to move to next or previous page. Advance quickly to specific pages by entering the page number.
• Contact management. Add and manage fax contacts easily with eFax®.
• Supports 20+ file types including PDF, DOC, PPT, JPEG, JPG and more.
• Storing faxes is simple. Create folders, tag and save faxes to your device or in the cloud. The search function will help you retrieve faxes quickly.
• Prepare an electronic signature with the touch of your finger.
• Edit documents and add text to your fax.
• Print faxes using AirPrint, and forward documents to other recipients by fax or email.
• If you have multiple fax numbers, switch mailboxes easily within the app.
The latest build, 4.8.0, released on April 5th, has some improvements:
• Bug fixes for better app performance.
• Send and receive faxes, scan or upload documents. The eFax mobile app supports 20+ file types including PDF, DOC, PPT, JPEG, JPG and more.
• Enhanced document management. Create folders, tag faxes and store them in the cloud or on your device.
• In-app fax viewer displays inbound fax documents. Double tap to zoom in and out. Search function helps you find faxes or advance to other pages quickly.
• Create a personalized fax cover page, sign documents electronically with the touch of your finger.
Protection levels. Locally stored data (Data-at-Rest, DAR). Locally stored data groups include Credentials Information, Device Information, Account Information, Application Information, Documents Information, Message Information, Location'n'Maps Information, AddressBook'n'Contacts Information, Analytics'n'Ads Information. The average value is 3.5 points (7 points of system protection and 0 points of own protection). The previous application had a different way to protect your data, but here there is only the typical way to do it (the sandbox).
The full list of data items found in this app, with protection levels and a short description, is below:
- Credentials (IDs) ('Credentials Information' Group) - mainly your ID is your fax number, duplicated many times in different places
- Account Data ('Account Information' Group) - account data related to the customer (usually the 'profile tab')
- Application Configs ('Application Information' Group) - different application configuration options saved locally
- Local'n'Network Paths ('Device Information' Group) - basic information about local & network paths where data is stored; for this application this includes folder names (inbox, sent, ...)
- Documents Details ('Device Information' Group) - every fax you send or receive includes details such as when it was sent and how many pages the fax message has
- Messages ('Message Information' Group) - message body of the fax message
- Media Data ('Message Information' Group) - media part of the fax message ('scanned' images)
- Contact Short Profile ('AddressBook'n'Contacts Information' Group) - short information about senders and receivers
- Credentials (Tokens) ('Credentials Information' Group) - some credentials were found linked with the account
- Device Data ('Device Information' Group) - basic information about your device
- Address Data ('Location'n'Maps Information' Group) - your location information, limited to city, country, and timezone & locale information
- Device Details ('Analytics'n'Ads Information' Group) - more details about your device, e.g. whether it is jailbroken or not
- Credentials (Tokens) ('Analytics'n'Ads Information' Group) - tokens the analytics library uses to connect to the server
- Credentials (IDs) ('Analytics'n'Ads Information' Group) - ID the analytics library uses to connect to the server
- Credentials (Passwords) ('Credentials Information' Group) - your password (4-digit PIN)
- Log Data ('Log Data' Group) - all activities of sending & receiving faxes are logged and stored locally

No best protected item. Unlike the iOS application, all data items here are stored in the same way.
Transferred data (Data-in-Transit, DIT). Transferred data groups include Credentials Information, Device Information, Account Information, Application Information, Documents Information, Message Information, Location'n'Maps Information, AddressBook'n'Contacts Information, Analytics'n'Ads Information. The average value is 4 points (4 points of system protection and 4 points of own protection).
All data items are the same, except one data type - URLs ('Message & Media Information' Group). Even if a MITM attack happens and the intruder can't get the media data, he can steal the URLs in requests and use them to download all files semi-automatically. The intruder can't get the media data because of server-side SSL validation. This validation works silently and doesn't help the customer know whether his device is being MITMed or not.
The full list of data items found in this app, with protection levels and a short description, is below:
- Credentials (IDs) ('Credentials Information' Group) - mainly your ID is your fax number, duplicated many times in different places
- Credentials (Passwords) ('Credentials Information' Group) - your password (4-digit PIN)
- Credentials (Tokens) ('Credentials Information' Group) - some credentials were found linked with the account
- Account Data ('Account Information' Group) - account data related to the customer (usually the 'profile tab')
- Application Configs ('Application Information' Group) - different application configuration options saved locally
- Local'n'Network Paths ('Device Information' Group) - basic information about local & network paths where data is stored; for this application this includes folder names (inbox, sent, ...)
- Documents Details ('Device Information' Group) - every fax you send or receive includes details such as when it was sent and how many pages the fax message has
- Messages ('Message Information' Group) - message body of the fax message
- Media Data ('Message Information' Group) - media part of the fax message ('scanned' images)
- URLs ('Message & Media Information' Group) - URLs that allow downloading the media part of the fax message ('scanned' images)
- Contact Short Profile ('AddressBook'n'Contacts Information' Group) - short information about senders and receivers
- Device Data ('Device Information' Group) - basic information about your device
- Address Data ('Location'n'Maps Information' Group) - your location information, limited to city, country, and timezone & locale information
- Device Details ('Analytics'n'Ads Information' Group) - more details about your device, e.g. whether it is jailbroken or not
- Credentials (Tokens) ('Analytics'n'Ads Information' Group) - tokens the analytics library uses to connect to the server
- Credentials (IDs) ('Analytics'n'Ads Information' Group) - ID the analytics library uses to connect to the server
Keep in mind that if you're using an outdated Android version (< 5.0), the system level equals 2 points instead of 4. It means your data can be stolen without any action on your part.
The first picture includes info about data items combined into groups and the best protected items found.

The second picture includes info about data items separately from their groups and the worst protected items found.

Privacy Policy
Full application privacy policy is available here.
Besides the common clauses referring to compliance and law, there are two referring to security and third-party privacy. Clause 2.g describes exchanging data due to the implementation of third-party solutions. As for analytics libraries, this app doesn't reveal much user information compared to other apps we examined earlier. As for security, the SSL clause shows the developers implemented it only once and never reviewed it. Many other applications find a way to provide a better security level than this one, even if we talk about the Data-in-Transit category and outdated iOS < 9.0. This application only becomes more secure if you update your iOS, while other applications had this protection level or even better on outdated iOS.
2. Use of Personally Identifiable Information
g. Third-Party Intermediaries; Supplementation of Information
In order for the Company to properly fulfill its obligations to improve our Services and direct information to users about services that may be of interest to users, we may use third parties and may share users' information with these third parties. For example, the Company verifies the billing address on all credit card transactions and may obtain credit reports for some corporate users. We use an outside credit card processing company to bill users for Services. In addition, we may use third parties to host certain portions of our Site, to fulfill certain requests for information from our users and to comply with legal requirements. In order to personalize a user's experience and provide relevant offers from us or our third-party advertisers, we may share users' information with third parties to learn more about users and their preferences. These companies are not to store or use personally identifiable information for any secondary purposes, and the information obtained from these third-party sources is maintained in a manner consistent with this Privacy Policy.
4. Security
The Company takes every reasonable precaution to protect its users' information. When our registration/order forms ask users to enter their personally identifiable information, that information is protected with encryption software called SSL (secure sockets layer). Any activities performed after you log into your account are also encrypted with SSL.
While we use SSL encryption to protect personally identifiable information online, we also employ security measures to protect user information off-line. All of our users' information, not just the personally identifiable information mentioned above, is restricted in our offices. Only employees who need the information to perform a specific job (for example, our billing clerks or a Customer Service representative) are granted access to personally identifiable information. Finally, the Company servers that store personally identifiable information are in a secure environment.