Plazius 4.1 (Android / GooglePlay) on 2016-5-12
- privacymeteronline
- May 13, 2016
- 4 min read

Plazius is a popular application in Russia, according to publicly available sources. It was previously known as Platius; the main clients of the Plazius platform were restaurants, cafes and other catering enterprises. Now every shop, from grocery stores to branches of major chains, can connect to Plazius and use the capabilities provided by the platform to develop business and increase revenue (according to a SberBank press release). Unfortunately, the application page is available in Russian only, so we translated a short description via Google Translate:
Plazius - mobile payments and gifts.
- Earn money with every purchase
- It is easy to spend bonus rubles
- Pay your order by credit card
- Do not wait for the waiter
- Follow the instructions
- Provide feedback
- Buy profitable stocks
- The app uses user geolocation to show offers
Protection levels. Locally stored data (Data-at-Rest, DAR). Locally stored data groups include Analytics'n'Ads Information, Credentials Information, Media Information. The average value is 3.8 points (7 points of system protection and 0.6 points of own protection).
The full list of data items found in this app, with protection levels and short descriptions, is below:
- Device Details ('Analytics'n'Ads Information' Group) - more details about your device, e.g. whether it is jailbroken or not, collected by a third-party library,
- Credentials (Token) ('Analytics'n'Ads Information' Group) - tokens of analytics library to connect to server,
- Credentials (IDs) ('Analytics'n'Ads Information' Group) - ID of analytics library to connect to server,
- Credentials (Token) ('Credentials Information' Group) - your token linked to the device after you confirm activation code received by SMS,
- Device Details ('Log Information' Group) - more details about your device but logged and stored locally
The most popular data type, Credentials (IDs) from the 'Credentials Information' Group, wasn't found in this application, because the application generates a token after binding the phone number and confirmation ID and doesn't store IDs locally.
Transferred data (Data-in-Transit, DIT). Transferred data groups include Credentials Information, Account Information, Message Information, Loyalty Information. The average value is 3 points (4 points of system protection and 2 points of own protection).
The full list of data items found in this app, with protection levels and short descriptions, is below:
- Credentials (IDs) ('Credentials Information' Group) - your ID is your phone number,
- Credentials (Activation IDs) ('Credentials Information' Group) - digit pin you received by SMS,
- Credentials (Token) ('Credentials Information' Group) - your token linked to the device after you confirm activation code received by SMS,
- Credentials (IDs) ('Loyalty Information' Group) - (same value as previous IDs) your ID is your phone number,
- Credentials (Token) ('Loyalty Information' Group) - (same value as previous token) your token linked to the device after you confirm activation code received by SMS,
- GEO Data ('Loyalty Information' Group) - your geo location to suggest offers near you,
- GEO Data ('Location'n'Maps Information' Group) - (same value as previous) your geo location to suggest offers near you,
- Place Details ('Loyalty Information' Group) - place details linked to offers suggested to you,
- Account Details (Token) ('Account Information' Group) - more details about you incl. your birthday,
- Card Short Number ('Payment'n'Transaction Information' Group) - once your payment card is bound, you will see a picture of a card with the card's last 4 digits,
- Card Full Information ('Payment'n'Transaction Information' Group) - full information about your card while you're registering a payment card,
- Buyer's Check ('Loyalty Information' Group) - information about your bills, even if you didn't pay the bill directly but typed or scanned a loyalty code,
- Place Details ('Loyalty Information' Group) - besides place details regarding your offers, you can also find place details regarding your bills,
- GEO data ('Loyalty Information' Group) - and not only place details but geo location values as well,
- Orders & Reservation History ('Loyalty Information' Group) - information about your bills from historical viewpoint
Analytics'n'Ads Information wasn't tracked in traffic but was found stored locally; perhaps the saved data would be sent the next time you log in.
Keep in mind that if you're using an outdated Android version (< 5.0), the system level equals 2 points instead of 4. It means your data can be stolen without involving your actions.
The first picture shows data items combined into groups and the best protected items found.

The second picture shows data items separately from their groups and the worst protected items found.

Privacy Policy
The basic privacy policy is available here. After switching to GB, the page redirected us here and loaded the Russian privacy policy. Any language mentioned as available (GB, German, ...) is always in Russian only. We're pretty excited by such a way of helping customers :) Anyway, let's translate it with Google again.
This document describes definitions such as 'bonus' and 'mobile payment', customer requirements and limits, etc. Three clauses referring to security and privacy made us even more excited than before.
6.4 The administration does not guarantee the confidentiality of information and data about the Participant and is not responsible for the disclosure of such information is liable, since the transfer of the data is carried out through open channels of communication.
OK, the Plazius team, bought by the National bank, doesn't guarantee anything related to security and privacy and is not going to be responsible for anything.
6.5 Administration under no circumstances be liable to the Participant and the Company of material (financial) responsibility for the damage, forced business interruption, loss of business, or other data or information, claims or costs, any damages and lost profits or lost savings, caused by use of or relating to the use Plazius systems, as well as for damages caused by possible errors or misprints in the software, as well as for any claims by third parties.
The Plazius team will never reimburse your loss; simply put, it doesn't give a shit.
6.6 The Participant is obliged to observe safety measures when using Plazius systems or transfer login and password to log in Plazius.
Customers are obliged to protect their credentials. Awesome: the developers can't protect them from tapping, are not going to be responsible for anything, and make customers protect their own credentials.
Well done, developers. Best privacy policy we've ever seen. Worst security and relation to the customers. Nothing to do here ;) Our personal opinion is to stay away from such applications unless they are fixed in terms of security and privacy policy.