
Cinemagia, program TV, cinema 5.0.3 (Android / Google Play) on 2016-5-11

  • privacymeteronline
  • May 17, 2016
  • 4 min read

Today we're going to examine the media application Cinemagia. The latest build, 5.0.3, was released for Android on April 22, 2016 and is available here. According to the description it should support two languages, Romanian and English; however, we found only a Romanian UI and application page. Since Google Translate has become our friend, we will use it again.

Translated quote from application page: Discover program in Romania cinemas and television program. Buy tickets direct to your mobile cinema. Read the latest news from the world of film. View trailers and movies that are coming to the cinema. Find out all about your favorite movies and actors. App sections/features:

- Program cinema
- TV, Movies on TV, now on TV
- favorite TV channels
- Leisure
- Events in Bucharest
- Buy tickets cinema, performances
- Set alerts TV program
- News
- Full details about movies
- Trailers HD and SD
- Photo gallery movies and actors
- Movies in the cinema soon
- Boxoffice Romania

Protection levels. Locally stored data (Data-at-Rest, DAR). Locally stored data groups include Credentials Information, Media Information. The average value is 3.5 points (7 points of system protection and 0 points of own protection). This is a typical scenario for many applications.

The full list of data items found in this app, with protection levels and a short description, is below:

- Credentials (IDs) ('Credentials Information' Group) - your ID related to your email but not the email address. Frankly speaking, it's a username based on your social username or perhaps email ID,
- Credentials (Tokens) ('Credentials Information' Group) - a token used instead of a password,

There's an assumption. We weren't able to use a login+password pair; instead, we signed up via Facebook and bound our email + password.

Also, keep in mind that using a jailbroken device means your system protection level is 0 points, and if you're using an outdated iOS < 8.3 your system protection level is 2 points.

Transferred data (Data-in-Transit, DIT). Transferred data groups include Credentials Information, Social Information, Location'n'Maps, Booking'n'Purchases Information, Device Information, Account Information, Payment'n'Transaction Information. The average value is different from typical average values and equals 1.9 points (3.0 points of system protection and 0.8 points of own protection). You may notice it's a bit unusual, and if you're already familiar with our results you can probably guess that it means some data items aren't properly protected.

The full list of data items found in this app, with protection levels and a short description, is below:

Items #0 with an average value of 1 points (0 points of system protection and 0 points of own protection) means data can be tapped without user interaction and is honestly not protected at all. Here is only one data item found:

- Orders & Reservation Details ('Payment'n'Transaction Information' Group) - details of your purchases, movie, seat, place, etc. (after you paid)
- Orders & Reservation History ('Booking'n'Purchases Information' Group) - history of your orders
- Device Data ('Device Information' Group) - basic information about your device

Items #1 with an average value of 1 points (1 points of system protection and 0 points of own protection) means data can be tapped without user interaction and is honestly not protected at all. These data items are either simply encoded into a known format like base64 or compressed, if this option is turned on on the developer's server. Here is only one data item found:

- Sessions Details ('Credentials Information' Group) - some details related to sessions while the customer is authorizing in the Cinemagia application
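A check for the point made under Items #1, that base64 and compression are reversible encodings and not protection. This is an added example, not code from the original post or from the Cinemagia app; the captured body is constructed and the function names are hypothetical.

```python
import base64
import binascii
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"

def is_readable(data: bytes) -> bool:
    """True if the bytes are non-empty printable UTF-8 text."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return bool(text) and all(c.isprintable() or c in "\r\n\t" for c in text)

def _try_base64(data: bytes):
    """Decode strict, padded base64; return None if it is not base64."""
    data = data.strip()
    if len(data) < 8 or len(data) % 4:
        return None
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None

def _try_gzip(data: bytes):
    """Decompress a gzip stream; return None if it is not gzip."""
    if data[:2] != GZIP_MAGIC:
        return None
    try:
        return gzip.decompress(data)
    except (OSError, EOFError, zlib.error):
        return None

def peel(body: bytes, max_layers: int = 5):
    """Strip reversible layers; return (layers_removed, remaining_bytes)."""
    layers = []
    for _ in range(max_layers):
        unzipped, decoded = _try_gzip(body), _try_base64(body)
        if unzipped is not None:
            layers.append("gzip"); body = unzipped
        # Plain words can look like base64, so only accept a decode that
        # yields text or another known layer.
        elif decoded is not None and (decoded[:2] == GZIP_MAGIC or is_readable(decoded)):
            layers.append("base64"); body = decoded
        else:
            break
    return layers, body

# Constructed sample: a session record, gzip-compressed then base64-encoded.
SAMPLE_RECORD = b'{"session_id": "EXAMPLE-0001", "user": "demo"}'
SAMPLE_BODY = base64.b64encode(gzip.compress(SAMPLE_RECORD))
```

If `peel` ends on readable text, the body had no protection of its own; a body that stays opaque after peeling needs a different assessment.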

Items #2 with an average value of 2 points (4 points of system protection and 0 points of own protection) means data can be tapped without user interaction and is honestly not protected at all. These data items were found as browser (or WebView) data and can be tapped. There is no additional protection from the developer side here, because almost all browsers or browser-based components only inform you about non-trusted certificates. So, the data list includes:

- Credentials (IDs) ('Social Information' Group) - your ID related to your email but not the email address. Frankly speaking, it's a username based on your social username or perhaps email ID,
- Credentials (Tokens) ('Social Information' Group) - a token used instead of a password,
- Contact Short Profile ('Social Information' Group) - a few pieces of the customer profile grabbed from the social network
- Credentials (Passwords) ('Social Information' Group) - the password related to your social account was tapped as well. After that, the password is no longer used and a token given by the Facebook server 'replaces' it.
- Card Full Information ('Payment'n'Transaction Information' Group) - all details about your payment card
- Sessions Details ('Payment'n'Transaction Information' Group) - some details about transaction sessions
- Buyer Data ('Booking'n'Purchases Information' Group) - some information about the buyer (your email, phone number, name at least)
- Orders & Reservation Details ('Booking'n'Purchases Information' Group) - details of your purchases, movie, seat, place, etc. (before you pay)

Unlike the iOS application, we didn't find the following items here:

- Media Data ('Social Information' Group) - the avatar is also grabbed from the social network profile

Items #3 with an average value of 4 points (4 points of system protection and 4 points of own protection) means data can be tapped with or without user interaction and refers to specific cases like a fake, non-trusted or stolen certificate, etc. So, here is the list of data items:

- Credentials (IDs) ('Credentials Information' Group) - your login ID (username)
- Account Data ('Account Information' Group) - your in-app profile data
- Credentials (Passwords) ('Credentials Information' Group) - your password

Unlike the iOS application, we didn't find the following items here:

- GEO Data ('Location'n'Maps Information' Group) - your location data, used to suggest places where to go (our thoughts)

Keep in mind that if you're using an outdated Android < 5.0, the system level equals 2 points instead of 4. It means your data can be stolen without involving your actions.

We bet you expect to know which items were the worst protected here. Here is the list:

System Protection - 1 point, Own Protection - 0 points

- Sessions Details ('Credentials Information' Group)

System Protection - 0 points, Own Protection - 0 points

- Orders & Reservation Details ('Booking'n'Purchases Information' Group)
- Device Data ('Device Information' Group)
- Orders & Reservation History ('Booking'n'Purchases Information' Group)

The first pic includes info about data items combined into groups and the best protected items found.

The second pic includes info about data items separately from groups and the worst protected items found.

Privacy Policy

The permanent link does not provide much information about security and privacy; it refers to laws and draws attention to the fact that the Cinemagia team doesn't guarantee or take responsibility for anything.
