
Google Maps 4.18.0 (iOS / App Store) on 2016-5-12

  • privacymeteronline
  • May 20, 2016
  • 5 min read

We bet everyone has heard of Google Maps! This app certainly makes navigating your world faster and easier. We usually expect native / vendor applications to have a better security level than others. Today we want to check that theory. Here is what this application offers its customers (quote below):

Get there faster with real-time updates • Beat traffic with real-time ETAs and traffic conditions • Catch your bus, train, or ride-share with real-time transit info • Save time with automatic re-routing based on live traffic, incidents, and road closures • Don't miss a turn or exit with lane guidance • Find pit stops along your route like gas stations and coffee spots

Discover places and explore like a local • Find top-rated restaurants and local businesses, wherever you are • Decide on the best places to go with reviews, ratings, and pictures of foods and interiors • Plan your visit and see menus, make reservations, and find when places are typically busiest • Help others discover the best places by sharing reviews, photos and more • Save places you want to or often visit, and quickly find them later from any computer or device

Experience the Google Maps difference • Offline maps to search and navigate without an internet connection • Street View and indoor imagery for restaurants, shops, museums and more • Indoor maps to quickly find your way inside big places like airports, malls and stadiums • Comprehensive, accurate maps in 220 countries and territories • Transit schedules and maps for over 15,000 cities • Detailed business information on over 100 million places

The latest build, 4.18.0, was released on Apr 26, 2016 and is available here for iOS. What's new here (quote): • Use the Travel Times Today Extension to quickly check traffic on the way to home and/or work (require home/work to be saved) • Easily share directions with your contacts

Protection levels. Locally stored data (Data-at-Rest, DAR). Locally stored data groups include Application Information, Location'n'Maps Information, AddressBook'n'Contacts Information, Media Information. The average value is 3.84 points (7 points of system protection and 2.67 points of own protection).

The full list of data items found in this app, with protection levels and short descriptions, is below:

- Application Configs ('Application Information' Group) - list of configuration values incl. your settings
- GEO Data ('Location'n'Maps Information' Group) - obviously, this data type is the key one for applications like this (your geo location)
- Address Data ('Account Information' Group) - as with the previous item, raw geo location values mean little to humans (an address is better)
- Screenshots ('Media Information' Group) - screenshot of the application windows taken when you switch applications (a basic feature of iOS unless it is turned off)

Credentials or tokens weren't found in backup. Moreover, the password for Google applications can be found only once; after that all applications work with a token. So we give 7.5 points to each credentials item (IDs, Tokens) as the best protected items:

- Credentials (IDs) ('Credentials Information' Group) - your ID is your email
- Credentials (Tokens) ('Credentials Information' Group) - a token used instead of the password

Also, keep in mind that using a jailbroken device means your system protection level is 0 points, and if you're using an outdated iOS (< 8.3) your system protection level is 2 points.

Transferred data (Data-in-Transit, DIT). Transferred data groups include Credentials Information, Account Information, Message Information. The average value is 4 points (4 points of system protection and 4 points of own protection).

The full list of data items found in this app, with protection levels and short descriptions, is below:

- Credentials (IDs) ('Credentials Information' Group) - your ID is your email
- Credentials (Tokens) ('Credentials Information' Group) - a token used instead of the password
- Account Data ('Account Information' Group) - some data about the customer (their profile)
- URLs ('Account Information' Group) - URLs to the account profile were also found here
- GEO Data ('Location'n'Maps Information' Group) - geo location values
- GEO Data ('Media Information' Group) - additionally, geo location bound to the pictures of that place
- Location History ('Location'n'Maps Information' Group) - your location history (address data + geo location on a tap per item)
- Credentials (Passwords) ('Credentials Information' Group) - as we wrote earlier, the password is typed once
- Tracked Data'n'Favourites ('Device Information' Group) - as gmaps has a feature to share data between devices, you may find a favourites data type related to your device, with settings and device information
- Application Configs ('Device Information' Group) - settings per shareable device
- Device Data ('Device Information' Group) - device information about the shareable device
- Tracked Data'n'Favourites ('Location'n'Maps Information' Group) - your favourite places
- Address Data ('Location'n'Maps Information' Group) - address data per location
- Media Data ('Account Information' Group) - avatar of a customer profile
- Personalization ('Location'n'Maps Information' Group) - your search requests, converted into history

Keep in mind that if you're using an outdated iOS (< 9.0), the system level equals 2 points instead of 4. It means your data can be stolen without any action on your part.

First pic includes info about data items combined into groups and best protected items found.

Second pic includes info about data items separately from their groups and the worst protected items found.

Privacy Policy

A solid document, published on Mar 15, 2016, is available here. This policy is too general and covers all Google services, but it is the best we've seen: there are no clauses about how they care for and protect data, only facts about what is collected and why, even in the 'security' section (below). So, as you may notice, Google doesn't say they protect you 100%; they simply say they use SSL to encrypt data. Compare it with our findings: [transit - DIT] system protection plus own protection with certificate validation (4-4 points); [local - DAR] only system protection and not much data stored locally, but no credentials were found in backup, and that's really good. All the data items we found are obviously the key items you would expect once you understand what actions such an application performs. This policy, together with an understanding of the application's features, is a kind of WYSIWYG ("what you see is what you get").

Information security - We work hard to protect Google and our users from unauthorized access to or unauthorized alteration, disclosure or destruction of information we hold. In particular:

- We encrypt many of our services using SSL.
- We offer you two step verification when you access your Google Account, and a Safe Browsing feature in Google Chrome.
- We review our information collection, storage and processing practices, including physical security measures, to guard against unauthorized access to systems.
- We restrict access to personal information to Google employees, contractors and agents who need to know that information in order to process it for us, and who are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.

What we expected to learn: are native / vendor applications always more secure than others? What we got: not every native / vendor application is. It's a bit of a sad fact, but here we go :)
