RocketBank 3.0.23 (Android / GooglePlay) on 2016-5-22
- privacymeteronline
- 22 May 2016
- 5 min read

RocketBank is a popular application in Russia according to publicly available sources, e.g. TechCrunch. It has been known since 2012 and has since accrued "a few thousand" users. Its Android app includes the ability to pay a person without having to know their bank details: instead, users can pick who they want to pay from their phone address book, or enter an email address or e-wallet number. RocketBank is not a bank itself; rather, it is a mobile app with banking abilities, much like an MVNO is not a mobile network operator but can still offer cellular services by piggybacking on carriers' networks.
Unfortunately, the application page is available in Russian only, so we translated a short description via Google Translate:
Roketbank is a bank in your mobile device.
The Roketbank map is suitable for shopping and money management:
- 8% per annum on the balance
- 1% cashback for purchases
- Up to 10% cashback in "favorite places"
- Free and instant replenishment of the card from other banks
- Transfers to other banks' cards
- 5 free cash withdrawals at any ATM in the world
Roketbank service is something we are loved for:
- An attentive support team right in the app; you will not need to call
- Lock and unlock the card and order inquiries directly from the application in a couple of touches
- Tags and analytics to manage costs
Protection levels
Locally stored data (Data-at-Rest, DAR). Locally stored data groups include Analytics'n'Ads Information, Credentials Information, Account Information, Media Information, AddressBook'n'Contacts Information, Message Information and Payment 'n' Transaction Information. The average value is 3.5 points (7 points of system protection and 0 points of own protection).
The full list of data items found in this app, with protection levels and a short description, is below:
- Device Details ('Analytics'n'Ads Information' group): details about your device, e.g. whether it is jailbroken (rooted), collected by a third-party library
- Credentials (Token) ('Analytics'n'Ads Information' group): tokens used by the analytics library to connect to its server
- Credentials (IDs) ('Analytics'n'Ads Information' group): ID used by the analytics library to connect to its server
- Credentials (IDs) ('Credentials Information' group): your ID, which is your phone number
- Credentials (Token) ('Credentials Information' group): your token, linked to the device after you confirm the activation code received by SMS
- Account Data (Token) ('Account Information' group): account data related to the customer (usually the 'profile' tab)
- Contact Short Profile ('AddressBook 'n' Contacts Information' group): profile of the contact related to the messages available on the support tab, i.e. the conversation with the support team
- URLs ('AddressBook 'n' Contacts Information' group): contact profile avatar link (from the address book) for those contacts who are using RocketBank too
- Tracked 'n' Favourites ('AddressBook 'n' Contacts Information' group): list of your address book contacts who are using RocketBank too
Compared to iOS, the following data items were not found in the Android app's folders:
- Contact Short Profile ('Message Information' group): profile of the contact related to the messages available on the support tab, i.e. the conversation with the support team
- URLs ('Message Information' group): profile avatar link of the support team contact (like the previous one)
- Messages ('Message Information' group): conversation with the support team
- Card Short Number ('Payment 'n' Transaction Information' group): shortened numbers of the cards you linked to your Rocket account, plus the RocketCard
- Transaction History ('Payment 'n' Transaction Information' group): information about your transactions, such as topping up the RocketCard via another bank card
- GEO ('Payment 'n' Transaction Information' group): transactions linked to your current geo location
- Buyer's Check ('Payment 'n' Transaction Information' group): the transaction's bill, with shortened card information (instead of account information, as is usual)
Transferred data (Data-in-Transit, DIT). Transferred data groups include Credentials Information, Account Information and Message Information. The average value is 4 points (4 points of system protection and 4 points of own protection).
The full list of data items found in this app, with protection levels and a short description, is below:
- Credentials (IDs) ('Credentials Information' group): your ID, which is your phone number
- Credentials (Token) ('Credentials Information' group): your token, linked to the device after you confirm the activation code received by SMS
- Credentials (Activation IDs) ('Credentials Information' group): the digit PIN you received by SMS
- Account Data (Token) ('Account Information' group): account data related to the customer (usually the 'profile' tab)
- Messages ('Message Information' group): your messages available on the support tab, i.e. the conversation with the support team
- Contact Short Profile ('Message Information' group): profile of the contact related to the messages available on the support tab, i.e. the conversation with the support team
- Contact Short Profile ('AddressBook 'n' Contacts Information' group): profile of the contact related to the messages available on the support tab, i.e. the conversation with the support team
- URLs ('AddressBook 'n' Contacts Information' group): contact profile avatar link (from the address book) for those contacts who are using RocketBank too
- Media Data ('AddressBook 'n' Contacts Information' group): avatars of your address book contacts who are using RocketBank too; the avatars are uploaded via the Rocket DB, not your address book DB
- Tracked 'n' Favourites ('AddressBook 'n' Contacts Information' group): list of your address book contacts who are using RocketBank too
- URLs ('Message Information' group): profile avatar link of the support team contact (like the previous one)
- Card Full Information ('Payment 'n' Transaction Information' group): full information about the card used to top up the Rocket card, as well as the RocketCard when you activate it
- Card Short Information ('Payment 'n' Transaction Information' group): some information (not including CVC/CVV) about the cards you linked to your Rocket account
- Card Short Number ('Payment 'n' Transaction Information' group): shortened numbers of the cards you linked to your Rocket account, plus the RocketCard
- Transaction History ('Payment 'n' Transaction Information' group): information about your transactions, such as topping up the RocketCard via another bank card
- GEO ('Payment 'n' Transaction Information' group): transactions linked to your current geo location
- Buyer's Check ('Payment 'n' Transaction Information' group): the transaction's bill, with shortened card information (instead of account information, as is usual)
- Stream ('Loyalty Information' group): list of offers from Rocket partners
- Account Data ('Financial Information' group): your financial account info, such as wallet, money amount, etc.
- Credentials (Passwords) ('Credentials Information' group): your RocketBank password, which is also your Rocket card PIN code. If your device supports Touch ID, you will automatically be switched to this feature
Analytics'n'Ads Information was not observed in traffic but was found stored locally; perhaps the saved data is sent the next time you log in.
Keep in mind that if you are using an outdated Android version (< 5.0), the system protection level is 2 points instead of 4. That means your data can be stolen without any action on your part.
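As an added example (not code from the original post or from RocketBank), here is a small Python audit script of the kind one would use to check the "own protection" of locally stored data such as the tokens and IDs listed above: it parses an Android shared_prefs XML file and flags entries holding plaintext credentials or analytics identifiers. The file content, key names and values below are constructed for illustration; a real check would run over the extracted data directory of the app under review.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of an Android shared_prefs XML file (not from RocketBank;
# illustrative only). Key names and values are invented.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="phone">+79990000000</string>
    <string name="auth_token">d41d8cd98f00b204e9800998ecf8427e</string>
    <string name="analytics_id">a1b2c3d4-0000-1111-2222-333344445555</string>
    <string name="theme">dark</string>
    <boolean name="onboarding_done" value="true" />
</map>
"""

# Key-name patterns that usually indicate credentials or tracking identifiers.
SENSITIVE_KEY_PATTERNS = [
    (re.compile(r"token|secret|password|pin", re.I), "Credentials"),
    (re.compile(r"phone|msisdn", re.I), "Credentials (ID)"),
    (re.compile(r"analytics|tracking|advertising", re.I), "Analytics'n'Ads"),
]

# Value shapes that look like secrets even when the key name is innocuous.
HEX_TOKEN = re.compile(r"^[0-9a-f]{32,}$", re.I)
PHONE = re.compile(r"^\+?\d{10,15}$")


def classify(key, value):
    """Return a category label if the entry looks sensitive, else None."""
    for pattern, label in SENSITIVE_KEY_PATTERNS:
        if pattern.search(key):
            return label
    if HEX_TOKEN.match(value):
        return "Credentials (token-like value)"
    if PHONE.match(value):
        return "Credentials (phone-like value)"
    return None


def audit_prefs(xml_text):
    """Parse a shared_prefs document and list plaintext sensitive entries.

    Returns a list of (key, category) tuples in file order. Only <string>
    entries carry free-form text, so other preference types are ignored.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for node in root.findall("string"):
        key = node.get("name", "")
        value = (node.text or "").strip()
        category = classify(key, value)
        if category:
            findings.append((key, category))
    return findings


if __name__ == "__main__":
    for key, category in audit_prefs(SAMPLE_PREFS):
        print(f"plaintext {category}: {key}")
```

Any entry the script reports is stored with system protection only (file permissions of the app sandbox); an app that wanted to earn "own protection" points would encrypt such values before writing them, or keep them out of persistent storage altogether.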
The first picture shows the data items combined into groups and the best-protected items found.

The second picture shows the data items separately from their groups and the worst-protected items found.

Privacy Policy
According to the Google Play application page, the privacy policy is available here; however, we found it only here, and only in Russian, so we rely on the Google-Translated result.
Many clauses describe card security. Below we cite the section 'How do we work with your data' and its sub-section 'Processes', skipping the website description.
All our cards are issued in compliance with PCI DSS (Payment Card Industry Data Security Standard). MasterCard World cards are secured by MasterCard SecureCode technology for secure online shopping using a generated 3-D Secure code (the same one we ask you to enter each time to confirm that you really want to make a purchase).
We wish that not only the cards but also the mobile application were developed in compliance with PCI DSS.
All the operations that you carry out in the application are signed not only by your password but also by a unique token, which we assign to your smartphone.
We did not find any case where the customer's password is used; everything is bound to the token.
Therefore, even if someone learns your password, he would never be able to see even your operations feed from another smartphone.
If that were so, we would not have found the token and bypassed the protection. It may require some action on the user's side, but it is still not very complex to get at the feed.