Twitter (Android / Google Play) on Jun 20, 2016
- privacymeteronline
- Jun 20, 2016
- 16 min read

This app was recently updated; however, our findings are still up to date.
Here is one more application we're going to examine today. This application is available for Android here. It is a social app to connect with people, discover pics, clips, short posts and top trends, share location or thoughts, and exchange messages with friends. The latest build was released on June 10, 2016. Let's cite the description of this application below:
-------------------------------------------
Find the best of Twitter in an instant with Moments. Follow top stories through immersive pics, clips, and conversations. Get insights and perspectives you won't find anywhere else.
Twitter is a free app that lets you connect with people, express yourself, and discover more about all the things you love.
• Get breaking news. Stay informed with the local and global news that matters to you most, as it happens.
• Go behind the scenes at exclusive events like the Oscars, the Emmys, the MTV VMA's and the World Cup.
• Express yourself with text, photos, emoji, emoticons, video, GIFs and Vines.
• Use hashtags (like #NFL) to find more Tweets about topics you love.
• Get closer to people who interest you, including celebrities like Kim Kardashian, Harry Styles and Rihanna.
• Share Tweets with apps like Facebook, Whatsapp, Kik, LINE, email and SMS.
• Tweet links from sites like YouTube, Pinterest, Instagram, Spotify and Pandora.
• Send a private message without limits: now you're no longer limited to 140 characters when writing a Direct Message.
• Now it's even easier to share a Tweet privately in a Direct Message. Simply press and hold the Tweet you want to share, then pick the people you want to send it to.
Click here to see why Twitter is requesting permission to access features on your device: https://support.twitter.com/groups/54-mobile-apps/topics/223-android/articles/20171517-why-is-the-twitter-app-requesting-permission-to-access-features-on-my-android-device
-------------------------------------------
Protection levels.
Locally stored data (Data-at-Rest, DAR). Locally stored data groups include Analytics 'n' Ads Information, Application Information, Device Information, Credentials Information, Media Information, Account Information, Log Information, Address Book 'n' Contact Information, Social Information, Message Information, Personal 'n' Private Information, Payment 'n' Transaction Information, Booking 'n' Purchases Information. The average DAR value is 3.50 points (7.00 points of system protection and 0.00 points of own protection). It equals the typical value (3.5 points: 7 points of system protection and 0 points of own protection).
The full list of data items found in this app, with protection levels and short descriptions, is below:
Items with an average value of 3.50 points (7 points of system protection, 0 points of own protection) have the following protection-level definitions. Frankly speaking, this is extra data that shouldn't be accessible. System protection: root/jailbreak is required but is not possible without wiping device data. Own protection: the data is stored as is.
- Log Data ('Analytics 'n' Ads Information' Group) - Any data logged as a single file or in multiple parts. This group covers any kind of info related to analytics services like Flurry, Google Analytics, etc. or to advertisements.
- Application Configs ('Application Information' Group) - Different configuration files created by your app, perhaps app permissions. This group covers any kind of info related to the app and app settings, incl. installed apps or installers.
- Device Data ('Device Information' Group) - Owner Device ID, Owner Device Name, Owner Device OS Name and Version. This group covers details about your device.
- Credentials (IDs) ('Credentials Information' Group) - Only account IDs like app or 3rd party user IDs, incl. emails, phone numbers, usernames, etc. (depends on apps). This group covers any types of credentials, incl. basic (IDs only), passwords, tokens, etc.
- Credentials (Tokens) ('Analytics 'n' Ads Information' Group) - Different tokens used to get access to your account, except passwords but incl. app or 3rd party tokens, secret keys, etc. (they usually give full access to your account). This group covers any kind of info related to analytics services like Flurry, Google Analytics, etc. or to advertisements.
- Media Stream ('Media Information' Group) - Any kind of info like images, audio, videos, media notes, etc. This group covers data such as photos, images, video and audio.
- Media Stream ('Account Information' Group) - Any kind of info like images, audio, videos, media notes, etc. This group covers any info related to profiles and basic credential IDs like email, username or phone number, plus some more info depending on the application.
- Log Data ('Log Information' Group) - Any data logged as a single file or in multiple parts. This group covers any information stored in local or network logs.
- Stream ('Account Information' Group) - Any kind of social or other stream activity, incl. posts, walls, etc. This group covers any info related to profiles and basic credential IDs like email, username or phone number, plus some more info depending on the application.
- Stream ('Address Book 'n' Contact Information' Group) - Any kind of social or other stream activity, incl. posts, walls, etc. This group covers info stored locally, cached or transferred over the network and belonging to this application, even if it is social.
- Media Data ('Address Book 'n' Contact Information' Group) - Any kind of info like images, audio, videos, media notes, etc. This group covers info stored locally, cached or transferred over the network and belonging to this application, even if it is social.
- URLs ('Social Information' Group) - Different types of URLs referring to your files stored in clouds, profiles, social accounts, media files available online, etc. This group covers info grabbed from 3rd party social networks.
- Stream ('Social Information' Group) - Any kind of social or other stream activity, incl. posts, walls, etc. This group covers info grabbed from 3rd party social networks.
- Preview ('Social Information' Group) - Pieces of info downloaded locally or shown on the display only, like previews of emails, social posts, etc. This group covers info grabbed from 3rd party social networks.
- Contact Profile ('Address Book 'n' Contact Information' Group) - Full info about contacts, incl. name, email ID, phone numbers, gender, linked accounts, geo data, stream and social activity. This group covers info stored locally, cached or transferred over the network and belonging to this application, even if it is social.
- Contact GEO ('Address Book 'n' Contact Information' Group) - Linked info about the owner's and friends' geo data, stored as plain text or image location snapshots. This group covers info stored locally, cached or transferred over the network and belonging to this application, even if it is social.
- Address Data ('Address Book 'n' Contact Information' Group) - Home, work or another type of owner address stored by apps. This group covers info stored locally, cached or transferred over the network and belonging to this application, even if it is social.
- Media URLs ('Address Book 'n' Contact Information' Group) - URLs related to media info such as stream media or profile media, etc. This group covers info stored locally, cached or transferred over the network and belonging to this application, even if it is social.
- Device Details ('Analytics 'n' Ads Information' Group) - Includes basic device details plus hardware key and fingerprints as well as IMEI. This group covers any kind of info related to analytics services like Flurry, Google Analytics, etc. or to advertisements.
- Messages ('Message Information' Group) - Different types of messages and conversations, except SMS and MMS but incl. recipient & sender IDs and attachments. This group covers all types of messages, incl. SMS, MMS, social & IM messages with or without attachments.
- Personalization ('Personal 'n' Private Information' Group) - Info describing user preferences, favourites, tracked data, search requests, suggestions, etc. This group covers any kind of personal and private info not grabbed from 3rd party social networks or your IDs.
- Card Short Information ('Payment 'n' Transaction Information' Group) - Some info about the card holder, the card number (full or short) and expiration. This group covers details about transactions and the payment data involved in transaction records.
- Orders & Reservation History ('Booking 'n' Purchases Information' Group) - Some info about orders and reservations, like ID, date and time, amount of payment, and place (depends on apps). No description has been assigned to this group yet.
Keep in mind that if you're using certain Android devices, such as Samsung or LG models that can be rooted without user action, the system level equals 0 points instead of 7. It means your data can be stolen without any action on your part.
Transferred data (Data-in-Transit, DIT). Transferred data groups include Address Book 'n' Contact Information, Social Information, Media Information, Account Information, Credentials Information, Application Information, Payment 'n' Transaction Information, Booking 'n' Purchases Information, Message Information, Personal 'n' Private Information. The average DIT value is 5.50 points (4.00 points of system protection and 7.00 points of own protection). It is higher than the typical value (4 points: 4 points of system protection and 4 points of own protection).
The full list of data items found in this app, with protection levels and short descriptions, is below:
Items with an average value of 5.50 points (4 points of system protection, 7 points of own protection) have the following protection-level definitions. Frankly speaking, the data is not available all the time or is only partially accessible. System protection: the system informs the user if a fake certificate is imported into the device. Own protection: tricks to defeat sniffing (hard or impossible to patch out), incl. non-common or unsupported protocols.
- Media Data ('Address Book 'n' Contact Information' Group) - Any kind of info like images, audio, videos, media notes, etc. This group covers info stored locally, cached or transferred over the network and belonging to this application, even if it is social.
- Media Data ('Social Information' Group) - Any kind of info like images, audio, videos, media notes, etc. This group covers info grabbed from 3rd party social networks.
- Preview ('Media Information' Group) - Pieces of info downloaded locally or shown on the display only, like previews of emails, social posts, etc. This group covers data such as photos, images, video and audio.
- Account Details ('Account Information' Group) - Full info about your account, incl. account membership, expiration, profile, linked data and accounts, etc. This group covers any info related to profiles and basic credential IDs like email, username or phone number, plus some more info depending on the application.
- Stream ('Account Information' Group) - Any kind of social or other stream activity, incl. posts, walls, etc. This group covers any info related to profiles and basic credential IDs like email, username or phone number, plus some more info depending on the application.
- Stream ('Social Information' Group) - Any kind of social or other stream activity, incl. posts, walls, etc. This group covers info grabbed from 3rd party social networks.
- Contact Profile ('Address Book 'n' Contact Information' Group) - Full info about contacts, incl. name, email ID, phone numbers, gender, linked accounts, geo data, stream and social activity. This group covers info stored locally, cached or transferred over the network and belonging to this application, even if it is social.
- Credentials (IDs) ('Credentials Information' Group) - Only account IDs like app or 3rd party user IDs, incl. emails, phone numbers, usernames, etc. (depends on apps). This group covers any types of credentials, incl. basic (IDs only), passwords, tokens, etc.
- Credentials (Passwords) ('Credentials Information' Group) - Well-known passwords or PINs you use to get access to your account (usually worse than tokens because they give full access to your account). This group covers any types of credentials, incl. basic (IDs only), passwords, tokens, etc.
- Credentials (Activation IDs) ('Credentials Information' Group) - Two-factor activation code received in messages. This group covers any types of credentials, incl. basic (IDs only), passwords, tokens, etc.
- Application Configs ('Application Information' Group) - Different configuration files created by your app, perhaps app permissions. This group covers any kind of info related to the app and app settings, incl. installed apps or installers.
- Card Full Information ('Payment 'n' Transaction Information' Group) - All details about the card, including short info, holder address, bank info and CVC, CVV, CVV2. This group covers details about transactions and the payment data involved in transaction records.
- Address Data ('Payment 'n' Transaction Information' Group) - Home, work or another type of owner address stored by apps. This group covers details about transactions and the payment data involved in transaction records.
- Orders & Reservation History ('Booking 'n' Purchases Information' Group) - Some info about orders and reservations, like ID, date and time, amount of payment, and place (depends on apps). No description has been assigned to this group yet.
- Messages ('Message Information' Group) - Different types of messages and conversations, except SMS and MMS but incl. recipient & sender IDs and attachments. This group covers all types of messages, incl. SMS, MMS, social & IM messages with or without attachments.
- Personalization ('Personal 'n' Private Information' Group) - Info describing user preferences, favourites, tracked data, search requests, suggestions, etc. This group covers any kind of personal and private info not grabbed from 3rd party social networks or your IDs.
- Orders & Reservation Details ('Booking 'n' Purchases Information' Group) - Some info about orders and reservations, like ID, date and time, amount of payment, flight routes, hotel or other order details, rules, linked data. No description has been assigned to this group yet.
- Media Data ('Message Information' Group) - Any kind of info like images, audio, videos, media notes, etc. This group covers all types of messages, incl. SMS, MMS, social & IM messages with or without attachments.
- GEO Data ('Social Information' Group) - Any kind of geo info stored as plain text referring to places or tracked activity. This group covers info grabbed from 3rd party social networks.
Keep in mind that if you're using an outdated Android version (< 5.0), the system level equals 2 points instead of 4. It means your data can be stolen without any action on your part.
Below you find two infographics summarizing what we described above.
The first picture shows data items combined into groups and the best-protected items found.

The second picture shows data items separately from their groups and the worst-protected items found.

Privacy Policy
Full application privacy policy is available here.
If you live in the United States, your information is controlled by Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103 U.S.A. If you live outside the United States, the data controller responsible for your information is Twitter International Company, an Irish company with its registered office at The Academy, 42 Pearse Street, Dublin 2, Ireland. Despite this, you alone control and are responsible for the posting of your Tweets and other content you submit through the Services, as provided in the Terms of Service and Twitter Rules.
Irrespective of which country you live in, you authorize us to use your information in, and as a result to transfer it to and store it in, the United States, Ireland, and any other country where we operate. Privacy and data protection laws in some of these countries may vary from the laws in the country where you live.
Generally, developers describe the privacy policy from a country and law viewpoint.
Basic Account Information: When you create or reconfigure an account, you provide some personal information, such as your name, username, password, email address, or phone number.
Yes, this data is of a basic type; however, when you register or change something, you provide more details, such as country, city, time zone and birthday. We classify these as account details, separate from credentials data. The username, the password, and the token that replaces the password after your first login are obviously part of credentials. All of these data types were found being transferred over the internet. These data items are well protected, because the application has a pinning implementation, a kind of protection meant to prevent MITM attacks. However, pinning can be patched out or the Twitter certificate can be stolen, so it is neither a strong nor the best protection; in addition, the OS doesn't provide good protection of network activity. So the average level is still 5.5 points, and the ‘good’ category of protection is assigned to them: these data items have an average protection level of 5.50 points (4 points of system protection, 7 points of own protection). As for the same items stored locally, all of them got 3.5 points, less than a medium protection level (7 points of system protection, 0 points of own protection). To get these items you need root; however, there are some devices that allow rooting without user interaction.
Contact Information: You may use your contact information, such as your email address or phone number, to customize your account or enable Services, for example, for login verification, Twitter via SMS, or Digits by Twitter. If you provide Twitter with your phone number, you agree to receive text messages to that number from Twitter. When you use Digits by Twitter to sign up for or login to a third-party application, you are directing Twitter to share your contact information, such as your phone number, with that application.
The information the developers describe here is categorized as ‘Application Configs’ and covers all the items they mention. This category was found being transferred over the internet with an average level of 5.5 points (4 of system protection and 7 of own protection). Locally stored application config items are stored without protection, so here the average level is 3.5 points (7 of system protection and 0 of own protection).
Additional Information: You may provide us with profile information to make public on the Twitter Services, such as a short biography, your location, your website, date of birth, or a picture. For certain profile information fields we provide you with visibility settings to select who can see this information in your profile. If you provide us with profile information and you don’t see a visibility setting, that information is public. You may choose to upload and sync your address book so that we can help you find and connect with users you know or help other users find and connect with you. We may later tailor content, such as making suggestions or showing user accounts and Tweets for you and other users based on imported address book contacts. You can delete your imported address book contacts at any time. Learn more here. If you email us, we may keep your message, email address and contact information to respond to your request. If you connect your account on our Services to your account on another service in order to cross-post between our Services and that service, the other service may send us your registration or profile information on that service and other information that you authorize. This information enables cross-posting, helps us improve the Services, and is deleted from our Services within a few weeks of your disconnecting from our Services your account on the other service. Learn more here. Providing the additional information described in this section is entirely optional.
Short biography, website, birthday and media data are part of account details in ‘PrivacyMeter’ terms and have the same level. Location is discussed below in the “Location” paragraph. As for the same items stored locally, all of them were found and got 3.5 points, less than a medium protection level (7 points of system protection, 0 points of own protection).
Tweets, Following, Lists and other Public Information: Our Services are primarily designed to help you share information with the world. Most of the information you provide us through the Twitter Services is information you are asking us to make public. Your public information includes the messages you Tweet; the metadata provided with Tweets, such as when you Tweeted and the client application you used to Tweet; the language and time zone associated with your account; and the lists you create, people you follow, Tweets you mark as likes or Retweet, and many other bits of information that result from your use of the Twitter Services.
This is stream & social information, that is, part of the user's activity or of the activity of his friends or subscribers. Most of these data items are well protected (average level 5.5 points). As for the same items stored locally, all of them were found and got 3.5 points, less than a medium protection level (7 points of system protection, 0 points of own protection).
Location Information: Twitter may receive information about your location. For example, you may choose to publish your location in your Tweets and in your Twitter profile. You may also tell us your location when you set your trend location on Twitter.com. We may also determine location by using other data from your device, such as precise location information from GPS, information about wireless networks or cell towers near your mobile device, or your IP address. We may use and store information about your location to provide features of our Services, such as Tweeting with your location, and to improve and customize the Services, for example, with more relevant content like local trends, stories, ads, and suggestions for people to follow. Learn more about our use of location here, and how to set your location preferences here.
Location is social information linked either to the user's tweets or to the tweets of the user's friends. Frankly speaking, location links appear whenever possible and allowed by the user in the settings tab, and correspond to stream activity (tweets) or to the user's location as part of the user profile (city & country). All location activity performed over the network has a good level of protection (average 5.5 points). No geo data was found stored locally (although it is supposed to be) except contact geo information. Contact GEO items were found outside the backup on an iOS device and got 3.5 points, less than a medium protection level.
Log Data: When you use our Services, we may receive information (“Log Data”) such as your IP address, browser type, operating system, the referring web page, pages visited, location, your mobile carrier, device information (including device and application IDs), search terms, and cookie information. We receive Log Data when you interact with our Services, for example, when you visit our websites, sign into our Services, interact with our email notifications, use your account to authenticate to a third-party website or application, or visit a third-party service that includes a Twitter button or widget. We may also receive Log Data when you click on, view or interact with links on our Services, including links to third-party applications, such as when you choose to install another application through Twitter.
Log data, device data, and analytics device details were also found in the backup file (average level 3.5).
Commerce Services: You may provide your payment information, including your credit or debit card number, card expiration date, CVV code, and billing address (collectively, “Payment Information”), along with your shipping address, to complete a commerce transaction through our Services. To facilitate future purchases, we store your Payment Information (excluding CVV code) and shipping address, which you can remove from your account at any time using your account settings. We consider your Payment Information and shipping address private and do not make such information public. We collect and store information created by your purchases made through our Services (“Transaction Data”). Transaction Data may include the merchant’s name and the date, time, and amount of the transaction.
Recently, the developers added a new payment feature. All these data items were found stored locally in the backup file, so the average level is 3.5 points (no own protection). Card information is stored in a short form without the CVV code. As for network data items, you obviously have to type the CVV, and even though the developers don't store it on their own servers, this data item is part of network activity, but it is well protected (average level 5.5). Additionally, order history & details got the same protection levels here.