Instagram 8.3 (iOS / App Store) on Jun 21, 2016
- privacymeteronline
- Jun 21, 2016

Today we examine one more application. This application is available for iOS here. The app lets users explore and share photos and videos, send private messages, and enhance media items with various filters. The latest build was released on Jun 20, 2016. The application's description is quoted below:
-------------------------------------------
Instagram is a simple way to capture and share the world’s moments. Follow your friends and family to see what they’re up to, and discover accounts from all over the world that are sharing things you love. Join the community of over 400 million people and express yourself by sharing photos and videos from your day––whether it’s your morning routine or the trip of a lifetime.
Use Instagram to:
• Edit and share photos with filters and creative tools to change brightness, contrast and saturation, as well as shadows, highlights, perspective and more.
• Make your videos look cinematic with filters, custom-built stabilization and tools to combine multiple clips into one video.
• Discover photos and videos you might like and follow new accounts in the Explore tab.
• Send private messages, photos, videos and posts from your feed directly to friends with Instagram Direct.
• Instantly share photos and videos on Facebook, Twitter, Tumblr and other social networks.
• Use Handoff to switch between your Apple Watch and your iPhone.
-------------------------------------------
Protection levels.
Locally stored data (Data-at-Rest, DAR). Locally stored data groups include Media Information, Address Book 'n' Contact Information, Social Information, Credentials Information, Account Information, Log Information. The average DAR value is 5.83 points (7.00 points of system protection and 4.67 points of own protection). It is higher than the typical value (3.5 points, i.e. 7 points of system protection and 0 points of own protection).
The full list of data items found in this app, with protection levels and short descriptions, is below:
Items #1, with an average value of 7.50 points (7 points of system protection, 8 points of own protection), have the following data protection level definitions. Frankly speaking, this is compliant, but there are publicly known techniques to access the data. In the system protection case, root/jailbreak is required but not possible without wiping device data; in the own protection case, the data is not available in backups.
- Screen Snapshots ('Media Information' Group) - Screenshots of your device screen running certain apps (available by default on iOS devices, but happens for any 3rd party apps that have such features). This group covers a lot of data like photo, image, video, audio.
- Media Stream ('Account Information' Group) - Any kind of info like images, audios, videos, media notes, etc. This group covers any info related to profiles, basic credential IDs like email, username or phone number, plus some more info depending on the application.
- Log Data ('Log Information' Group) - Any data logged as a single file or in multiple parts. This group covers any information stored in local or network logs.
- Contact Short Profile ('Log Information' Group) - Name, Email ID, Phone number of contacts. This group covers any information stored in local or network logs.
- Device Data ('Log Information' Group) - Owner Device ID, Owner Device Name, Owner Device OS Name and Version. This group covers any information stored in local or network logs.
- Environment ('Log Information' Group) - Different info about the environment of your device incl. apps lists, device info, OS name and versions, updates, list of users, network details, etc. This group covers any information stored in local or network logs.
- Media URLs ('Log Information' Group) - URLs related to media info such as stream media or profile's media, etc. This group covers any information stored in local or network logs.
Items #2, with an average value of 3.50 points (7 points of system protection, 0 points of own protection), have the following data protection level definitions. Frankly speaking, this is extra data that was found and shouldn't be accessible. In the system protection case, root/jailbreak is required but not possible without wiping device data; in the own protection case, the data is stored as is.
- Contact Short Profile ('Address Book 'n' Contact Information' Group) - Name, Email ID, Phone number of contacts. This group covers info stored locally, cached or transferred over the network and belonging to this application, even if it's social.
- Media URLs ('Address Book 'n' Contact Information' Group) - URLs related to media info such as stream media or profile's media, etc. This group covers info stored locally, cached or transferred over the network and belonging to this application, even if it's social.
- Access Permissions ('Social Information' Group) - List of permissions linked to the access token used to get access to some features of the service. This group covers info grabbed from 3rd party social networks.
- Credentials (IDs) ('Social Information' Group) - Only account IDs like app or 3rd party user IDs incl. emails, phone numbers, usernames, etc. (depends on apps). This group covers info grabbed from 3rd party social networks.
- Credentials (IDs) ('Credentials Information' Group) - Only account IDs like app or 3rd party user IDs incl. emails, phone numbers, usernames, etc. (depends on apps). This group covers any types of credentials incl. basic (IDs only), passwords, tokens, etc.
Also keep in mind that on a jailbroken device the system protection level is 0 points, and on an outdated iOS < 8.3 the system protection level is 2 points. If some data is marked as shareable via iTunes, then the system protection level is 4 points.
Transferred data (Data-in-Transit, DIT). Transferred data groups include Credentials Information, Browser Information, Social Information, Application Information, Account Information, Media Information, Message Information, Address Book 'n' Contact Information, Device Information, Log Information, Personal 'n' Private Information, Location 'n' Maps Information. The average DIT value is 3.60 points (4.00 points of system protection and 3.20 points of own protection). It is less than the typical value (4 points, i.e. 4 points of system protection and 4 points of own protection).
The full list of data items found in this app, with protection levels and short descriptions, is below:
Items #1, with an average value of 4.00 points (4 points of system protection, 4 points of own protection), have the following data protection level definitions. Frankly speaking, the data is available only if that is allowed, and access may require user action. In the system protection case, the system informs the user if a fake certificate is imported into the device; in the own protection case, protection is bypassed by fake root certificates (the app doesn't check the certificate path).
- Credentials (IDs) ('Credentials Information' Group) - Only account IDs like app or 3rd party user IDs incl. emails, phone numbers, usernames, etc. (depends on apps). This group covers any types of credentials incl. basic (IDs only), passwords, tokens, etc.
- Credentials (Passwords) ('Credentials Information' Group) - Well-known passwords or PINs you use to get access to your account (usually worse than tokens because they give full access to your account). This group covers any types of credentials incl. basic (IDs only), passwords, tokens, etc.
- Credentials (Tokens) ('Credentials Information' Group) - Different tokens used to get access to your account, except passwords but incl. app or 3rd party tokens, secret keys, etc. (usually give full access to your account). This group covers any types of credentials incl. basic (IDs only), passwords, tokens, etc.
- Credentials (IDs) ('Browser Information' Group) - Only account IDs like app or 3rd party user IDs incl. emails, phone numbers, usernames, etc. (depends on apps). This group covers any kind of info the browser stores (credentials, history, cached documents, media, etc.) and activities made via the browser instead of a native app.
- Credentials (Passwords) ('Browser Information' Group) - Well-known passwords or PINs you use to get access to your account (usually worse than tokens because they give full access to your account). This group covers any kind of info the browser stores (credentials, history, cached documents, media, etc.) and activities made via the browser instead of a native app.
- Credentials (Tokens) ('Browser Information' Group) - Different tokens used to get access to your account, except passwords but incl. app or 3rd party tokens, secret keys, etc. (usually give full access to your account). This group covers any kind of info the browser stores (credentials, history, cached documents, media, etc.) and activities made via the browser instead of a native app.
- Account Data ('Social Information' Group) - Basic info about the account like name, list of subaccounts (e.g. financial or other) and some linked data like a phone number. This group covers info grabbed from 3rd party social networks.
- Application Configs ('Application Information' Group) - Different configuration files created by your app, perhaps app permissions. This group covers any kind of info related to the app and app settings, incl. installed apps or installers.
- Stream ('Account Information' Group) - Any kind of social or other stream activity incl. posts, walls, etc. This group covers any info related to profiles, basic credential IDs like email, username or phone number, plus some more info depending on the application.
- URLs ('Media Information' Group) - Different types of URLs referring to your files stored in clouds, profiles, social accounts, media files available online, etc. This group covers a lot of data like photo, image, video, audio.
- Messages ('Social Information' Group) - Different types of messages and conversations, except SMS and MMS but incl. recipient & sender IDs and attachments. This group covers info grabbed from 3rd party social networks.
- Messages ('Message Information' Group) - Different types of messages and conversations, except SMS and MMS but incl. recipient & sender IDs and attachments. This group covers all types of messages, incl. SMS, MMS, social & IM messages with or without attachments.
- Contact Short Profile ('Message Information' Group) - Name, Email ID, Phone number of contacts. This group covers all types of messages, incl. SMS, MMS, social & IM messages with or without attachments.
- Media URLs ('Message Information' Group) - URLs related to media info such as stream media or profile's media, etc. This group covers all types of messages, incl. SMS, MMS, social & IM messages with or without attachments.
- Media URLs ('Address Book 'n' Contact Information' Group) - URLs related to media info such as stream media or profile's media, etc. This group covers info stored locally, cached or transferred over the network and belonging to this application, even if it's social.
- Contact Profile ('Address Book 'n' Contact Information' Group) - Full info about contacts incl. name, email ID, phone numbers, gender, linked accounts, geo data, stream and social activity. This group covers info stored locally, cached or transferred over the network and belonging to this application, even if it's social.
- Device Data ('Device Information' Group) - Owner Device ID, Owner Device Name, Owner Device OS Name and Version. This group covers details about your device.
- Environment ('Device Information' Group) - Different info about the environment of your device incl. apps lists, device info, OS name and versions, updates, list of users, network details, etc. This group covers details about your device.
- Log Data ('Log Information' Group) - Any data logged as a single file or in multiple parts. This group covers any information stored in local or network logs.
- Account Details ('Account Information' Group) - Full info about your account incl. account membership, expiration, profile, linked data and accounts, etc. This group covers any info related to profiles, basic credential IDs like email, username or phone number, plus some more info depending on the application.
- Tracked Data 'n' Favourites ('Account Information' Group) - Any kind of favourites data or tracked data marked as desirable by users and for users (e.g. whether the user is on FB Messenger, Viber, a bank client, or a favourite hotel, room type, flight route, airline). This group covers any info related to profiles, basic credential IDs like email, username or phone number, plus some more info depending on the application.
- Personalization ('Personal 'n' Private Information' Group) - Info describing user preferences, favourites, tracked data, search requests, suggestions, etc. This group covers any kind of personal and private info not grabbed from 3rd party social networks or your IDs.
- Media Data ('Location 'n' Maps Information' Group) - Any kind of info like images, audios, videos, media notes, etc. This group covers any type of geo data from trackers, social networks, GPS, etc.
- Meta ('Location 'n' Maps Information' Group) - Any info that gives extra data like EXIF. This group covers any type of geo data from trackers, social networks, GPS, etc.
Items #2, with an average value of 2.00 points (4 points of system protection, 0 points of own protection), have the following data protection level definitions. Frankly speaking, these are developer and vendor mistakes, and no user action is required. In the system protection case, the system informs the user if a fake certificate is imported into the device; in the own protection case, the data is transferred as is: perhaps the protection mode is turned off or doesn't exist, or the info is revealed anyway.
- Media Data ('Media Information' Group) - Any kind of info like images, audios, videos, media notes, etc. This group covers a lot of data like photo, image, video, audio.
- Media Data ('Account Information' Group) - Any kind of info like images, audios, videos, media notes, etc. This group covers any info related to profiles, basic credential IDs like email, username or phone number, plus some more info depending on the application.
- Media Stream ('Address Book 'n' Contact Information' Group) - Any kind of info like images, audios, videos, media notes, etc. This group covers info stored locally, cached or transferred over the network and belonging to this application, even if it's social.
- Media Stream ('Account Information' Group) - Any kind of info like images, audios, videos, media notes, etc. This group covers any info related to profiles, basic credential IDs like email, username or phone number, plus some more info depending on the application.
- Media Data ('Message Information' Group) - Any kind of info like images, audios, videos, media notes, etc. This group covers all types of messages, incl. SMS, MMS, social & IM messages with or without attachments.
- Tracked Data 'n' Favourites ('Media Information' Group) - Any kind of favourites data or tracked data marked as desirable by users and for users (e.g. whether the user is on FB Messenger, Viber, a bank client, or a favourite hotel, room type, flight route, airline). This group covers a lot of data like photo, image, video, audio.
Keep in mind that if you're using an outdated iOS < 9.0, the system level equals 2 points instead of 4. It means your data can be stolen without any action on your part.
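The DAR and DIT averages quoted above can be reproduced from the per-item points. The Python below is an added example, not the author's tooling: the item counts are tallied from the two Items #1 / Items #2 lists, while the `Device` type, the function names, the default iOS version and the rule that the lowest applicable system level wins are assumptions of this example.

```python
from dataclasses import dataclass

# Own-protection points the page assigns to each kind of finding.
DAR_OWN = {"not_in_backup": 8, "stored_as_is": 0}
DIT_OWN = {"no_cert_path_check": 4, "plaintext": 0}

# Item counts tallied from the page's lists (Items #1 / Items #2).
DAR_ITEMS = {"not_in_backup": 7, "stored_as_is": 5}
DIT_ITEMS = {"no_cert_path_check": 24, "plaintext": 6}


@dataclass(frozen=True)
class Device:
    """Hypothetical device descriptor; default is assumed: stock, up-to-date iOS."""
    ios: tuple = (9, 3)
    jailbroken: bool = False


def dar_system_points(device, itunes_shareable=False):
    """System protection for data at rest, following the page's caveats.

    Assumption: when several caveats apply, the lowest level wins.
    """
    levels = [7]                      # non-jailbroken, current iOS
    if itunes_shareable:
        levels.append(4)              # data exposed through iTunes sharing
    if device.ios < (8, 3):
        levels.append(2)              # outdated iOS
    if device.jailbroken:
        levels.append(0)
    return min(levels)


def dit_system_points(device):
    """System protection for data in transit: 4 points, or 2 on iOS < 9.0."""
    return 2 if device.ios < (9, 0) else 4


def summarize(counts, own_table, system_points):
    """Return (average own protection, overall average), rounded to 2 places."""
    total = sum(counts.values())
    own = sum(own_table[finding] * n for finding, n in counts.items()) / total
    return round(own, 2), round((system_points + own) / 2, 2)


def dar_report(device=Device()):
    return summarize(DAR_ITEMS, DAR_OWN, dar_system_points(device))


def dit_report(device=Device(), items=DIT_ITEMS):
    return summarize(items, DIT_OWN, dit_system_points(device))


def dit_if_media_used_tls():
    """What-if: the six plaintext media items move to HTTPS (still unpinned)."""
    return dit_report(items={"no_cert_path_check": 30, "plaintext": 0})


if __name__ == "__main__":
    print("DAR (own, avg):", dar_report())                          # page: 4.67 / 5.83
    print("DIT (own, avg):", dit_report())                          # page: 3.20 / 3.60
    print("DAR, jailbroken:", dar_report(Device(jailbroken=True)))
    print("DIT, iOS 8.4:", dit_report(Device(ios=(8, 4))))
    print("DIT, media over HTTPS:", dit_if_media_used_tls())
```

The what-if case shows that moving the six plaintext media items to HTTPS alone would bring the DIT average up to the typical 4 points.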
Below you will find two infographics summarizing what we described above.
The first picture shows the data items combined into groups and the best-protected items found.

The second picture shows the data items separately from their groups and the worst-protected items found.

Privacy Policy
The full application privacy policy is available here.
1. INFORMATION WE COLLECT
We collect the following types of information.
Information you provide us directly:
The developers provide customers with a detailed privacy policy, so we can easily compare the mentioned data items with the ones we found.
* Your username, password and e-mail address when you register for an Instagram account.
* Profile information that you provide for your user profile (e.g., first and last name, picture, phone number). This information allows us to help you or others be "found" on Instagram.
* User Content (e.g., photos, comments, and other materials) that you post to the Service.
Credentials information (i.e. username, password, email address, and the token that replaces the password after first use): all these items belong to the 'Items #1' category mentioned above and are assigned the level of 4 points (av. 4 points, 4 of system and 4 of own). This level is less than a medium protection level. It means the data can be stolen, but that requires the user to perform some actions. As for the same credentials data when signing in and signing up via another social network, and the linked access permissions the application gets after receiving a token, you should understand that such actions are usually performed in a browser or by calling installed apps. If the calls happen via a browser, the data protection level is assumed to be av. 4 points (4 system and 4 own). Depending on the browser, it may prompt the user to install non-trusted certificates to perform the action (typical case, 4 points of own protection), it may auto-accept or ignore any certificates without prompting (2 points of own protection), or it may prevent using (6 points of own protection) or installing (7 points of own protection) non-trusted certificates. Browsers may implement their own crypto, so the level may rise to as much as 8 points of own protection. In any case, we assumed the typical case with the preinstalled default OS browser. Another case is when an installed third-party application is called instead of the browser. Here we assume the same level of own protection. For example, if an app provides 5+ points of own protection, then the 'Browser Information' group has the level of 5+ points when the user is signing in/up via another social network.
Profile information items except the picture are protected at the level of av. 4 points, while the picture, like other media data, isn't protected at all. User media content as part of the stream isn't protected at all, while the rest of the stream content, such as messages or media URLs pointing to non-protected photos found transferred over the network, is protected at the level of av. 4 points.
It's funny that 2 years ago Instagram promised to fix it. Instagram said it's moving to encrypted communications for its images by moving to HTTPS, the secure version of the standard used to transfer Web data over the Internet. "We're doing the technical work that's necessary to add HTTPS protection across the remaining parts of the Instagram app, while still ensuring stability and performance," the company said in a statement. "We'll keep the Instagram community updated on our progress."
Credential IDs and the access permission settings of the alternative social network used to log in were found stored locally in the backup and are assigned a less-than-medium protection level of av. 3.5 points.
Finding your friends on Instagram:
* If you choose, you can use our "Find friends" feature to locate other people with Instagram accounts either through (i) your contacts list, (ii) third-party social media sites or (iii) through a search of names and usernames on Instagram.
* If you choose to find your friends through (i) your device's contacts list, then Instagram will access your contacts list to determine whether or not someone associated with your contact is using Instagram.
* If you choose to find your friends through a (ii) third-party social media site, then you will be prompted to set up a link to the third-party service and you understand that any information that such service may provide to us will be governed by this Privacy Policy.
* If you choose to find your friends (iii) through a search of names or usernames on Instagram then simply type a name to search and we will perform a search on our Service.
* Note about "Invite Friends" feature: If you choose to invite someone to the Service through our "Invite friends" feature, you may select a person directly from the contacts list on your device and send a text or email from your personal account. You understand and agree that you are responsible for any charges that apply to communications sent from your device, and because this invitation is coming directly from your personal account, Instagram does not have access to or control this communication.
'Address Book 'n' Contact Information' data items cover profile information, media data, media URLs and stream activities, and are protected in the same way as we described above. Non-media content is protected at the level of av. 4 points, while media content is protected at the level of av. 2 points because of 0 points of own protection.
Contact information and media URLs were found stored locally in the backup and are assigned a less-than-medium protection level of av. 3.5 points. Media data was found outside the backup, which requires rooting the device.
Analytics information:
* We use third-party analytics tools to help us measure traffic and usage trends for the Service. These tools collect information sent by your device or our Service, including the web pages you visit, add-ons, and other information that assists us in improving the Service. We collect and use this analytics information with analytics information from other Users so that it cannot reasonably be used to identify any particular individual User.
We didn't find any analytics data items stored locally or transferred over the network, but we hope to catch them next time.
Log file information:
* Log file information is automatically reported by your browser each time you make a request to access (i.e., visit) a web page or app. It can also be provided when the content of the webpage or app is downloaded to your browser or device.
* When you use our Service, our servers automatically record certain log file information, including your web request, Internet Protocol ("IP") address, browser type, referring / exit pages and URLs, number of clicks and how you interact with links on the Service, domain names, landing pages, pages viewed, and other such information. We may also collect similar information from emails sent to our Users which then help us track which emails are opened and which links are clicked by recipients. The information allows for more accurate reporting and improvement of the Service.
Locally stored log data items include common (app-internal) log activities plus information about contacts, device and environment, plus media URLs. Usually they look like synchronization logs. The level assigned to these data items is av. 7.5 points.
Device identifiers:
* When you use a mobile device like a tablet or phone to access our Service, we may access, collect, monitor, store on your device, and/or remotely store one or more "device identifiers." Device identifiers are small data files or similar data structures stored on or associated with your mobile device, which uniquely identify your mobile device. A device identifier may be data stored in connection with the device hardware, data stored in connection with the device's operating system or other software, or data sent to the device by Instagram.
* A device identifier may deliver information to us or to a third party partner about how you browse and use the Service and may help us or others provide reports or personalized content and ads. Some features of the Service may not function properly if use or availability of device identifiers is impaired or disabled.
We found basic device data such as OS, version and device model name, as well as environment information that may describe various device characteristics like screen size, network information, etc.
Metadata:
* Metadata is usually technical data that is associated with User Content. For example, Metadata can describe how, when and by whom a piece of User Content was collected and how that content is formatted.
* Users can add or may have Metadata added to their User Content including a hashtag (e.g., to mark keywords when you post a photo), geotag (e.g., to mark your location to a photo), comments or other data. This makes your User Content more searchable by others and more interactive. If you geotag your photo or tag your photo using other's APIs then, your latitude and longitude will be stored with the photo and searchable (e.g., through a location or map feature) if your photo is made public by you in accordance with your privacy settings.
We confirm this: geo information was found indirectly as metadata, and we also found all photos bound to cities and countries, as shown in the screenshot below.

What is missing from the policy is Application Configuration information, as internal information, and the personalization of your search requests and bound activities. It is protected in the same way as described above: non-media data is better protected than media, which is transferred in plaintext.