Facebook 58.0 (iOS / App Store) on Jun 24, 2016
- privacymeteronline
- Jun 24, 2016
- 16 min read

One more application we're going to examine today. This application is available for iOS here. This social app is designed to help people keep in touch and exchange news, messages, media and so on. The latest build was released on Jun 24, 2016. Let's cite the description of this application below:
-------------------------------------------
Keeping up with friends is faster than ever.
• See what friends are up to
• Share updates, photos and video
• Get notified when friends like and comment on your posts
• Watch and interact with live video
• Play games and use your favorite apps
Read our Data Use Policy, Terms and other important info in the legal section of our App Store description.
Continued use of GPS running in the background can dramatically decrease battery life. Facebook doesn't run GPS in the background unless you give us permission by turning on optional features that require this.
-------------------------------------------
Protection levels.
Locally stored data (Data-at-Rest, DAR). The locally stored data groups include Application Information, Device Information, Credentials Information, Account Information, Media Information, Social Information, Analytics 'n' Ads Information, Address Book 'n' Contact Information and Events Information. The average DAR value is 3.92 points (7.00 points of system protection and 0.84 points of own protection). It is higher than the typical value (3.5 points, made up of 7 points of system protection and 0 points of own protection).
The full list of data items found in this app, with protection levels and a short description, is below:
Items #1, average value 3.50 points (7 points of system protection, 0 points of own protection). At this level, extra data was found that shouldn't be accessible: for system protection, root/jailbreak is required but not possible without wiping device data; for own protection, the data is stored as is.
- Application Configs ('Application Information' Group) - Different configuration files created by the app, perhaps including app permissions.
- Network Details ('Device Information' Group) - Extra info about the network.
- Credentials (IDs) ('Credentials Information' Group) - Only account IDs like app or 3rd party user IDs, incl. emails, phone numbers, usernames, etc. (depends on the app).
- Account Data ('Account Information' Group) - Basic info about the account like name, list of subaccounts (e.g. financial or other) and some linked data like a phone number.
- Session Details ('Credentials Information' Group) - Typical logged session data like connection activity, transferred data, perhaps credential IDs, rarely access IDs, tokens or passwords.
- Application Certificates 'n' Profile ('Application Information' Group) - Configuration files known as certificates and profiles for devices and apps, incl. VPNs.
- URLs ('Account Information' Group) - Different types of URLs referring to your files stored in clouds, profiles, social accounts, media files available online, etc.
- Device Details ('Device Information' Group) - Basic device details plus hardware key and fingerprints as well as IMEI.
- Media Data ('Media Information' Group) - Any kind of info like images, audio, video, media notes, etc.
- Preview ('Social Information' Group) - Pieces of info downloaded locally or only for display, like previews of emails, social posts, etc.
- Contact Profile ('Media Information' Group) - Full info about contacts incl. name, email ID, phone numbers, gender, linked accounts, geo data, stream and social activity.
- Preview ('Media Information' Group) - Pieces of info downloaded locally or only for display, like previews of emails, social posts, etc.
- Stream ('Social Information' Group) - Any kind of social or other stream activity incl. posts, walls, etc.
- Media Data ('Account Information' Group) - Any kind of info like images, audio, video, media notes, etc.
- Device Data ('Analytics 'n' Ads Information' Group) - Owner Device ID, Owner Device Name, Owner Device OS Name and Version.
- Access Permissions ('Social Information' Group) - List of permissions linked to the access token used to get access to some features of the service.
- Media Data ('Social Information' Group) - Any kind of info like images, audio, video, media notes, etc.
- Bookmark Data ('Social Information' Group) - Some info about bookmarks like date, time and body.
- Contact Profile ('Address Book 'n' Contact Information' Group) - Full info about contacts incl. name, email ID, phone numbers, gender, linked accounts, geo data, stream and social activity.
- Tracked Data 'n' Favourites ('Address Book 'n' Contact Information' Group) - Any kind of favourites or tracked data marked as desirable by users and for users (e.g. whether a user is on FB Messenger, Viber or a bank client, or a favourite hotel, room type, flight route, airline).
- Calendar Events ('Events Information' Group) - Some info about calendar events like date, time and calendar body.
- Calendar Details ('Events Information' Group) - Details of calendar events like date and time, timezone, place, participant info, calendar body, notes, attachments, etc.
Items #2, average value 7.00 points (7 points of system protection, 7 points of own protection). At this level the data is compliant, but there are publicly known techniques to access it: for system protection, root/jailbreak is required but not possible without wiping device data; for own protection, the data is not available in backups.
- Screen Snapshots ('Media Information' Group) - Screenshots of your device screen while running certain apps (available by default on iOS devices, but also produced by any 3rd party apps that have such features).
- Account Details ('Account Information' Group) - Full info about your account incl. account membership, expiration, profile, linked data and accounts, etc.
The groups referred to above cover the following kinds of data:
- Application Information - any kind of info related to the app and app settings, incl. installed apps or installers.
- Device Information - details about your device.
- Credentials Information - any type of credentials, incl. basic ones (IDs only), passwords, tokens, etc.
- Account Information - any info related to profiles, basic credential IDs like email, username or phone number, plus some more info depending on the application.
- Media Information - lots of data like photos, images, video, audio.
- Social Information - info grabbed from 3rd party social networks.
- Analytics 'n' Ads Information - any kind of info related to analytics services like Flurry, Google Analytics, etc. or advertisements.
- Address Book 'n' Contact Information - info stored locally, cached or transferred over the network that belongs to this application (even if it's a social app).
- Events Information - any type of events with details about the event.
Also, keep in mind that on a jailbroken device the system protection level is 0 points, and on an out-of-date iOS (< 8.3) it is 2 points. If some data is marked as shareable via iTunes, the system protection level is 4 points.
Transferred data (Data-in-Transit, DIT). The transferred data groups include Application Information, Credentials Information, Address Book 'n' Contact Information, Social Information, Location 'n' Maps Information, Events Information, Media Information, Account Information, Device Information, Browser Information and Analytics 'n' Ads Information. The average DIT value is 4.68 points (4.00 points of system protection and 5.35 points of own protection). It is higher than the typical value (4 points, made up of 4 points of system protection and 4 points of own protection).
The full list of data items found in this app, with protection levels and a short description, is below:
Items #1, average value 4.00 points (4 points of system protection, 4 points of own protection). At this level the data is available only if allowed and may require user action: for system protection, the system informs the user if a fake certificate is imported into the device; for own protection, it can be bypassed with fake/stolen root certificates (the certificate path is not checked).
- Log Data ('Application Information' Group) - Any data logged as a single file or in multiple parts.
- Credentials (Passwords) ('Application Information' Group) - Well-known passwords or PINs you use to get access to your account (usually worse than tokens because they give full access to your account).
- Credentials (App Passwords) ('Application Information' Group) - App-based passwords or PINs you use to get access to some features of the service for your account, in some apps, while two-factor authentication is turned on (usually they can't be used to access your account itself).
- Transaction History ('Application Information' Group) - Some info about transactions made, like ID, date and time, and payment amount.
- Contact Short Profile ('Application Information' Group) - Name, email ID, phone number of contacts.
- Credentials (IDs) ('Application Information' Group) - Only account IDs like app or 3rd party user IDs, incl. emails, phone numbers, usernames, etc. (depends on the app).
- Card Full Information ('Application Information' Group) - All details about a card, including the short info, holder address, bank info and CVC, CVV, CVV2.
- Card Short Information ('Application Information' Group) - Some info about the card holder, card number (full or short) and expiration.
Items #2, average value 5.00 points (4 points of system protection, 6 points of own protection). At this level the data is not available all the time, or only partially accessible: for system protection, the system informs the user if a fake certificate is imported into the device; for own protection, SSL pinning is used (which can be patched).
- Credentials (IDs) ('Credentials Information' Group) - Only account IDs like app or 3rd party user IDs, incl. emails, phone numbers, usernames, etc. (depends on the app).
- Credentials (Passwords) ('Credentials Information' Group) - Well-known passwords or PINs you use to get access to your account (usually worse than tokens because they give full access to your account).
- Credentials (Tokens) ('Credentials Information' Group) - Different tokens used to get access to your account other than passwords, incl. app or 3rd party tokens, secret keys, etc. (usually they give full access to your account).
- Stream ('Address Book 'n' Contact Information' Group) - Any kind of social or other stream activity incl. posts, walls, etc.
- Stream ('Social Information' Group) - Any kind of social or other stream activity incl. posts, walls, etc.
- Contact Profile ('Address Book 'n' Contact Information' Group) - Full info about contacts incl. name, email ID, phone numbers, gender, linked accounts, geo data, stream and social activity.
- GEO Data ('Location 'n' Maps Information' Group) - Any kind of geo info stored as plain text, referring to places or tracked activity.
- Calendar Events ('Events Information' Group) - Some info about calendar events like date, time and calendar body.
- Contact Profile ('Media Information' Group) - Full info about contacts incl. name, email ID, phone numbers, gender, linked accounts, geo data, stream and social activity.
- Media Data ('Account Information' Group) - Any kind of info like images, audio, video, media notes, etc.
- Location History ('Location 'n' Maps Information' Group) - History list of addresses, geo data, etc.
- Device Details ('Device Information' Group) - Basic device details plus hardware key and fingerprints as well as IMEI.
- Network Details ('Device Information' Group) - Extra info about the network.
- Environment ('Device Information' Group) - Different info about the environment of your device incl. app lists, device info, OS name and versions, updates, list of users, network details, etc.
- Contact GEO ('Address Book 'n' Contact Information' Group) - Linked info about the owner's and friends' geo data, stored as plain text or image location snapshots.
- Media Data ('Media Information' Group) - Any kind of info like images, audio, video, media notes, etc.
- Messages ('Social Information' Group) - Different types of messages and conversations other than SMS and MMS, incl. recipient & sender IDs and attachments.
- Place Details ('Location 'n' Maps Information' Group) - Any info about a public place (city, country, address, contacts) stored in text or media file format.
- Address Data ('Location 'n' Maps Information' Group) - Home, work or another type of owner address stored by apps.
- Device Data ('Analytics 'n' Ads Information' Group) - Owner Device ID, Owner Device Name, Owner Device OS Name and Version.
- Access Permissions ('Social Information' Group) - List of permissions linked to the access token used to get access to some features of the service.
- Media Data ('Social Information' Group) - Any kind of info like images, audio, video, media notes, etc.
- Bookmark Data ('Social Information' Group) - Some info about bookmarks like date, time and body.
- Tracked Data 'n' Favourites ('Address Book 'n' Contact Information' Group) - Any kind of favourites or tracked data marked as desirable by users and for users (e.g. whether a user is on FB Messenger, Viber or a bank client, or a favourite hotel, room type, flight route, airline).
- Calendar Details ('Events Information' Group) - Details of calendar events like date and time, timezone, place, participant info, calendar body, notes, attachments, etc.
Items #3, average value 2.00 points (4 points of system protection, 0 points of own protection). At this level the weakness is a developer's or vendor's mistake and no user action is required: for system protection, the system informs the user if a fake certificate is imported into the device; for own protection, the data is transferred as is, perhaps with the protection mode turned off or nonexistent, or the info is revealed anyway.
- Preview ('Browser Information' Group) - Pieces of info downloaded locally or only for display, like previews of emails, social posts, etc.
The groups are defined as in the DAR section above, plus:
- Location 'n' Maps Information - any type of geo data from trackers, social networks, GPS, etc.
- Browser Information - any kind of info the browser stores (credentials, history, cached documents, media, etc.) and activities made via the browser instead of a native app.
Keep in mind that if you're using an out-of-date iOS (< 9.0), the system level equals 2 points instead of 4. It means your data can be stolen without any action on your part.
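The scoring rules used in the two sections above (an item scores the mean of its system and own protection points, a section averages its items, and a jailbreak, an old iOS or iTunes file sharing lowers the system points) are easy to check by recomputing them. The script below is an added example, not Privacy Meter's own tool: the item list is copied from the DIT tables on this page, the own-protection levels are the ones the page assigns (4 = system trust only, 6 = SSL pinning, 0 = plaintext), and rounding to two decimals is an assumption about how the page's figures were produced.

```python
"""Recompute the Privacy Meter DIT/DAR averages described on this page.

Added example, not the reviewer's own code. Item names and levels are
taken from the page; the rounding convention is an assumption.
"""

# DIT items from this page, keyed by the own-protection level the page
# assigns them. A name may appear under more than one group on the page;
# the group is kept in parentheses where that happens.
DIT_ITEMS = {
    4: ["Log Data", "Credentials (Passwords)", "Credentials (App Passwords)",
        "Transaction History", "Contact Short Profile", "Credentials (IDs)",
        "Card Full Information", "Card Short Information"],
    6: ["Credentials (IDs)", "Credentials (Passwords)", "Credentials (Tokens)",
        "Stream (Address Book)", "Stream (Social)",
        "Contact Profile (Address Book)", "GEO Data", "Calendar Events",
        "Contact Profile (Media)", "Media Data (Account)", "Location History",
        "Device Details", "Network Details", "Environment", "Contact GEO",
        "Media Data (Media)", "Messages", "Place Details", "Address Data",
        "Device Data", "Access Permissions", "Media Data (Social)",
        "Bookmark Data", "Tracked Data 'n' Favourites", "Calendar Details"],
    0: ["Preview (Browser)"],
}


def own_average(items_by_level):
    """Mean own-protection points over every item in the section."""
    total = sum(level * len(names) for level, names in items_by_level.items())
    count = sum(len(names) for names in items_by_level.values())
    return total / count


def dit_system_points(ios_version=(9, 3)):
    """System protection for data in transit: 4, or 2 on iOS below 9.0."""
    return 2 if ios_version < (9, 0) else 4


def dar_system_points(jailbroken=False, ios_version=(9, 3),
                      shareable_via_itunes=False):
    """System protection for data at rest, most severe condition first:
    jailbreak -> 0, iOS below 8.3 -> 2, iTunes file sharing -> 4, else 7."""
    if jailbroken:
        return 0
    if ios_version < (8, 3):
        return 2
    if shareable_via_itunes:
        return 4
    return 7


def section_score(system_points, items_by_level):
    """(own average, section average) rounded to two decimals, as on the page."""
    own = own_average(items_by_level)
    return round(own, 2), round((system_points + own) / 2, 2)


def weakest_items(items_by_level, threshold):
    """Items whose own protection is below the threshold: the ones a reviewer
    would call out first, since their security rests on the OS alone."""
    return [name for level, names in items_by_level.items()
            if level < threshold for name in names]


if __name__ == "__main__":
    own, avg = section_score(dit_system_points(), DIT_ITEMS)
    print(f"DIT on current iOS: own {own}, average {avg}")      # 5.35, 4.68
    own, avg = section_score(dit_system_points((8, 4)), DIT_ITEMS)
    print(f"DIT on iOS 8.4:     own {own}, average {avg}")      # 5.35, 3.68
    print("DAR system points on a jailbroken device:",
          dar_system_points(jailbroken=True))                  # 0
    print("Items below the SSL-pinning level:", weakest_items(DIT_ITEMS, 6))
```

Running the script reproduces the page's 5.35 / 4.68 figures for data in transit and shows how the same item list drops to an average of 3.68 on iOS 8.4, which is the concrete meaning of the iOS-version caveat above. The DAR table is deliberately not encoded here, because the own average of 0.84 quoted on the page cannot be derived from the 24 items it lists.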
Below you find two infographics summarizing what we described above.
First pic includes info about data items combined into groups and best protected items found.

Second pic includes info about data items separately from their groups and the worst protected items found.

Privacy Policy
Full application privacy policy is available here.
The developers wrote a detailed privacy policy, so let's examine it and compare it with our findings.
Things you do and information you provide. We collect the content and other information you provide when you use our Services, including when you sign up for an account, create or share, and message or communicate with others. This can include information in or about the content you provide, such as the location of a photo or the date a file was created. We also collect information about how you use our Services, such as the types of content you view or engage with or the frequency and duration of your activities.
Things others do and information they provide. We also collect content and information that other people provide when they use our Services, including information about you, such as when they share a photo of you, send a message to you, or upload, sync or import your contact information.
All of these data items are part of a big information set that includes stream, messages, address book, geo & location, media data, bookmarks, favourite items, calendar items, etc. All these data items are well protected (own protection 6 points, average 5) as network items, unless we're talking about previews and HTTP links as part of a stream or messages: this information isn't protected (plaintext, in other words). Everything mentioned here except account details was found in the backup file, so we assigned 7 points to account details and an average of 3.5 to the rest of the information.
Your networks and connections. We collect information about the people and groups you are connected to and how you interact with them, such as the people you communicate with the most or the groups you like to share with. We also collect contact information you provide if you upload, sync or import this information (such as an address book) from a device.
Basically it's about address book and contact information, which is well protected (own protection level equals 6 points, average 5). However, surprisingly, this application provides a way to reveal your friends' info via the app settings. When you go through the settings menu to assign or review the friends who are your security saviors in case you can't log in, that is the moment when data about your friends can be stolen, including which of them have become your security saviors. So here we assigned only 4 points to these data items.
Information about payments. If you use our Services for purchases or financial transactions (like when you buy something on Facebook, make a purchase in a game, or make a donation), we collect information about the purchase or transaction. This includes your payment information, such as your credit or debit card number and other card information, and other account and authentication information, as well as billing, shipping and contact details.
Unfortunately, these data items appear first in the application settings, which are only medium (average) protected compared with the rest of the application, so key items about your payment method, incl. the card CVV, can be stolen when you link cards.
Device information. We collect information from or about the computers, phones, or other devices where you install or access our Services, depending on the permissions you’ve granted. We may associate the information we collect from your different devices, which helps us provide consistent Services across your devices. Here are some examples of the device information we collect:
* Attributes such as the operating system, hardware version, device settings, file and software names and types, battery and signal strength, and device identifiers.
* Device locations, including specific geographic locations, such as through GPS, Bluetooth, or WiFi signals.
* Connection information such as the name of your mobile operator or ISP, browser type, language and time zone, mobile phone number and IP address.
We found this information and sorted it into the groups below:
- Network Details ('Device Information' Group)
- Device Data ('Analytics 'n' Ads Information' Group)
- Environment ('Device Information' Group)
All of these data types are well protected when transmitted over the network (SSL pinning, HSTS; own protection level equals 6 points, average 5) and strongly protected when stored locally (not stored in backups and jailbreak required; own protection level equals 7 points).
What the developers missed in the Privacy Policy.
Application config data, aka the settings menu, is not mentioned; it is protected on a medium (average) level: 4 points. Credentials are mentioned only indirectly, as part of the section 'information you provide'. Basically, credentials are well protected like the rest of the application; however, the user password is badly protected (average level, 4 points) if you change it through the settings menu in the mobile application. This way an intruder can steal it.