Messenger (Android / Google Play) on Jun 28, 2016
- privacymeteronline
- Jun 28, 2016
- 11 min read

Our examination found 27 items in total: 10 DAR items and 17 DIT items. Among the DAR items, 0 best-protected items were found; among the DIT items, 12 best-protected items were found. Likewise, 0 worst-protected items and 12 worst-protected items were found.
This application is available for Android here. Unlike the Full Facebook App, this social app is designed only to keep people in touch via messaging and calling. The latest build was released on June 27, 2016. Let's cite the description of this application below:
-------------------------------------------
Instantly reach the people in your life—for free. Messenger is just like texting, but you don't have to pay for every message (it works with your data plan).
Not just for Facebook friends: Message people in your phone book and just enter a phone number to add a new contact.
Group chats: Create groups for the people you message most. Name them, set group photos and keep them all in one place.
Photos and videos: Shoot videos and snap selfies or other photos right from the app and send them with one tap.
Chat heads: Keep the conversation going while you use other apps.
Free calls: Talk as long as you want, even with people in other countries. (Calls are free over Wi-Fi. Otherwise, standard data charges apply.)
Even more ways to message: Bring your conversations to life with stickers. Preview your gallery photos and videos without leaving the conversation--then choose the perfect ones to send. Record voice messages when you have more to say.
Extra features: Know when people have seen your messages. Forward messages or photos to people who weren't in the conversation. Search for people and groups to quickly get back to them. Turn on location to let people know when you're nearby. See who's available on Messenger and who's active on Facebook. Create shortcuts to get to any conversation right from your home screen. Turn off notifications when you're working, sleeping or just need a break. Stay logged in so you never miss a message.
-------------------------------------------
Protection levels.
Locally stored data (Data-at-Rest, DAR). Locally stored data groups include Address Book 'n' Contact Information, Credentials Information, Account Information, Location 'n' Maps Information, Device Information and Application Information. The average DAR value is 3.50 points (7.00 points of system protection and 0.00 points of own protection). This equals the typical value (3.5 points: 7 points of system protection and 0 points of own protection).
The full list of data items found in this app, with protection levels and short descriptions, is below:
Items with an average value of 3.50 points (7 points of system protection, 0 points of own protection) have the following protection-level definitions. Frankly speaking, extra data was found that should not be accessible; for system protection, root/jailbreak is required but is not possible without wiping device data; for own protection, the data is stored as is.
- Media Data ('Address Book 'n' Contact Information' Group) - Any kind of info like images, audio, video, media notes, etc. This group covers info stored locally, cached or transferred over the network that belongs to this application, even if it is social.
- Credentials (IDs) ('Credentials Information' Group) - Only account IDs such as app or 3rd-party user IDs, incl. emails, phone numbers, usernames, etc. (depends on the app). This group covers any type of credentials, incl. basic (IDs only), passwords, tokens, etc.
- Account Data ('Account Information' Group) - Basic info about the account, such as name, list of sub-accounts (e.g. financial or other) and some linked data such as a phone number. This group covers any info related to profiles, basic credential IDs such as email, username or phone number, plus more depending on the application.
- Media Data ('Account Information' Group) - Any kind of info like images, audio, video, media notes, etc. This group covers any info related to profiles, basic credential IDs such as email, username or phone number, plus more depending on the application.
- GEO Data ('Location 'n' Maps Information' Group) - Any kind of GEO info stored as plain text referring to places or tracked activity. This group covers any type of GEO data from trackers, social networks, GPS, etc.
- Address Data ('Location 'n' Maps Information' Group) - Home, work or another type of owner address stored by apps. This group covers any type of GEO data from trackers, social networks, GPS, etc.
- Place Details ('Location 'n' Maps Information' Group) - Any info about a public place (city, country, address, contacts) stored in text or media file format. This group covers any type of GEO data from trackers, social networks, GPS, etc.
- Media URLs ('Location 'n' Maps Information' Group) - URLs related to media info, such as stream media or profile media. This group covers any type of GEO data from trackers, social networks, GPS, etc.
- Device Data ('Device Information' Group) - Owner Device ID, Owner Device Name, Owner Device OS Name and Version. This group covers details about your device.
- Application Configs ('Application Information' Group) - Different configuration files created by the app, perhaps app permissions. This group covers any kind of info related to the app and its settings, incl. installed apps or installers.
Keep in mind that on some Android devices, such as Samsung or LG models that can be rooted without user action, the system level equals 0 points instead of 7. This means your data can be stolen without any action on your part.
Transferred data (Data-in-Transit, DIT). Transferred data groups include Address Book 'n' Contact Information, Call Information, Account Information, Application Information, Message Information, Browser Information and Credentials Information. The average DIT value is 4.35 points (4.00 points of system protection and 4.71 points of own protection). This is higher than the typical value (4 points: 4 points of system protection and 4 points of own protection).
The full list of data items found in this app, with protection levels and short descriptions, is below:
Items #1, with an average value of 2.00 points (4 points of system protection, 0 points of own protection), have the following protection-level definitions. Frankly speaking, these are developer and vendor mistakes that require no user action; for system protection, the system informs the user if a fake certificate is imported into the device; for own protection, data is transferred as is, perhaps because protection mode is turned off, does not exist, or the info is revealed anyway.
- Media Data ('Address Book 'n' Contact Information' Group) - Any kind of info like images, audio, video, media notes, etc. This group covers info stored locally, cached or transferred over the network that belongs to this application, even if it is social.
- Preview ('Browser Information' Group) - Pieces of info downloaded locally or shown only on the display, such as previews of emails, social posts, etc. This group covers any kind of info the browser stores (credentials, history, cached documents, media, etc.) and activities made via the browser instead of the native app.
- Stream ('Browser Information' Group) - Any kind of social or other stream activity, incl. posts, walls, etc. This group covers any kind of info the browser stores (credentials, history, cached documents, media, etc.) and activities made via the browser instead of the native app.
Items #2, with an average value of 5.00 points (4 points of system protection, 6 points of own protection), have the following protection-level definitions. Frankly speaking, the data is not available all the time or is only partially accessible; for system protection, the system informs the user if a fake certificate is imported into the device; for own protection, SSL pinning is used (it can be patched).
- Contact Short Profile ('Call Information' Group) - Name, Email ID and phone number of contacts. This group covers any kind of call info stored, cached or transferred in plain text or media files.
- Account Data ('Account Information' Group) - Basic info about the account, such as name, list of sub-accounts (e.g. financial or other) and some linked data such as a phone number. This group covers any info related to profiles, basic credential IDs such as email, username or phone number, plus more depending on the application.
- Media Data ('Account Information' Group) - Any kind of info like images, audio, video, media notes, etc. This group covers any info related to profiles, basic credential IDs such as email, username or phone number, plus more depending on the application.
- Application Configs ('Application Information' Group) - Different configuration files created by the app, perhaps app permissions. This group covers any kind of info related to the app and its settings, incl. installed apps or installers.
- Messages ('Message Information' Group) - Different types of messages and conversations, except SMS and MMS, but incl. recipient & sender IDs and attachments. This group covers all types of messages, incl. SMS, MMS, social & IM messages, with or without attachments.
- Call History ('Message Information' Group) - Info about calls you made, such as phone number, name, date and time, and type of call (missed, placed, outgoing, etc.). This group covers all types of messages, incl. SMS, MMS, social & IM messages, with or without attachments.
- Media Data ('Message Information' Group) - Any kind of info like images, audio, video, media notes, etc. This group covers all types of messages, incl. SMS, MMS, social & IM messages, with or without attachments.
- Call History ('Call Information' Group) - Info about calls you made, such as phone number, name, date and time, and type of call (missed, placed, outgoing, etc.). This group covers any kind of call info stored, cached or transferred in plain text or media files.
- Media Data ('Call Information' Group) - Any kind of info like images, audio, video, media notes, etc. This group covers any kind of call info stored, cached or transferred in plain text or media files.
- Credentials (IDs) ('Credentials Information' Group) - Only account IDs such as app or 3rd-party user IDs, incl. emails, phone numbers, usernames, etc. (depends on the app). This group covers any type of credentials, incl. basic (IDs only), passwords, tokens, etc.
- Credentials (Passwords) ('Credentials Information' Group) - Well-known passwords or PINs you use to get access to your account (usually worse than tokens, because they give full access to your account). This group covers any type of credentials, incl. basic (IDs only), passwords, tokens, etc.
- Credentials (Activation IDs) ('Credentials Information' Group) - Two-factor activation codes received in messages. This group covers any type of credentials, incl. basic (IDs only), passwords, tokens, etc.
Items #3, with an average value of 4.00 points (4 points of system protection, 4 points of own protection), have the following protection-level definitions. Frankly speaking, the data is available only if allowed and may require user action; for system protection, the system informs the user if a fake certificate is imported into the device; for own protection, it can be bypassed by fake/stolen root certificates (the certificate path is not checked).
- GEO Data ('Message Information' Group) - Any kind of GEO info stored as plain text referring to places or tracked activity. This group covers all types of messages, incl. SMS, MMS, social & IM messages, with or without attachments.
- GEO Snapshots ('Message Information' Group) - Image-based snapshots of GEO info referring to places. This group covers all types of messages, incl. SMS, MMS, social & IM messages, with or without attachments.
Keep in mind that if you are using an outdated Android version (< 5.0), the system level equals 2 points instead of 4. This means your data can be stolen without any action on your part.
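As an added example that is not part of the original report or the site's own tooling, the following Python reconstructs how the DAR and DIT averages above come out of the item lists and applies the two device caveats (rootable device, Android < 5.0). The assumption that an item's value is the mean of its system and own points is inferred from the figures stated in the report, not documented by the site.

```python
# Added example: reconstructs the report's DAR/DIT scoring from the item
# lists and point values it states. Assumption: an item's value is the mean
# of its system and own protection points; a group average is the mean over
# its items.
from statistics import mean

# Data-at-Rest items as listed: (name, system points, own points)
DAR_ITEMS = [(n, 7, 0) for n in (
    "Media Data (Address Book)", "Credentials (IDs)", "Account Data",
    "Media Data (Account)", "GEO Data", "Address Data", "Place Details",
    "Media URLs", "Device Data", "Application Configs")]

# Data-in-Transit items: Items #1 (4/0), Items #2 (4/6), Items #3 (4/4)
DIT_ITEMS = (
    [(n, 4, 0) for n in ("Media Data (Address Book)", "Preview", "Stream")]
    + [(n, 4, 6) for n in (
        "Contact Short Profile", "Account Data", "Media Data (Account)",
        "Application Configs", "Messages", "Call History (Message)",
        "Media Data (Message)", "Call History (Call)", "Media Data (Call)",
        "Credentials (IDs)", "Credentials (Passwords)",
        "Credentials (Activation IDs)")]
    + [(n, 4, 4) for n in ("GEO Data", "GEO Snapshots")]
)


def summarize(items, system_override=None):
    """Return (average value, average system, average own), rounded to 2 dp.

    system_override replaces every item's system points to model the report's
    device caveats: a rootable device scores 0 instead of 7 for DAR, and
    Android < 5.0 scores 2 instead of 4 for DIT.
    """
    sys_pts = [system_override if system_override is not None else s
               for _, s, _ in items]
    own_pts = [o for _, _, o in items]
    values = [(s + o) / 2 for s, o in zip(sys_pts, own_pts)]
    return (round(mean(values), 2),
            round(mean(sys_pts), 2),
            round(mean(own_pts), 2))


def plaintext_items(items, threshold=2.0):
    """Names of items whose value is at or below the 'transferred as is' level."""
    return [n for n, s, o in items if (s + o) / 2 <= threshold]


if __name__ == "__main__":
    print("DAR", summarize(DAR_ITEMS), "rootable device:", summarize(DAR_ITEMS, 0))
    print("DIT", summarize(DIT_ITEMS), "Android < 5.0:", summarize(DIT_ITEMS, 2))
    print("DIT items sent in plaintext:", plaintext_items(DIT_ITEMS))
```

On an outdated Android the DIT average drops from 4.35 to 3.35 even though the app's own protection is unchanged, which is the point of the caveat above.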
Below you will find two infographics summarizing what we described above.
The first picture shows the data items combined into groups and the best-protected items found.

The second picture shows the data items separately from their groups and the worst-protected items found.

Privacy Policy
The full application privacy policy is available here.
The developers wrote a detailed privacy policy, so let's examine it and compare it with our findings. In the case of the Facebook Messenger app we found less information than for the Full Facebook App.
Things you do and information you provide. We collect the content and other information you provide when you use our Services, including when you sign up for an account, create or share, and message or communicate with others. This can include information in or about the content you provide, such as the location of a photo or the date a file was created. We also collect information about how you use our Services, such as the types of content you view or engage with or the frequency and duration of your activities.
Things others do and information they provide. We also collect content and information that other people provide when they use our Services, including information about you, such as when they share a photo of you, send a message to you, or upload, sync or import your contact information.
All of these data items are part of a large information set that includes stream, message, address book, GEO & location, media data, call items, calendar items, etc. As network items, all of these data items are well protected (own protection is 6 points, av. 5), unless we are talking about previews and HTTP links as part of the stream or messages: that information is not protected (plaintext, in other words). GEO data, however, still requires an installed certificate to decrypt the traffic, so it is assigned to the level of av. 4 points (4 system, 4 own). Everything mentioned here, except media data linked to your contacts from the address book, was found in the backup file, so we assigned 7 points to the media data and av. 3.5 to the rest of the information. Also, application screenshots are outside the backup file only in the iOS case.
Your networks and connections. We collect information about the people and groups you are connected to and how you interact with them, such as the people you communicate with the most or the groups you like to share with. We also collect contact information you provide if you upload, sync or import this information (such as an address book) from a device.
Basically this is about address book and contact information, which is well protected (own protection level equals 6 points, av. 5). Unlike in the full Facebook application, we did not find a 'settings section' that is poorly protected. As a reminder, in the Full Facebook App you might be surprised to learn that the application provides a way to reveal your friends' info via the app settings. When you go to the settings menu to assign or review the friends who are your security saviors in case you cannot log in, that is the moment when data about your friends can be stolen, including which of them have become your security saviors. So, for the Full Facebook App we assigned only 4 points to these data items.
Information about payments. If you use our Services for purchases or financial transactions (like when you buy something on Facebook, make a purchase in a game, or make a donation), we collect information about the purchase or transaction. This includes your payment information, such as your credit or debit card number and other card information, and other account and authentication information, as well as billing, shipping and contact details.
This section does not apply to the Messenger application (only to the Full Facebook App).
Device information. We collect information from or about the computers, phones, or other devices where you install or access our Services, depending on the permissions you’ve granted. We may associate the information we collect from your different devices, which helps us provide consistent Services across your devices. Here are some examples of the device information we collect:
- Attributes such as the operating system, hardware version, device settings, file and software names and types, battery and signal strength, and device identifiers.
- Device locations, including specific geographic locations, such as through GPS, Bluetooth, or WiFi signals.
- Connection information such as the name of your mobile operator or ISP, browser type, language and time zone, mobile phone number and IP address.
We found less of this information than in the Full Facebook App and assigned it to the group below:
- Device Data ('Analytics 'n' Ads Information' Group) - All such data types, when transmitted over the network, are well protected (SSL pinning, HSTS; own protection level equals 6 points, av. 5), and when stored locally are strongly protected (not stored in the backup and requiring jailbreak; own protection level equals 7 points).