Important Update. Raw App vs. Environmental Findings

  • Author: privacymeteronline
  • Aug 7, 2016

From now on, we are going to post our findings in two ways:

- the so-called 'Raw App' means the clean application level of data protection, without operating system impact

- the so-called 'Env App' means the average of the operating system's level of protection and the application's level.

What does this mean for anyone?

RawApp results show how much effort developers put into protecting customer data, either with their own mechanisms or by implementing those the OS offers. For example, many applications work over HTTPS, so it is very important for the application to know whether it is working with a trusted certificate (the original server certificate). Sometimes an application does not do that properly, but if it does, it means the developer implemented his own validation or used the one the OS offers. Another example: the sandbox, which might be broken by a jailbreak or root, does not belong to the developers. It belongs to the OS (the vendor). So when developers say they rely on the sandbox, they are admitting a lack of protection of their own. However, developers may exclude your app data from backups. This is the developer's own effort and brings more points. When developers send information in plaintext, it means 0 points, because there is no way to protect non-protectable information.

EnvApp results show the average of the developers' and the OS vendors' efforts. Take the sandbox as an example. Google, Apple and other vendors provide customers with this kind of protection, so your application's level of protection may be higher. However, different OSes have different viewpoints on protection. Apple and Google both have a way to inform the user about an untrusted certificate when we talk about data in transit, which equals 4 points, but Google also gives developers a way not to use the system proxy settings and to use the app's own settings or even bypass them. This is 1 more point for Google, and when a developer knows about it and uses it, it brings more points to the RawApp level. The same plaintext example, meaning 0 points, is a case where both the system and own values are 0, because no one can protect plaintext information unless we're on a VPN. Using a VPN shifts trustworthiness to another case that is out of the scope of our research.

Let's compare two screens showing the worst items. The first one is EnvApp, the second is RawApp. Both the circles and the listbox items differ. The DAR level on the circle is higher on the EnvApp screen and lower on the RawApp screen, which means the app received points for the OS sandbox, and you see no worst items among the DAR items, because the average of the system DAR protection (sandbox), 7 points, and the app's own, 0 points, is 3.5 points.

EnvApp

RawApp

Also, keep in mind that using a jailbroken device means the system protection level is 0 points, and if you're using an outdated iOS < 8.3, the system protection level is 2 points. If some data is marked as shareable via iTunes, then the system protection level is 4 points.

Keep in mind that if you're using an outdated iOS < 9.0, the system level equals 2 points instead of 4. It means your data can be stolen without any action on your part.
