
eFax 4.8.0 (iOS / App Store) on Jan 2, 2017 (upd. Jan 4th)


This application is available for iOS here. The app is designed to let customers send, receive, scan and sign faxes from their mobile phones or PCs. The latest build was released on Nov 08, 2016.

Findings Summary

Our examination revealed a total of 31 items: 17 DAR items and 14 DIT items. Among the DAR items were 8 worst items, 6 bad items, 3 good items and 0 best items. Among the DIT items were 0 worst items, 14 bad items, 0 good items and 0 best items.

Below are three infographics summarizing the figures above. Each image covers both DAR and DIT items.

[Infographics: Worst Items, Bad Items, Good Items]

Now let’s go deeper and examine each data item’s protection level.

Application Description

Let’s cite the description of this application below:

Turn your iPhone or iPad into a fax machine.

Fax anywhere and anytime with eFax – the world’s leading Internet Fax service. The app is compatible with any eFax subscription including an eFax Free plan (available with limited pages and only in the USA) or eFax Plus free trial. Send and receive faxes from your iPhone or iPad with ease. Simply upload documents using your email, device or cloud storage (e.g., Google Drive, Box, and Dropbox), or scan documents using your camera interface. Edit your documents if needed, add an optional personalized cover page and then tap send. You can even add an electronic signature with the touch of your finger. eFax will send you a confirmation when your fax is delivered and you’ll get timely alerts each time a new fax is received. The eFax app provides enhanced viewing options that let you navigate easily between documents, create folders, tag faxes and store them conveniently on your device or in the cloud. The search function will help you retrieve faxes quickly. Plus you can print faxes using AirPrint, and forward documents to other recipients by fax or email. eFax supports 20+ file types including PDF, DOC, PPT, JPEG, JPG and more. Put the power of a fax machine on your iOS device. The eFax app is compatible with any eFax® subscription. New users may register for an account in app or through the eFax website. eFax Plus subscription details: Monthly subscription fee of $16.99 (USD) includes 300 inbound/outbound fax pages per month and your choice of a local or toll-free fax number. Subscription fee will be charged through your iTunes account during the purchase confirmation. Auto-renewal may be turned off and subscriptions may be managed in your iTunes account after purchase. Your monthly subscription will automatically renew for $16.99 per month unless your subscription is canceled through the iTunes account and auto-renew is turned off at least 24-hours before the end of the current period. 
Renewed accounts will be charged $16.99 for renewal within 24-hours prior to the end of the current period. No cancellation of the current month is allowed during the active subscription period. Download the eFax® app and start faxing today. We value your feedback. Please send your suggestions to iOS@efax.com

Protection levels.

Locally stored data (Data-at-Rest, DAR).

Locally stored data groups include Credentials Information, Device Information, Account Information, Application Information, Documents Information, Message Information, Location ‘n’ Maps Information, Address Book ‘n’ Contact Information, Media Information and Analytics ‘n’ Ads Information. The average DAR value is 3.32 points (5.59 points of system protection and 1.06 points of own protection). This is less than the typical value (3.5 points: 7 points of system protection and 0 points of own protection).

GROUP #1 items, with an average value of 2.00 points (4 points of system protection, 0 points of own protection), have the following protection-level definitions. In plain terms: these are developer and vendor mistakes, and no user action is required to reach the data. The system protection level means the device is not jailbroken/rooted, but the data is available for sharing if the developer granted it; the own protection level means the data is stored as is.

  • Credentials (IDs) (‘Credentials Information’ Group) – Only account IDs such as app or third-party user IDs, including emails, phone numbers, usernames, etc. (depends on the app). This item belongs to the ‘Credentials Information’ group, which covers any type of credentials: basic (IDs only), passwords, tokens, etc.,

  • Account Data (‘Account Information’ Group) – Basic account info such as name, a list of sub-accounts (e.g. financial or other) and some linked data such as a phone number. This item belongs to the ‘Account Information’ group, which covers any profile-related info: basic credential IDs such as email, username or phone number, plus more depending on the application,

  • Application Configs (‘Application Information’ Group) – Various configuration files created by the app, possibly including app permissions. This item belongs to the ‘Application Information’ group, which covers any app-related info and app settings, including installed apps or installers,

  • Local ‘n’ Network Paths (‘Documents Information’ Group) – Paths to local or network directories, folders and files. This item belongs to the ‘Documents Information’ group, which covers any documents stored locally, uploaded, downloaded or synchronized, in any file format,

  • Messages (‘Message Information’ Group) – Various types of messages and conversations, excluding SMS and MMS but including recipient and sender IDs and attachments. This item belongs to the ‘Message Information’ group, which covers all messages, including SMS, MMS, social and IM messages, with or without attachments,

  • Document Details (‘Message Information’ Group) – Common info about documents synchronized or stored locally (properties such as size, date and time, etc.). This item belongs to the ‘Message Information’ group, which covers all messages, including SMS, MMS, social and IM messages, with or without attachments,

  • Contact Short Profile (‘Address Book ‘n’ Contact Information’ Group) – Name, email ID and phone number of contacts. This item belongs to the ‘Address Book ‘n’ Contact Information’ group, which covers contact info stored locally, cached or transferred over the network and belonging to this application, even a social one,

  • Media Data (‘Message Information’ Group) – Any media such as images, audio, video, media notes, etc. This item belongs to the ‘Message Information’ group, which covers all messages, including SMS, MMS, social and IM messages, with or without attachments

GROUP #2 items, with an average value of 3.50 points (7 points of system protection, 0 points of own protection), have the following protection-level definitions. In plain terms: extra data was found that should not be accessible. The system protection level means root/jailbreak is required, which is not possible without wiping the device data; the own protection level means the data is stored as is.

  • Credentials (Tokens) (‘Credentials Information’ Group) – Various tokens used to access your account, excluding passwords but including app or third-party tokens, secret keys, etc. (these usually give full access to your account). This item belongs to the ‘Credentials Information’ group, which covers any type of credentials: basic (IDs only), passwords, tokens, etc.,

  • Device Data (‘Device Information’ Group) – Device ID, device name, device OS name and version, and jailbroken/rooted status. This item belongs to the ‘Device Information’ group, which covers details about your device,

  • Address Data (‘Location ‘n’ Maps Information’ Group) – Home, work or another type of owner address stored by apps. This item belongs to the ‘Location ‘n’ Maps Information’ group, which covers any geodata from trackers, social networks, GPS, etc.,

  • Device Details (‘Analytics ‘n’ Ads Information’ Group) – Basic device details plus hardware keys and fingerprints as well as the IMEI. This item belongs to the ‘Analytics ‘n’ Ads Information’ group, which covers any info related to analytics services such as Flurry, Google Analytics, etc., or to advertisements,

  • Credentials (Tokens) (‘Analytics ‘n’ Ads Information’ Group) – Various tokens used to access your account, excluding passwords but including app or third-party tokens, secret keys, etc. (these usually give full access to your account). This item belongs to the ‘Analytics ‘n’ Ads Information’ group, which covers any info related to analytics services such as Flurry, Google Analytics, etc., or to advertisements,

  • Credentials (IDs) (‘Analytics ‘n’ Ads Information’ Group) – Only account IDs such as app or third-party user IDs, including emails, phone numbers, usernames, etc. (depends on the app). This item belongs to the ‘Analytics ‘n’ Ads Information’ group, which covers any info related to analytics services such as Flurry, Google Analytics, etc., or to advertisements

GROUP #3 items, with an average value of 6.50 points (7 points of system protection, 6 points of own protection), have the following protection-level definitions. In plain terms: protection and privacy issues are still possible but might require interaction with the app code. The system protection level means root/jailbreak is required, which is not possible without wiping the device data; the own protection level means the data is not available in backups.

  • Screen Snapshots (‘Media Information’ Group) – Screenshots of your device screen taken while running certain apps; common as an iOS app multitasking feature (app switcher previews) or browser tab previews. This item belongs to the ‘Media Information’ group, which covers any data such as photos, images, video or audio,

  • Credentials (Passwords) (‘Credentials Information’ Group) – Passwords or PINs you use to access your account (usually worse than tokens, because they give full access to the account). This item belongs to the ‘Credentials Information’ group, which covers any type of credentials: basic (IDs only), passwords, tokens, etc.,

  • Application Configs (‘Analytics ‘n’ Ads Information’ Group) – Various configuration files created by the app, possibly including app permissions. This item belongs to the ‘Analytics ‘n’ Ads Information’ group, which covers any info related to analytics services such as Flurry, Google Analytics, etc., or to advertisements

Also keep in mind that on a jailbroken device the system protection level is 0 points, and on an out-of-date iOS (< 8.3) the system protection level is 2 points. If some data is marked as shareable via iTunes, the system protection level is 4 points.

Transferred data (Data-in-Transit, DIT).

Transferred data groups include Credentials Information, Device Information, Account Information, Application Information, Documents Information, Message Information, Media Information, Location ‘n’ Maps Information, Address Book ‘n’ Contact Information.

The average DIT value is 4.00 points (4.00 points of system protection and 4.00 points of own protection). It equals the typical value (4 points: 4 points of system protection and 4 points of own protection).

Items with an average value of 4.00 points (4 points of system protection, 4 points of own protection) have the following protection-level definitions. In plain terms: the data is available only if allowed, and reaching it may require user action. The system protection level means the system informs the user when a fake certificate is imported into the device; the own protection level means the protection can be bypassed by fake/stolen root certificates.

  • Credentials (IDs) (‘Credentials Information’ Group) – Only account IDs such as app or third-party user IDs, including emails, phone numbers, usernames, etc. (depends on the app). This item belongs to the ‘Credentials Information’ group, which covers any type of credentials: basic (IDs only), passwords, tokens, etc.,

  • Credentials (Passwords) (‘Credentials Information’ Group) – Passwords or PINs you use to access your account (usually worse than tokens, because they give full access to the account). This item belongs to the ‘Credentials Information’ group, which covers any type of credentials: basic (IDs only), passwords, tokens, etc.,

  • Device Data (‘Device Information’ Group) – Device ID, device name, device OS name and version, and jailbroken/rooted status. This item belongs to the ‘Device Information’ group, which covers details about your device,

  • Account Data (‘Account Information’ Group) – Basic account info such as name, a list of sub-accounts (e.g. financial or other) and some linked data such as a phone number. This item belongs to the ‘Account Information’ group, which covers any profile-related info: basic credential IDs such as email, username or phone number, plus more depending on the application,

  • Application Configs (‘Application Information’ Group) – Various configuration files created by the app, possibly including app permissions. This item belongs to the ‘Application Information’ group, which covers any app-related info and app settings, including installed apps or installers,

  • Local ‘n’ Network Paths (‘Documents Information’ Group) – Paths to local or network directories, folders and files. This item belongs to the ‘Documents Information’ group, which covers any documents stored locally, uploaded, downloaded or synchronized, in any file format,

  • Messages (‘Message Information’ Group) – Various types of messages and conversations, excluding SMS and MMS but including recipient and sender IDs and attachments. This item belongs to the ‘Message Information’ group, which covers all messages, including SMS, MMS, social and IM messages, with or without attachments,

  • Document Details (‘Message Information’ Group) – Common info about documents synchronized or stored locally (properties such as size, date and time, etc.). This item belongs to the ‘Message Information’ group, which covers all messages, including SMS, MMS, social and IM messages, with or without attachments,

  • URLs (‘Message Information’ Group) – Various types of URLs referring to your files stored in clouds, profiles, social accounts, media files available online, etc. This item belongs to the ‘Message Information’ group, which covers all messages, including SMS, MMS, social and IM messages, with or without attachments,

  • URLs (‘Media Information’ Group) – Various types of URLs referring to your files stored in clouds, profiles, social accounts, media files available online, etc. This item belongs to the ‘Media Information’ group, which covers any data such as photos, images, video or audio,

  • Address Data (‘Location ‘n’ Maps Information’ Group) – Home, work or another type of owner address stored by apps. This item belongs to the ‘Location ‘n’ Maps Information’ group, which covers any geodata from trackers, social networks, GPS, etc.,

  • Contact Short Profile (‘Address Book ‘n’ Contact Information’ Group) – Name, email ID and phone number of contacts. This item belongs to the ‘Address Book ‘n’ Contact Information’ group, which covers contact info stored locally, cached or transferred over the network and belonging to this application, even a social one,

  • Credentials (Tokens) (‘Credentials Information’ Group) – Various tokens used to access your account, excluding passwords but including app or third-party tokens, secret keys, etc. (these usually give full access to your account). This item belongs to the ‘Credentials Information’ group, which covers any type of credentials: basic (IDs only), passwords, tokens, etc.,

  • Media Data (‘Message Information’ Group) – Any media such as images, audio, video, media notes, etc. This item belongs to the ‘Message Information’ group, which covers all messages, including SMS, MMS, social and IM messages, with or without attachments

Keep in mind that on an out-of-date iOS (< 9.0) the system level equals 2 points instead of 4. This means your data can be stolen without any action on your part.
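The DAR and DIT sections above give only the resulting averages and the device rules, not the model that produces them. The following added example (ours, not PrivacyMeter’s tooling) reconstructs the scoring from the page’s own item counts and points. It assumes that an item’s value is the mean of its system and own levels and that the report’s averages are plain means over the items; the worst/bad/good/best thresholds are an assumption chosen to reproduce the 8/6/3/0 and 0/14/0/0 counts; and the device rules (jailbreak, iOS < 8.3 for DAR, iOS < 9.0 for DIT) are read as caps on the measured system level. Item names with bracketed suffixes are labels we chose to tell duplicate names apart.

```python
"""Scoring model reconstructed from the eFax report's numbers (added example).

Assumptions (not stated on the page): an item's value is the mean of its
system and own protection levels; report averages are plain means over items;
the classification thresholds reproduce the report's counts; device rules
act as caps on the measured system level.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Item:
    name: str
    system: int   # system protection level, points
    own: int      # app's own protection level, points


def _items(names, system, own):
    return [Item(n, system, own) for n in names]


# DAR items as the report lists them, grouped by their system/own points
DAR_ITEMS = (
    _items(["Credentials (IDs)", "Account Data", "Application Configs",
            "Local 'n' Network Paths", "Messages", "Document Details",
            "Contact Short Profile", "Media Data"], system=4, own=0)       # GROUP #1
    + _items(["Credentials (Tokens)", "Device Data", "Address Data",
              "Device Details", "Credentials (Tokens) [analytics]",
              "Credentials (IDs) [analytics]"], system=7, own=0)         # GROUP #2
    + _items(["Screen Snapshots", "Credentials (Passwords)",
              "Application Configs [analytics]"], system=7, own=6)        # GROUP #3
)

# DIT items: 14 items, all at 4 points system / 4 points own
DIT_ITEMS = _items(["Credentials (IDs)", "Credentials (Passwords)", "Device Data",
                    "Account Data", "Application Configs", "Local 'n' Network Paths",
                    "Messages", "Document Details", "URLs [messages]", "URLs [media]",
                    "Address Data", "Contact Short Profile", "Credentials (Tokens)",
                    "Media Data"], system=4, own=4)


def item_value(item):
    """Protection value of one item: mean of system and own levels (assumption)."""
    return (item.system + item.own) / 2


def summarize(items):
    """Average (value, system, own) over the items, rounded to 2 decimals like the report."""
    n = len(items)
    return (round(sum(item_value(i) for i in items) / n, 2),
            round(sum(i.system for i in items) / n, 2),
            round(sum(i.own for i in items) / n, 2))


def classify(items):
    """Count worst/bad/good/best items. Thresholds are an assumption."""
    counts = {"worst": 0, "bad": 0, "good": 0, "best": 0}
    for it in items:
        v = item_value(it)
        key = "worst" if v < 3.5 else "bad" if v < 5 else "good" if v < 7 else "best"
        counts[key] += 1
    return counts


def adjust_dar(items, jailbroken=False, ios_version=(10, 0)):
    """Report's DAR device rules as caps: jailbroken -> system 0; iOS < 8.3 -> system 2.
    Items shareable via iTunes already sit at 4, so no extra cap is needed for them."""
    cap = 0 if jailbroken else 2 if ios_version < (8, 3) else 7
    return [replace(i, system=min(i.system, cap)) for i in items]


def adjust_dit(items, ios_version=(10, 0)):
    """Report's DIT rule: on iOS < 9.0 the system level is 2 instead of 4."""
    if ios_version < (9, 0):
        return [replace(i, system=min(i.system, 2)) for i in items]
    return list(items)


if __name__ == "__main__":
    print("DAR as reported:", summarize(DAR_ITEMS), classify(DAR_ITEMS))
    print("DIT as reported:", summarize(DIT_ITEMS), classify(DIT_ITEMS))
    print("DAR on a jailbroken device:", summarize(adjust_dar(DAR_ITEMS, jailbroken=True)))
    print("DIT on iOS 8.4:", summarize(adjust_dit(DIT_ITEMS, ios_version=(8, 4))))
```

Running it reproduces the report’s 3.32 / 5.59 / 1.06 DAR averages and the 4.00 DIT averages, and shows how far the same items drop once a jailbreak or an old iOS removes the system protection: on a jailbroken device only the three GROUP #3 items keep any value at all.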

Privacy Policy

The full application privacy policy is available here.

You may read the privacy policy details by following the link above and compare the developer’s vision of data protection with our results.

[Dev Statement #1]>> This Privacy Policy is effective on April 9, 2010 for current users, and upon acceptance for new users. This privacy policy (“Policy”) covers the information practices relating to the eFax Web Site and all eFax Services offered now or in the future

[PrivacyMeter comment #1]>> The last update of the Privacy Policy written by the eFax team is dated April 9th and covers all services, including mobile applications

[Dev Statement #2]>> During registration, you are required to provide contact information (such as name, phone number and email address), and we will provide you with a PIN

[PrivacyMeter comment #2]>> Customers have to provide an email address and their name and pick a preferred phone number. After that, customers receive an email from the eFax team with a PIN. The email contains the login ID (phone number) and the PIN, which together are the credentials for the account. Sending the PIN code via email leads to serious issues whenever email traffic can be intercepted

Below you find a template of that email:

Dear <Customer’s first name>,
Thank you for choosing eFax Plus! Please save this email as you’ll need these details to update your account and edit your user settings.

Account Details
Your eFax Login:
PIN:

Receiving Faxes
Someone sends a fax to your eFax number. Your fax will arrive as an email from eFax. Open the email and your fax will be attached. Read, forward and/or file your fax.

Sending Faxes
Create a new email. Address it to your recipient’s fax number, followed by “@efaxsend.com.” Always include the country code even when faxing within the country. Attach the documents you want to fax. Click send. You’ll receive an email confirming your fax has been sent.

[Dev Statement #3]>> Quote about third party libraries

2. Use of Personally Identifiable Information. g. Third-Party Intermediaries; Supplementation of Information In order for the Company to properly fulfill its obligations to improve our Services and direct information to users about services that may be of interest to users, we may use third parties and may share users’ information with these third parties. For example, the Company verifies the billing address on all credit card transactions and may obtain credit reports for some corporate users. We use an outside credit card processing company to bill users for Services. In addition, we may use third parties to host certain portions of our Site, to fulfill certain requests for information from our users and to comply with legal requirements. In order to personalize a user’s experience and provide relevant offers from us or our third-party advertisers, we may share users’ information with third parties to learn more about users and their preferences. These companies are not to store or use personally identifiable information for any secondary purposes, and the information obtained from these third-party sources is maintained Privacy Policy

[PrivacyMeter comment #3]>> Besides the common clauses referring to compliance and law, there are two referring to security and third-party privacy. Section 2.g describes the data exchange that results from implementing third-party solutions. As for analytics libraries, the app doesn’t reveal much user information to them: only device details, application analytics configs and analytics credentials

[Dev Statement #4]>> Quote about network security

4. Security The Company takes every reasonable precaution to protect its users’ information. When our registration/order forms ask users to enter their personally identifiable information, that information is protected with encryption software called SSL (secure sockets layer). Any activities performed after you log into your account are also encrypted with SSL. While we use SSL encryption to protect personally identifiable information online, we also employ security measures to protect user information off-line. All of our users’ information, not just the personally identifiable information mentioned above, is restricted in our offices. Only employees who need the information to perform a specific job (for example, our billing clerks or a Customer Service representative) are granted access to personally identifiable information. Finally, the Company servers that store personally identifiable information are in a secure environment

[PrivacyMeter comment #4]>> Formally speaking, this application does have SSL implemented. The application can also validate an SSL connection and detect a crafted certificate; however, that check is limited to comparing the server’s SSL certificate against the list of certificates installed on the device, including certificates added by the user and marked as trusted. In that case a MITM attack can intercept the data items in traffic. All data items found in this research are exposed to MITM once a crafted certificate is installed. The crafted certificate can be either installed by the user or already present on the device and expired. The first case splits into the user knowingly installing the certificate, or someone making them install it by misleading them into changing settings to get network access. ‘Making someone install it’ ranges from the simple case of getting access to a public network to a serious one like Kazakhstan (see: Kazakhstan is going to start intercepting HTTPS traffic via “man-in-the-middle attack” starting Jan 1, 2016; Government root SSL certificate possible vulnerabilities; Bug 1232689 – Add Root Certification Authority of the Republic of Kazakhstan (root.gov.kz); Mozilla – CA Program (Included Government of Kazakhstan roots)). The second case splits into the certificate being preinstalled and expired, or revoked but not removed, or the user having received firmware with a specially crafted certificate

[Dev Statement #5]>> No statements about the protection of locally stored data

[PrivacyMeter comment #5]>> All items found are stored locally as is, without protection, and are not accessible without a jailbreak on iOS 8.3 and higher. Some of them are accessible through a PC/Mac connection over iTunes or other device explorer software, and this includes not only the images of sent and received faxes. Some are not accessible via backup files:

  • ‘Screen Snapshots’ Data Items from ‘Media Information’ Group,

  • ‘Credentials (Passwords)’ Data Items from ‘Credentials Information’ Group,

  • and ‘Application Configs’ Data Item from ‘Analytics ‘n’ Ads Information’ Group

The rest of the data items are available in backup files

[Statement #1 and comment #1]

[Solutions for Developers #1]>> In general, the dev team should revise the policy

[Solutions for users #1]>> Nothing required

[Statement #2 and comment #2]

[Solutions for Developers #2]>> The dev team should implement receiving the code on the eFax website, because it is possible to build a better-protected channel between the user and the site to prevent MITM than by relying on an email application as a third-party service

[Solutions for users #2]>> Avoid using email applications on non-trusted networks, and check your device for installed user CA SSL certificates marked as trusted. Many email applications can detect fake crafted certificates, but only by comparing them against the list of certificates installed on the device. You may also use VPN solutions to prevent MITM

[Statement #3 and comment #3]

[Solutions for Developers #3]>> The dev team should implement SSL pinning so that only the eFax SSL certificate is trusted. The certificate is the easiest thing to pin. You can fetch the certificate out of band for the website: have the IT folks email your company certificate to you, use openssl s_client to retrieve it, etc. At runtime, you retrieve the website’s or server’s certificate in the callback. Within the callback, you compare the retrieved certificate with the certificate embedded in the program. If the comparison fails, fail the method or function
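Solution #3 describes comparing the certificate retrieved in the callback against one embedded in the app, and comment #4 explains why a check against the device trust store is not enough. The added example below (ours, not eFax’s code and not PrivacyMeter’s tooling) implements that comparison in Python so the logic can be read and run outside iOS: it pins the whole certificate as the report recommends, and also shows the public-key (SPKI) variant, which survives certificate renewal. The minimal DER parser, the `connect_pinned` helper and the two constructed, unsigned certificate skeletons are assumptions made for the demonstration; they are not eFax certificates.

```python
"""Certificate pinning check that does not consult the device trust store.

Added example, not eFax code. DEMO_CERT and RENEWED_CERT are constructed,
unsigned DER skeletons built only to exercise the parser. A real client keeps
the normal chain validation and adds this comparison on top of it.
"""
import base64
import hashlib
import socket
import ssl


def der_encode(tag, body):
    """Encode one DER TLV, including long-form lengths (body >= 128 bytes)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def der_decode(data, pos=0):
    """Decode one DER TLV at pos -> (tag, value, end_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: next bytes carry the length
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, data[pos:pos + length], pos + length


def der_children(body):
    """Split a SEQUENCE body into (tag, value, raw_tlv) tuples."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, end = der_decode(body, pos)
        out.append((tag, value, body[pos:end]))
        pos = end
    return out


def extract_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV from a DER X.509 certificate."""
    _, cert_body, _ = der_decode(cert_der)                      # Certificate ::= SEQUENCE
    tbs_fields = der_children(der_children(cert_body)[0][1])    # tbsCertificate fields
    spki_index = 6 if tbs_fields[0][0] == 0xA0 else 5           # [0] version is optional
    return tbs_fields[spki_index][2]


def cert_pin(cert_der):
    """Whole-certificate pin (what the report recommends): SHA-256 of the DER bytes."""
    return hashlib.sha256(cert_der).hexdigest()


def spki_pin(cert_der):
    """Public-key pin: base64(SHA-256(SPKI)); unchanged when the cert is renewed."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def pin_matches(cert_der, pins, mode="cert"):
    """True only if the presented certificate matches a pin shipped inside the app.
    Certificates the user added to the device trust store never enter this decision."""
    pin = cert_pin(cert_der) if mode == "cert" else spki_pin(cert_der)
    return pin in pins


def connect_pinned(host, port, pins, mode="cert"):
    """TLS connect with normal chain validation, then reject unless the leaf is pinned."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if not pin_matches(leaf, pins, mode):
                raise ssl.SSLError("certificate pin mismatch for %s" % host)
            return leaf


# --- constructed fixtures (not real certificates) ------------------------------
_FAKE_SPKI = der_encode(0x30,
    der_encode(0x30, der_encode(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")) +  # id-ecPublicKey
    der_encode(0x03, b"\x00\x04" + bytes(range(64))))                      # fake EC point


def build_demo_cert(serial, not_after):
    """Unsigned certificate skeleton sharing _FAKE_SPKI; differs only by serial/validity."""
    sig_alg = der_encode(0x30, der_encode(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))
    tbs = der_encode(0x30,
        der_encode(0xA0, der_encode(0x02, b"\x02")) +             # [0] version v3
        der_encode(0x02, serial) + sig_alg +
        der_encode(0x30, b"") +                                    # empty issuer Name
        der_encode(0x30, der_encode(0x17, b"170101000000Z") +
                         der_encode(0x17, not_after)) +            # validity
        der_encode(0x30, b"") + _FAKE_SPKI)                        # empty subject, SPKI
    return der_encode(0x30, tbs + sig_alg + der_encode(0x03, b"\x00" + bytes(8)))


DEMO_CERT = build_demo_cert(b"\x01", b"190101000000Z")
RENEWED_CERT = build_demo_cert(b"\x02", b"210101000000Z")   # same key, new certificate
```

`connect_pinned` is the runtime shape of the report’s advice: the OS (or Python’s default context) still validates the chain, and then the leaf is compared byte-for-byte with the embedded pin, so a root the user added to the device’s trusted list cannot satisfy the check. Pinning the whole certificate means the app must ship an update whenever the server certificate is renewed; pinning the SPKI avoids that, as the two fixtures show.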

[Solutions for users #3]>> Avoid using email applications on non-trusted networks, and check your device for installed user CA SSL certificates marked as trusted. Many email applications can detect fake crafted certificates, but only by comparing them against the list of certificates installed on the device. You may also use VPN solutions to prevent MITM

[Statement #4 and comment #4]

[Solutions for Developers #4]>> Nothing required

[Solutions for users #4]>> Nothing required

[Statement #5 and comment #5]

[Solutions for Developers #5]>> The dev team should limit the files shared over PC to images of faxes only and not expose whole databases in their original state, such as SQLite files

[Solutions for users #5]>> Customers should avoid jailbreaking the device, using an outdated OS and connecting it to a PC/Mac. iOS older than 8.3 allows access over a local connection to the application files (application work folders), excluding the keychain, without a jailbreak
