Зарубежный помощник 1.0.54 (Android / Google Play)

This application is available for Android. The latest build was released on March 30, 2017. Our latest check was performed on Feb 10th, 2017.

Findings Summary

Our examination revealed 20 items in total: 10 DAR items and 10 DIT items. Among the DAR items there were 0 worst items, 10 bad items, 0 good items, and 0 best items. Among the DIT items there were 0 worst items, 10 bad items, 0 good items, and 0 best items.

Below you will find 1 infographic summarizing what we described above. Each image provides information about both DAR and DIT items.

Bad Items

Everything presented below is related to well-known CWEs, such as Sensitive data leakage [CWE-200], Unsafe sensitive data storage [CWE-312], Unsafe sensitive data transmission [CWE-319]. You can read more about it here.

Now let’s go deeper and examine each data item’s protection level.

Application Description

Let’s cite the description of this application below:

The «Зарубежный помощник» application is designed for interaction between the Russian Ministry of Foreign Affairs (MFA) and citizens of the Russian Federation abroad, and for informing them about forecast or actual emergencies in their host country. In addition, the application provides access to essential reference information on countries, Russian MFA institutions abroad, and other useful information.
Main features of the application:

  • Telephone contact with the Situation and Crisis Center of the Russian MFA (the ability to place a call or request a callback).
  • Registration of a stay outside the Russian Federation. The Russian MFA needs this information to respond more effectively to emergencies and crises that may affect Russian citizens abroad, in particular to send emergency notifications to users.
  • Viewing news, Russian MFA statements and emergency notifications (including ones tied to a map of the area) about forecast and actual emergencies and recommended actions.
  • Express distribution of SMS messages about an emergency to selected numbers. This is done through the application interface (the user compiles the list of relatives and close contacts they wish to notify in advance).
  • Notifying the Russian MFA of an emergency witnessed by the user.

The application contains useful information available offline:

  • A directory of Russian missions abroad (with addresses, phone numbers and reception hours), with the ability to display them on an interactive map and search for those nearest to the user.
  • Reference information on foreign countries (general information, entry/exit procedures, visa regime, sanitary and epidemiological situation, personal safety norms, and recommendations on behaviour, dress style and laws).
  • Useful tips for those travelling abroad (trip preparation, paperwork, legal guide, ways to avoid unpleasant incidents while travelling).
  • Rules of conduct in emergencies (what to do in case of a lost passport, arrest, natural disasters, etc.).

Protection levels.

Locally stored data (Data-at-Rest, DAR).

Locally stored data groups include Analytics ‘n’ Ads Information, Account Information, Credentials Information, Device Information, Visa ‘n’ Passport Information, Travel Information, Address Book ‘n’ Contact Information.
The average DAR value is 3.50 points (7.00 points of system protection and 0.00 points of own protection). This equals the typical value (3.5 points: 7 points of system protection and 0 points of own protection).

For items with an average value of 3.50 points (7 points of system protection, 0 points of own protection), the data protection levels are defined as follows. Frankly speaking, extra data was found that shouldn’t be accessible. The system protection level means that root/jailbreak is required but is not possible without wiping the device data; the own protection level means the data is stored as is.

– Environment (‘Analytics ‘n’ Ads Information’ Group) – Various info about the environment of the device, including app lists, device info, OS name and versions, updates, a list of users, network details, etc. The group this item belongs to covers any info related to analytics services like Flurry, Google Analytics, etc., or to advertisements.

– Account Data (‘Account Information’ Group) – Basic info about the account, such as name, a list of sub-accounts (e.g. financial or other) and some linked data such as a phone number. The group this item belongs to covers any info related to profiles, basic credential IDs such as email, username or phone number, plus further info depending on the application.

– Credentials (Tokens) (‘Credentials Information’ Group) – Various tokens used to get access to your account, excluding passwords but including app or 3rd-party tokens, secret keys, etc. (these usually give full access to your account). The group this item belongs to covers any type of credentials, including basic ones (IDs only), passwords, tokens, etc.

– Device Data (‘Device Information’ Group) – Device ID, device name, device OS name and version, and jailbroken/root status. The group this item belongs to covers details about your device.

– Credentials (Access IDs) (‘Credentials Information’ Group) – Various tokens used to get access to your account, excluding passwords but including app or 3rd-party tokens, secret keys, etc. (these usually don’t give full access to your account, because access is based on the permissions linked to these access tokens). The group this item belongs to covers any type of credentials, including basic ones (IDs only), passwords, tokens, etc.

– Account Details (‘Account Information’ Group) – Full info about your account, including account membership, expiration, profile, linked data and account, etc. The group this item belongs to covers any info related to profiles, basic credential IDs such as email, username or phone number, plus further info depending on the application.

– Passport Details (‘Visa ‘n’ Passport Information’ Group) – Full info including name, number, expiration, address, gender, birthday, country, family, etc., except biometric data. The group this item belongs to covers all details that are part of a passport, visa or other IDs.

– Travel Details (‘Travel Information’ Group) – Full info about accommodation (hotel, address, contacts, room, date and time, facilities, media data), flights (routes, location, date and time, media data) or ground transportation (routes, location, date and time, media data). The group this item belongs to covers any travel info such as flights, accommodation, ground transportation, etc.

– Contact Profile (‘Travel Information’ Group) – Full info about contacts, including name, email ID, phone numbers, gender, linked accounts, geodata, stream and social activity. The group this item belongs to covers any travel info such as flights, accommodation, ground transportation, etc.

– Contact Short Profile (‘Address Book ‘n’ Contact Information’ Group) – Name, email ID and phone number of contacts. The group this item belongs to covers info that is locally stored, cached or transferred over the network and belongs to this application, even if it’s social.

Keep in mind that if you’re using certain Android devices, such as Samsung, LG or another device with an unlocked or non-locked bootloader that allows rooting the device without user action, the system level equals 6 points instead of 7. This means your data can be stolen without any action on your part.

Transferred data (Data-in-Transit, DIT).

Transferred data groups include Device Information, Analytics ‘n’ Ads Information, Credentials Information, Application Information, News Information, Address Book ‘n’ Contact Information, Account Information, Visa ‘n’ Passport Information, Travel Information.
The average DIT value is 4.00 points (4.00 points of system protection and 4.00 points of own protection). It is less than the typical value (4 points: 4 points of system protection and 4 points of own protection).

For items with an average value of 4.00 points (4 points of system protection, 4 points of own protection), the data protection levels are defined as follows. Frankly speaking, the data is available only if access is allowed, and this may require user action. The system protection level means the system informs the user if a fake certificate has been imported into the device; the own protection level means the protection is bypassed by fake/stolen root certificates.

– Device Data (‘Device Information’ Group) – Device ID, device name, device OS name and version, and jailbroken/root status. The group this item belongs to covers details about your device.

– Environment (‘Analytics ‘n’ Ads Information’ Group) – Various info about the environment of the device, including app lists, device info, OS name and versions, updates, a list of users, network details, etc. The group this item belongs to covers any info related to analytics services like Flurry, Google Analytics, etc., or to advertisements.

– Credentials (Access IDs) (‘Credentials Information’ Group) – Various tokens used to get access to your account, excluding passwords but including app or 3rd-party tokens, secret keys, etc. (these usually don’t give full access to your account, because access is based on the permissions linked to these access tokens). The group this item belongs to covers any type of credentials, including basic ones (IDs only), passwords, tokens, etc.

– URLs (‘Application Information’ Group) – Various types of URLs that refer to your files stored in clouds, profiles, social accounts, media files available online, etc. The group this item belongs to covers any info related to the app and app settings, including installed apps or installers.

– News (‘News Information’ Group) – Any non-important news data types, such as NY magazine’s news. The group this item belongs to covers typical news data, such as NY magazine.

– Contact Short Profile (‘Address Book ‘n’ Contact Information’ Group) – Name, email ID and phone number of contacts. The group this item belongs to covers info that is locally stored, cached or transferred over the network and belongs to this application, even if it’s social.

– Account Details (‘Account Information’ Group) – Full info about your account, including account membership, expiration, profile, linked data and account, etc. The group this item belongs to covers any info related to profiles, basic credential IDs such as email, username or phone number, plus further info depending on the application.

– Passport Details (‘Visa ‘n’ Passport Information’ Group) – Full info including name, number, expiration, address, gender, birthday, country, family, etc., except biometric data. The group this item belongs to covers all details that are part of a passport, visa or other IDs.

– Travel Details (‘Travel Information’ Group) – Full info about accommodation (hotel, address, contacts, room, date and time, facilities, media data), flights (routes, location, date and time, media data) or ground transportation (routes, location, date and time, media data). The group this item belongs to covers any travel info such as flights, accommodation, ground transportation, etc.

– Contact Profile (‘Travel Information’ Group) – Full info about contacts, including name, email ID, phone numbers, gender, linked accounts, geodata, stream and social activity. The group this item belongs to covers any travel info such as flights, accommodation, ground transportation, etc.

Keep in mind that if you’re using an out-of-date Android version (< 7.0), the system level equals 4 points instead of 6. This means your data can be stolen with a crafted certificate preinstalled on the device, or if someone makes you install a certificate. Also, if you’re using an out-of-date Android version (< 5.0), the system level equals 2 points instead of 4. This means your data can be stolen without any action on your part.

Privacy Policy

The full application privacy policy is available here.