Cinemagia, program TV, cinema 5.0.9 (Android / Google Play)


This application is available for Android. It is designed to enrich media activities with features such as discovering Romanian cinema and TV schedules and buying tickets for movies and other shows from your mobile phone. The latest build was released on September 29, 2016. Our latest check was performed on Nov 3rd, 2016.

Findings Summary

Our examination revealed 19 items in total: 2 DAR items and 17 DIT items. Among the DAR items there were 0 worst items, 2 bad items, 0 good items, and 0 best items. Among the DIT items there were 10 worst items, 0 bad items, 7 good items, and 0 best items.

Below you find 3 infographics summarizing what we described above. Each image provides information about both DAR and DIT items.


Everything presented below relates to well-known CWEs, such as Sensitive data leakage [CWE-200], Unsafe sensitive data storage [CWE-312], and Unsafe sensitive data transmission [CWE-319]. You can read more about it here.

Now let’s go deeper and examine each data item’s protection level.

Application Description

The application’s description is quoted below:

Discover the schedules of cinemas in Romania and the complete TV schedule. Buy tickets for the cinema and for other shows directly on your mobile phone. Read the latest news from the world of film. Watch trailers and the films coming soon to cinemas. Find out everything about your favorite films and actors.
Sections:

  • Cinema schedule
  • TV schedule, films on TV, now on TV – favorite TV channels
  • Free time – Events in Bucharest
  • Cinema tickets
  • Setting TV schedule alerts
  • News
  • Complete details about films
  • HD and SD trailers
  • Photo gallery of films and actors
  • Films coming soon to cinemas
  • BoxOffice Romania

Required permissions:
YOUR LOCATION: COARSE (NETWORK-BASED) LOCATION + FINE (GPS) LOCATION – Location is used by the widget to display the cinema schedule for the current location.
HARDWARE CONTROLS: CONTROL VIBRATOR – The phone will vibrate when a TV schedule notification is triggered.
NETWORK COMMUNICATION: VIEW NETWORK STATE – The internet connection is checked in order to display the Retry message in case of an error.
SYSTEM TOOLS: AUTOMATICALLY START AT BOOT – If the phone restarts, the existing alerts must be set again in the system.
IDENTITY: FIND ACCOUNTS ON THE DEVICE – Google Cloud Messaging (GCM) requires a Google account in order to send Push Notifications – for Android versions older than 4.0.4

Protection levels.

Locally stored data (Data-at-Rest, DAR).

Locally stored data groups include Social Information.
The average DAR value is 3.50 points (7.00 points of system protection and 0.00 points of own protection). It equals the typical value (3.5 points: 7 points of system protection and 0 points of own protection).

Items with an average value of 3.50 points (7 points of system protection, 0 points of own protection) have the following protection-level definitions. Frankly speaking, extra data was found that shouldn’t be accessed: the system protection level means root/jailbreak is required but is not possible without wiping device data, and the own protection level means the data is stored as is.

– Credentials (IDs) (‘Social Information’ Group) – Only account IDs, such as app or 3rd party user IDs, including emails, phone numbers, usernames, etc. (depends on the app). The group this item belongs to covers info grabbed from 3rd party social networks.

– Credentials (Tokens) (‘Social Information’ Group) – Different tokens used to get access to your account, excluding passwords but including app or 3rd party tokens, secret keys, etc. (these usually give full access to your account). The group this item belongs to covers info grabbed from 3rd party social networks.

Keep in mind that if you’re using an Android device such as a Samsung, LG or another device with an unlocked or non-locked bootloader that allows rooting the device without user action, the system level equals 6 points instead of 7. It means your data can be stolen without involving your actions.

Transferred data (Data-in-Transit, DIT).

Transferred data groups include Credentials Information, Social Information, Booking ‘n’ Purchases Information, Payment ‘n’ Transaction Information, Account Information, Device Information.
The average DIT value is 2.06 points (2.47 points of system protection and 1.65 points of own protection). It is less than the typical value (4 points: 4 points of system protection and 4 points of own protection).

Items in GROUP #1, with an average value of 0.00 points (0 points of system protection, 0 points of own protection), have the following protection-level definitions. Frankly speaking, the data is sent ‘as is’ and is easily accessed (plaintext, no protection at all): the system protection level means the data is transferred (or supposed to be) ‘as is’ (plaintext) due to jailbreak/root or preinstalled non-trusted firmware, certificates, etc., and the own protection level means the data is transferred as is, perhaps because the protection mode is turned off or doesn’t exist, or the info is revealed eventually.

– Session Details (‘Credentials Information’ Group) – Typical logged session data like connection activity, transferred data, perhaps credential IDs, and rarely access IDs, tokens or passwords. The group this item belongs to covers any type of credentials, including basic ones (IDs only), passwords, tokens, etc.

– Buyer’s Data (‘Booking ‘n’ Purchases Information’ Group) – Some info about buyers, such as name, phone number, and email. The group this item belongs to covers any info related to your bookings and purchases, such as travel, app or other kinds of purchases.

– Session Details (‘Payment ‘n’ Transaction Information’ Group) – Typical logged session data like connection activity, transferred data, perhaps credential IDs, and rarely access IDs, tokens or passwords. The group this item belongs to covers details about transactions and the payment data involved in transaction records.

– Orders & Reservation Details (‘Payment ‘n’ Transaction Information’ Group) – Full info about orders and reservations, like ID, date and time, amount of payment, flight routes, hotel or other order details, rules, and linked data. The group this item belongs to covers details about transactions and the payment data involved in transaction records.

– Card Full Information (‘Payment ‘n’ Transaction Information’ Group) – All details about the card, including short info, holder address, bank info and CVC, CVV, CVV2. The group this item belongs to covers details about transactions and the payment data involved in transaction records.

– Orders & Reservation Details (‘Booking ‘n’ Purchases Information’ Group) – Full info about orders and reservations, like ID, date and time, amount of payment, flight routes, hotel or other order details, rules, and linked data. The group this item belongs to covers any info related to your bookings and purchases, such as travel, app or other kinds of purchases.

– Device Data (‘Device Information’ Group) – Device ID, device name, device OS name and version, and jailbroken/root status. The group this item belongs to covers details about your device.

– Orders & Reservation History (‘Booking ‘n’ Purchases Information’ Group) – Basic info about orders and reservations, like ID, date and time, amount of payment, and place (depends on the app). The group this item belongs to covers any info related to your bookings and purchases, such as travel, app or other kinds of purchases.

– Media Data (‘Account Information’ Group) – Any info like images, audio, videos, media notes, etc. The group this item belongs to covers any info related to profiles: basic credential IDs like email, username or phone number, plus some more info depending on the application.

– Media Data (‘Social Information’ Group) – Any info like images, audio, videos, media notes, etc. The group this item belongs to covers info grabbed from 3rd party social networks.

Items in GROUP #2, with an average value of 5.00 points (6 points of system protection, 4 points of own protection), have the following protection-level definitions. Frankly speaking, the data is not available all the time or is only partially accessible: the system protection level means MITM is prevented or fake certificate importing is prevented, but plaintext non-protected traffic is intercepted, and the own protection level means protection is bypassed by fake/stolen root certificates.

– Credentials (IDs) (‘Social Information’ Group) – Only account IDs, such as app or 3rd party user IDs, including emails, phone numbers, usernames, etc. (depends on the app). The group this item belongs to covers info grabbed from 3rd party social networks.

– Contact Short Profile (‘Social Information’ Group) – Name, email ID, and phone number of contacts. The group this item belongs to covers info grabbed from 3rd party social networks.

– Credentials (Tokens) (‘Social Information’ Group) – Different tokens used to get access to your account, excluding passwords but including app or 3rd party tokens, secret keys, etc. (these usually give full access to your account). The group this item belongs to covers info grabbed from 3rd party social networks.

– Credentials (Passwords) (‘Social Information’ Group) – Well-known passwords or PINs you use to get access to your account (usually worse than tokens because they give full access to your account). The group this item belongs to covers info grabbed from 3rd party social networks.

– Credentials (IDs) (‘Credentials Information’ Group) – Only account IDs, such as app or 3rd party user IDs, including emails, phone numbers, usernames, etc. (depends on the app). The group this item belongs to covers any type of credentials, including basic ones (IDs only), passwords, tokens, etc.

– Credentials (Passwords) (‘Credentials Information’ Group) – Well-known passwords or PINs you use to get access to your account (usually worse than tokens because they give full access to your account). The group this item belongs to covers any type of credentials, including basic ones (IDs only), passwords, tokens, etc.

– Account Data (‘Account Information’ Group) – Basic info about the account, like name, a list of sub-accounts (e.g. financial or other) and some linked data like a phone number. The group this item belongs to covers any info related to profiles: basic credential IDs like email, username or phone number, plus some more info depending on the application.

Keep in mind that if you’re using an out-of-date Android version (< 7.0), the system level equals 4 points instead of 6. It means your data can be stolen with a crafted preinstalled certificate on the device or if someone makes you install a certificate. Also, if you’re using an out-of-date Android version (< 5.0), the system level equals 2 points instead of 4. It means your data can be stolen without involving your actions.

Privacy Policy

The full application privacy policy is available here.

You can follow the link above to read the privacy policy details and compare the developer’s view of data protection with our results.
This privacy policy is published in Romanian, so we include a Google-translated edition below.
Cinemagia – Terms and Conditions
Below are the terms and conditions of use of the site Cinemagia. For terms and conditions of use of the service purchase tickets, click here
General terms
Terms and conditions of use of the site http://www.cinemagia.ro (hereinafter “Terms and Conditions”) establishes the conditions under which any person may visit or access the website http://www.cinemagia.ro (hereinafter “Site” and / or “Movie”) or can be used in any way CineMagia service offered through the Site (hereinafter “service Movie”), and has a value of agreements concluded between iMedia Plus Group SA (Hereinafter “iMedia”), in its capacity as owner and administrator of the Site and the Provider Service Movie, and any person visiting or accessing the Site or who want to use in any manner or actually use the service CineMagia (hereinafter “User”). Not accepting these Terms and Conditions or any provision of these attract duty of that person to stop accessing the Site and access or visit further the Site, any page in it and / or use of the Service Movie and of any component thereof constitute a full and unconditional acceptance of the Terms and Conditions and any of its stipulations
Information note on the processing of personal data
By using the services offered by the site expressly express consent for iMedia to process, store and transmit personal data provided by you character
According to Law no. 677/2001 on the protection of individuals with regard to the processing of personal character and free movement of such data, amended and supplemented, and the Law. 506/2004 concerning the processing of personal data and privacy in communications sector computer aided manufacture, iMedia will manage safely and only for specified purposes personal data you provide about your purpose of data collection is: advertising, marketing and advertising and electronic communications services. Your refusal makes it impossible to benefit of services offered by iMedia. The information provided is intended for use by iMedia and are communicated only to the following recipients: iMedia contractual partners and other companies in the same group with iMedia
By registering on the site you will receive information about products, services, events etc. offered by iMedia and our business partners
According to Law no. 677/2001, have the right to access, right to the data, the right not to be subjected to an individual decision and the right to go to court. Also you have the right to oppose the processing of your personal data and request deletion. You agree that deleting your personal data will be followed by deleting your account in the system and the inability to apply to services and products offered by iMedia
To exercise these rights can make a request in writing that your requirement to send by mail to: Bucharest, Bd. Pierre de Coubertin no. 3-5, Office Building, 5th Floor, District 2
If some of your information is incorrect, please let us know as soon as possible
iMedia is registered as personal data operator no. 9762
Materials and information accessible through the Site
The content and graphic elements of the Site, including but not limited to, all text content and technical sources of all services and facilities present and future, unless it is expressly mentioned another owner sources pages but any other material transmitted in any form and by the user (by direct visualization on site, newsletters etc.) belong iMedia and partners and represent the content of the site
Site content, regardless of where they are in the site and regardless of type, can be used exclusively for personal purposes. Any use of content by third parties for purposes other than personal, can be made only with written consent and express prior iMedia. Thus it is forbidden to copy, download, reproduce, publish, transfer, sale, distribution partial, full or modified content of this website or any part thereof for reasons other than personal, with the following exceptions:
is reproduced (non commercial websites, forums, newspaper articles, etc.) small excerpts from articles published (max. 2 paragraphs). Specify the source of information retrieved is mandatory following form: (Source: Movie – http://www.cinemagia.ro) allowed links to the site and specify the source of information will be made after every link or the end of the article as follows: “information provided courtesy Movie”. iMedia reserves the right to sue any person and / or entity in any way violate the above provisions
Requests to use website content for any purpose other than personal can be made at: Bd. Pierre de Coubertin, no. 3-5, tower block, et. May sect. 2, Bucuresti, cod 021 901 specification “Attention editorial Movie, or by e-mail at contact@cinemagia.ro
Any person who sends in any way information or materials to the Site assume the obligation not to prejudice in any way the copyrights that a third party could invoke related material and information transmitted in any way to the site and people who ships in any way information or materials understand and accept that in any way breach this obligation can not engage in no way the responsibility of iMedia, but only the responsibility of those persons
Services cost: Buying tickets to cinemas
Users can benefit Cinemagia service surcharge on buying tickets at cinemas partner. For terms and conditions of this service, click here
limitation of liability
iMedia assumes no obligation and does not guarantee either express or implied, for the contents of the Site, the content supplied by its partners or users of the Site. iMedia will make all reasonable efforts to ensure the accuracy and confidence in and will try to correct errors and omissions as quickly as possible
However, iMedia is not responsible for inaccuracies, errors or omissions in the information provided by users. Expressly Site users agree to indemnify the iMedia any judicial or extrajudicial action that comes as a result of misuse or fraudulent use of the Site
To force majeure, iMedia and / or operators, directors, employees, subsidiaries, affiliates and its representatives is totally exonerated from responsibility. Cases of force majeure include, but are not limited to, errors in operating the technical equipment of iMedia, lack functioning internet connection, lack of functioning telephone connections, computer viruses, unauthorized access to systems Site, operation errors, strike, and so on
Users agree to protect and ensure the iMedia and / or operators, directors, employees, subsidiaries, affiliates and representatives harmless from and against any claims, demands, actions, charges, losses, damages, costs (including without any kind of limitation attorney’s fees), costs, judgments, decisions, fines, regulations or other obligations arising or related to any other action in connection with the User’s use of the service or any other aspect related Movie Movie Service
Modification of Terms and Conditions
iMedia has the right to modify in any way any provision of the Terms or terms and conditions in full, without any notice and without being obliged to meet any other formality Users. Any change is fully and unconditionally accepted by Site users by simply using or accessing any facility offered by site or service CineMagia or by accessing the Site, occurring any time after the operation change and not accept any changes attract obligation that User to stop accessing the Site and / or use the Service in any manner Movie
Applicable law. litigation
Rights and obligations of users of the Site and iMedia stipulated by Terms and Conditions and all legal effects they produce Terms and Conditions shall be construed and governed in accordance with Romanian law in force. Any dispute arising out of or relating to these Terms and Conditions shall be settled amicably. In case of impossibility to reach an agreement, the dispute will be settled by the competent Romanian court located within the area of Bucharest