eFax 4.10.0 (Android / Google Play) on Jan 2, 2017 (upd. Jan 4th)


This application is available for Android here. This app was designed to let customers send, receive, scan and sign faxes from their mobile phones or PC. The latest build was released on September 22, 2016.

Findings Summary

Our examination covered 31 items in total: 17 DAR items and 14 DIT items. Among the DAR items, 0 rated worst, 17 bad, 0 good and 0 best; among the DIT items, 0 rated worst, 0 bad, 14 good and 0 best.

Two infographics accompany this post and summarize the figures above; each image covers both the DAR and the DIT items.

Everything presented below maps to well-known CWEs: information exposure [CWE-200], cleartext storage of sensitive information [CWE-312] and cleartext transmission of sensitive information [CWE-319]. You can read more about them here.

Now let’s go deeper and examine each data item’s protection level.

Application Description

Let’s cite the description of this application below:

The eFax mobile fax app puts the power of a fax machine on your Android device. The award winning fax app is the most convenient way to send, receive, scan and sign faxes! The eFax® fax app is free to download and works for all eFax® subscribers.
New users can download the fax app for free and sign up for an eFax account through the app or via our website at: https://www.efax.com/efax-free
US users can test out eFax for free with limited faxes and features.
eFax Plus includes:

  • Choice of your own fax number
  • Receive 150 fax pages per month
  • Send 150 fax pages per month
  • Digitally sign faxes

Send, receive, scan and sign free faxes from your phone or tablet. Start faxing in minutes with eFax – the World Leader in Online Faxing.
Scan documents using your phone or tablet camera or upload existing ones to fax instantly. eFax® also allows you to upload files from your device, email or cloud storage (e.g., Google Drive, Box, Dropbox) and even prepare and send faxes with personalized cover pages!
Other features:

  • Prepare and add an electronic signature with a touch of your fingertip
  • Receive, edit and sign faxes – no printing required
  • Store and archive important faxes online with unlimited fax storage
  • Print faxes using Google Cloud Print
  • Forward documents by fax or email from your phone
  • Export faxes – download files and transfer PDF documents to your online cloud storage

This free fax app is the perfect companion to the eFax® email to fax/fax to email service. You can send and receive faxes by email on your desktop, laptop or mobile device. Other desktop features include large file sharing, unlimited online fax storage and eFax Messenger fax editing software.
We value your feedback. Please send your input and suggestions to android@efax.com

Protection levels.

Locally stored data (Data-at-Rest, DAR).

Locally stored data groups include Credentials Information, Device Information, Account Information, Application Information, Documents Information, Message Information, Location ‘n’ Maps Information, Address Book ‘n’ Contact Information, Analytics ‘n’ Ads Information, Log Information.
The average DAR value is 3.50 points (7.00 points of system protection and 0.00 points of own protection). This matches the typical value (3.5 points: 7 points of system protection and 0 points of own protection).

An average of 3.50 points (7 points of system protection, 0 points of own protection) means the following: the app stores data that should not be accessible at all; a system protection level of 7 means root or jailbreak is required and cannot be obtained without wiping the device; an own protection level of 0 means the data is stored as is, with no protection added by the app.

– Credentials (IDs) (‘Credentials Information’ group) – account IDs only: app or third-party user IDs such as emails, phone numbers or usernames, depending on the app. The group covers any type of credential: basic IDs, passwords, tokens, etc.

– Credentials (Tokens) (‘Credentials Information’ group) – tokens used to access your account, excluding passwords but including app or third-party tokens, secret keys, etc. (these usually grant full access to the account). The group covers any type of credential: basic IDs, passwords, tokens, etc.

– Device Data (‘Device Information’ group) – device ID, device name, OS name and version, and jailbroken/rooted status. The group covers details about your device.

– Account Data (‘Account Information’ group) – basic account information such as the name, a list of sub-accounts (financial or other) and linked data such as a phone number. The group covers profile information, basic credential IDs such as email, username or phone number, and further app-dependent details.

– Application Configs (‘Application Information’ group) – configuration files created by the app, possibly including app permissions. The group covers anything related to the app and its settings, including installed apps or installers.

– Local ‘n’ Network Paths (‘Documents Information’ group) – paths of local or network directories, folders and files. The group covers documents stored locally, uploaded, downloaded or synchronized, in any file format.

– Messages (‘Message Information’ group) – messages and conversations of any type except SMS and MMS, including recipient and sender IDs and attachments. The group covers all messages, including SMS, MMS, social and IM messages, with or without attachments.

– Document Details (‘Message Information’ group) – general information about documents synchronized or stored locally (properties such as size, date and time). The group covers all messages, including SMS, MMS, social and IM messages, with or without attachments.

– Address Data (‘Location ‘n’ Maps Information’ group) – home, work or other owner addresses stored by the app. The group covers any geodata from trackers, social networks, GPS, etc.

– Contact Short Profile (‘Address Book ‘n’ Contact Information’ group) – name, email and phone number of contacts. The group covers contact information stored locally, cached or sent over the network by this application (social apps included).

– Device Details (‘Analytics ‘n’ Ads Information’ group) – basic device details plus hardware keys and fingerprints, as well as the IMEI. The group covers anything related to analytics services such as Flurry or Google Analytics, or to advertising.

– Credentials (Tokens) (‘Analytics ‘n’ Ads Information’ group) – tokens used to access your account, excluding passwords but including app or third-party tokens, secret keys, etc. (these usually grant full access to the account). The group covers anything related to analytics services such as Flurry or Google Analytics, or to advertising.

– Credentials (IDs) (‘Analytics ‘n’ Ads Information’ group) – account IDs only: app or third-party user IDs such as emails, phone numbers or usernames, depending on the app. The group covers anything related to analytics services such as Flurry or Google Analytics, or to advertising.

– Media Data (‘Message Information’ group) – images, audio, video, media notes, etc. The group covers all messages, including SMS, MMS, social and IM messages, with or without attachments.

– Credentials (Passwords) (‘Credentials Information’ group) – passwords or PINs used to access your account (usually worse to leak than tokens, since they give full access to the account). The group covers any type of credential: basic IDs, passwords, tokens, etc.

– Log Data (‘Log Information’ group) – any logged data, as a single file or as several files. The group covers anything written to local or network logs.

– Application Configs (‘Analytics ‘n’ Ads Information’ group) – configuration files created by the app, possibly including app permissions. The group covers anything related to analytics services such as Flurry or Google Analytics, or to advertising.

Keep in mind that on some Samsung or LG devices, or on any device with an unlocked or unlockable bootloader that allows rooting without wiping user data, the system protection level is 6 points instead of 7. In that case your local data can be extracted without any action on your part.

Transferred data (Data-in-Transit, DIT).

Transferred data groups include Credentials Information, Device Information, Account Information, Application Information, Documents Information, Message Information, Media Information, Location ‘n’ Maps Information, Address Book ‘n’ Contact Information.
The average DIT value is 5.07 points (6.00 points of system protection and 4.14 points of own protection). This is higher than the typical value (4 points: 4 points of system protection and 4 points of own protection).

Items’ GROUP #1, with an average of 5.00 points (6 points of system protection, 4 points of own protection), means the data is not exposed all the time, or only partially. A system protection level of 6 means the platform blocks a plain MITM and the import of a forged certificate, while unprotected plaintext traffic would still be intercepted; an own protection level of 4 means the app’s own certificate check is bypassed by a forged or stolen root certificate.

– Credentials (IDs) (‘Credentials Information’ group) – account IDs only: app or third-party user IDs such as emails, phone numbers or usernames, depending on the app. The group covers any type of credential: basic IDs, passwords, tokens, etc.

– Credentials (Passwords) (‘Credentials Information’ group) – passwords or PINs used to access your account (usually worse to leak than tokens, since they give full access to the account). The group covers any type of credential: basic IDs, passwords, tokens, etc.

– Device Data (‘Device Information’ group) – device ID, device name, OS name and version, and jailbroken/rooted status. The group covers details about your device.

– Account Data (‘Account Information’ group) – basic account information such as the name, a list of sub-accounts (financial or other) and linked data such as a phone number. The group covers profile information, basic credential IDs such as email, username or phone number, and further app-dependent details.

– Application Configs (‘Application Information’ group) – configuration files created by the app, possibly including app permissions. The group covers anything related to the app and its settings, including installed apps or installers.

– Local ‘n’ Network Paths (‘Documents Information’ group) – paths of local or network directories, folders and files. The group covers documents stored locally, uploaded, downloaded or synchronized, in any file format.

– Messages (‘Message Information’ group) – messages and conversations of any type except SMS and MMS, including recipient and sender IDs and attachments. The group covers all messages, including SMS, MMS, social and IM messages, with or without attachments.

– Document Details (‘Message Information’ group) – general information about documents synchronized or stored locally (properties such as size, date and time). The group covers all messages, including SMS, MMS, social and IM messages, with or without attachments.

– URLs (‘Message Information’ group) – URLs pointing to your files stored in clouds, profiles, social accounts, media files available online, etc. The group covers all messages, including SMS, MMS, social and IM messages, with or without attachments.

– URLs (‘Media Information’ group) – URLs pointing to your files stored in clouds, profiles, social accounts, media files available online, etc. The group covers photos, images, video and audio.

– Address Data (‘Location ‘n’ Maps Information’ group) – home, work or other owner addresses stored by the app. The group covers any geodata from trackers, social networks, GPS, etc.

– Contact Short Profile (‘Address Book ‘n’ Contact Information’ group) – name, email and phone number of contacts. The group covers contact information stored locally, cached or sent over the network by this application (social apps included).

– Credentials (Tokens) (‘Credentials Information’ group) – tokens used to access your account, excluding passwords but including app or third-party tokens, secret keys, etc. (these usually grant full access to the account). The group covers any type of credential: basic IDs, passwords, tokens, etc.

Items’ GROUP #2, with an average of 6.00 points (6 points of system protection, 6 points of own protection), means protection and privacy issues are still possible but require tampering with the app code. A system protection level of 6 means the platform blocks a plain MITM and the import of a forged certificate, while unprotected plaintext traffic would still be intercepted; an own protection level of 6 means the app uses SSL pinning (which can be patched out of the app binary).

– Media Data (‘Message Information’ group) – images, audio, video, media notes, etc. The group covers all messages, including SMS, MMS, social and IM messages, with or without attachments.

Keep in mind that on an out-of-date Android below 7.0 the system level is 4 points instead of 6: your data can be stolen with a crafted certificate that is already on the device or that someone tricks you into installing. (From Android 7.0 on, apps targeting API level 24 or higher no longer trust user-added CAs unless they opt in through their network security configuration.) On an out-of-date Android below 5.0 the system level is 2 points instead of 4: your data can be stolen without any action on your part.

Privacy Policy

Full application privacy policy is available here.

Follow the link above to compare the developer’s view of data protection with our results.

[Dev Statement #1]>>

This Privacy Policy is effective on April 9, 2010 for current users, and upon acceptance for new users. This privacy policy (“Policy”) covers the information practices relating to the eFax Web Site and all eFax Services offered now or in the future.

[PrivacyMeter comment #1]>>
The privacy policy written by the eFax team was last updated on April 9, 2010, and it covers all services, including the mobile applications.

[Dev Statement #2]>>
During registration, you are required to provide contact information (such as name, phone number and email address), and we will provide you with a PIN

[PrivacyMeter comment #2]>>
Customers provide an email address and a name and pick a preferred fax number. They then receive an email from the eFax team containing the login ID (the fax number) and the PIN, which together are the credentials for the account. Sending the PIN by email creates a problem: whoever can read the mailbox or intercept the message on the wire obtains the account credentials.

Below you find a template of that email:

Dear <Customer’s first name>,
Thank you for choosing eFax Plus! Please save this email as you’ll need these details to update your account and edit your user settings.

Account Details
Your eFax Login: <your eFax number>
PIN: <your PIN>

Receiving Faxes
  • Someone sends a fax to your eFax number
  • Your fax will arrive as an email from eFax
  • Open the email and your fax will be attached
  • Read, forward and/or file your fax

Sending Faxes
  • Create a new email
  • Address it to your recipient’s fax number, followed by “@efaxsend.com”
  • Always include the country code even when faxing within the country
  • Attach the documents you want to fax
  • Click send. You’ll receive an email confirming your fax has been sent

[Dev Statement #3]>>
Quote about third party libraries

2. Use of Personally Identifiable Information.
g. Third-Party Intermediaries; Supplementation of Information
In order for the Company to properly fulfill its obligations to improve our Services and direct information to users about services that may be of interest to users, we may use third parties and may share users’ information with these third parties. For example, the Company verifies the billing address on all credit card transactions and may obtain credit reports for some corporate users. We use an outside credit card processing company to bill users for Services. In addition, we may use third parties to host certain portions of our Site, to fulfill certain requests for information from our users and to comply with legal requirements. In order to personalize a user’s experience and provide relevant offers from us or our third-party advertisers, we may share users’ information with third parties to learn more about users and their preferences. These companies are not to store or use personally identifiable information for any secondary purposes, and the information obtained from these third-party sources is maintained Privacy Policy

[PrivacyMeter comment #3]>>
Besides the usual compliance and legal clauses, two clauses concern security and data sharing with third parties. Clause 2.g covers the data exchanged with third parties as part of their integration. For the analytics libraries in this app, not much user information is involved: we found only device details, analytics configuration and analytics credentials (the ‘Analytics ‘n’ Ads Information’ items listed above).

[Dev Statement #4]>>
Quote about network security

4. Security
The Company takes every reasonable precaution to protect its users’ information. When our registration/order forms ask users to enter their personally identifiable information, that information is protected with encryption software called SSL (secure sockets layer). Any activities performed after you log into your account are also encrypted with SSL
While we use SSL encryption to protect personally identifiable information online, we also employ security measures to protect user information off-line. All of our users’ information, not just the personally identifiable information mentioned above, is restricted in our offices. Only employees who need the information to perform a specific job (for example, our billing clerks or a Customer Service representative) are granted access to personally identifiable information. Finally, the Company servers that store personally identifiable information are in a secure environment

[PrivacyMeter comment #4]>>

Formally, the application does use SSL/TLS. It also validates the server certificate and rejects a forged one, but the check goes no further than verifying that the certificate chains to a CA in the device’s trust store, and that store includes certificates added by the user and marked as trusted. A MITM is therefore possible for anyone who can get a crafted CA certificate onto the device, and every data item found in this research is exposed in that case. The crafted certificate may be installed by the user, or it may already be present on the device. In the first case the user either installs it knowingly or is talked into it, whether in the simple form of being asked to install a certificate to get onto a public network or on a national scale as in Kazakhstan (see: Kazakhstan is going to start intercepting HTTPS traffic via “man-in-the-middle attack” starting Jan 1, 2016; Government root SSL certificate possible vulnerabilities; Bug 1232689 – Add Root Certification Authority of the Republic of Kazakhstan (root.gov.kz); Mozilla – CA Program (Included Government of Kazakhstan roots)). In the second case the certificate is preinstalled and has expired or been revoked but never removed, or the user is running firmware that shipped with a specially crafted certificate.

[Dev Statement #5]>>

No statements about a protection of locally stored data

[PrivacyMeter comment #5]>>
All items are stored locally as is, without any protection added by the app; they cannot be accessed without root.

[Statement #1 and comment #1]

[Solutions for Developers #1]>>
In general, the dev team should revise the policy, which has not been updated since 2010, so that it explicitly addresses the mobile app.

[Solutions for users #1]>>
Nothing required

[Statement #2 and comment #2]

[Solutions for Developers #2]>>
The dev team should deliver the PIN through the eFax website rather than by email: the channel between the user and the site can be protected against MITM, whereas email and third-party mail applications are outside eFax’s control.

[Solutions for users #2]>>
Avoid using your email application on untrusted networks, and check the device for user-installed CA certificates marked as trusted (Settings → Security → Trusted credentials, User tab). Many email applications do detect forged certificates, but only by checking them against the CAs installed on the device, so a CA you were tricked into installing passes the check. A VPN on untrusted networks also limits MITM, as does Android 7, where apps targeting API level 24 or later stop trusting user-added CAs by default.

[Statement #3 and comment #3]

[Solutions for Developers #3]>>
The dev team should implement SSL pinning so that the app trusts only the eFax certificate (or, better, its public key) instead of every CA in the device store. The pin is obtained out of band, for example by retrieving the server certificate with openssl s_client. At runtime the application receives the server’s certificate in the trust-manager callback, compares it (or the hash of its SubjectPublicKeyInfo) with the value embedded in the app, and aborts the connection if they differ. Pinning the public key rather than the whole certificate survives routine certificate renewals that keep the key pair; in either case a backup pin for a spare key should be embedded so that a key rotation does not lock users out until an app update ships.
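As an added example (not eFax’s code, and not taken from the original post), the script below shows both halves of the procedure just described in the shell a developer would use: deriving a pin from a certificate obtained out of band, and the runtime comparison of a presented certificate against the embedded pin. It assumes only the openssl command-line tool; the host name in the comment is a placeholder for the real eFax endpoint, and the two self-signed certificates the script generates are constructed test data, one standing in for the genuine server and one for an interception proxy that presents the same name with a different key.

```shell
#!/bin/sh
# Added example, not eFax code: derive a certificate pin and check a presented
# certificate against it, the way a pinning callback inside the app would.
# Assumes the openssl CLI is installed; www.efax.com below is a placeholder.
set -eu

# Developer side, done once, out of band (needs network; shown for reference):
#   openssl s_client -connect www.efax.com:443 -servername www.efax.com </dev/null 2>/dev/null \
#     | openssl x509 -outform PEM > server.pem
#
# The pin is the base64-encoded SHA-256 of the certificate's SubjectPublicKeyInfo
# in DER form. Pinning the key rather than the whole certificate survives a
# renewal that keeps the same key pair.
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A
}

# Runtime side: compare the presented certificate's pin with the embedded one.
# Exit status 0 means match; non-zero means the app must abort the connection.
verify_pin() {
    presented_cert=$1
    expected_pin=$2
    actual_pin=$(spki_pin "$presented_cert")
    [ "$actual_pin" = "$expected_pin" ]
}

# Constructed test data: a self-signed certificate with a fresh RSA key.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Offline demonstration: the genuine certificate is accepted, a MITM certificate
# carrying the same name but a different key is rejected.
demo() {
    work=$(mktemp -d)
    make_cert "$work/efax" "www.efax.example"
    make_cert "$work/mitm" "www.efax.example"
    pin=$(spki_pin "$work/efax.pem")        # the value that gets embedded in the app
    if verify_pin "$work/efax.pem" "$pin"; then echo "genuine certificate: accepted"; fi
    if ! verify_pin "$work/mitm.pem" "$pin"; then echo "mitm certificate: rejected"; fi
    rm -rf "$work"
}
demo
```

The base64 value that spki_pin prints is the format both OkHttp’s CertificatePinner (prefixed with sha256/) and the Network Security Config pin-set on Android 7 and later expect, so the same value serves whichever mechanism the app adopts. Note that an interception proxy whose CA the user has installed still fails this check, because the proxy cannot present the pinned key.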

[Solutions for users #3]>>
Avoid using email and this application on untrusted networks, and check the device for user-installed CA certificates marked as trusted (Settings → Security → Trusted credentials, User tab). Many applications do detect forged certificates, but only by checking them against the CAs installed on the device, so a CA you were tricked into installing passes the check. A VPN on untrusted networks also limits MITM, as does Android 7, where apps targeting API level 24 or later stop trusting user-added CAs by default.

[Statement #4 and comment #4]

[Solutions for Developers #4]>>
Nothing required

[Solutions for users #4]>>
Nothing required

[Statement #5 and comment #5]

[Solutions for Developers #5]>>
The dev team should limit the files reachable from a connected PC to the fax images themselves and not expose the app’s databases, such as the SQLite files, in their raw form; better still, encrypt the locally stored items so that a root or forensic extraction yields nothing usable.

[Solutions for users #5]>>
Customers should avoid rooting their devices (1) or using devices (2) with an unlocked or unlockable bootloader, to prevent leaks of locally stored data. Devices of type (2) allow rooting without wiping the device’s data and un-rooting afterwards, which grants access to the app’s data. This is a routine procedure on many such devices and is also supported by forensic software from Oxygen Software (see the Oxygen Software News page for current details).