Flights, Hotels – Anywayanyday (Android / Google Play)

175x175bb (1)

This application is available for Android. This app is designed to find the flights combining searching results from ~800 airlines and 330,000 hotels. The latest build was released on June 11, 2017. Our latest check was performed on Feb 10th, 2017

Findings Summary

Our examination revealed total 28 items, where were 11 DAR items and 17 DIT items found. Among DAR items were found 0 worst items, 11 bad items, 0 good items, and 0 best items. Among DIT items were found 0 worst items, 0 bad items, 17 good items, and 0 best items.

Below you find 2 infographics summarizing what we described above. Each image provides information about both DAR and DIT items.

 

This slideshow requires JavaScript.


Everything presented below is related to well-known CWEs, such as Sensitive data leakage [CWE-200], Unsafe sensitive data storage [CWE-312], Unsafe sensitive data transmission [CWE-319]. You can read more about it here.

Now let’s go deeper and examine each data item’s protection level.

 

Application Description

Let’s cite the description of this application below:

Anywayanyday is a free application for Android smartphones and tablets from anywayanyday.com, an online service for buying air tickets and making hotel reservations all over the world. For your every request the system analyses offers from over 800 airlines and 330,000 hotels worldwide and finds the optimal ones. Searching, choosing and paying for an air ticket or a hotel take on average about three minutes.
Achievements
One of the best apps in 2013 and 2014 according to Google Play rating.
Short-list of the International World Summit Award Mobile — 2014.
Digital Communications AWARDS — 2015.
Winner of Apps Awards 2015 in “Best B2C solution”.
Functions
Ticket purchase and hotel booking:

  • Сonvenient search;
  • Voice data input;
  • Price caledar;
  • The flight options are filtered by price, departure time, arrival time, airports, transfers;
  • The accommodation options are filtered by price, accommodation type, stars, services;
  • Pre-booking and booking cancellation directly from the app;
  • Payment for air tickets with bank cards and in cash in mobile phone outlets;
  • Payment for air tickets to the airline directly;
  • Payment for hotels with bank cards;
  • Several discounts usable on the same order;
  • Flight itinerary and/or hotel voucher sent per email and texts with payment confirmation.Additional services:
  • Issue of insurance policies for travelers;
  • Issue of insurance policies against flight cancellation and for flight duration (while buying a ticket);
  • Possibility to buy an Aeroexpress train ticket while booking an air ticket to or out of Moscow;
  • bonus program from Anywayanyday.com.Personal account:
  • memory book;
  • order lists;
  • detailed order information including booked and issued insurance policies;
  • payment cards data;
  • your personal and profile data.

 

Protection levels.

Locally stored data (Data-at-Rest, DAR).

Locally stored data groups include Credentials Information, Visa ‘n’ Passport Information, Account Information, Financial Information, Analytics ‘n’ Ads Information, Personal ‘n’ Private Information, Location ‘n’ Maps Information, Booking ‘n’ Purchases Information.
The average DAR value is 3.59 points (7.00 points of system protection and 0.18 points of own protection). It is higher than a typical value (3.5 points, where’s 7 points of system protection and 0 points of own protection).

Items’ GROUP #1 with average value 3.50 points (7 points of system protection, 0 points of own protection) means data protection levels have following definitions. Frankly talking, extra data found that shouldn’t be accessed where system protection level means – root/jailbreak is required but not possible without wiping device data, and own protection level means – stored as is.

– Credentials (IDs) (‘Credentials Information’ Group) – Only account IDs like app or 3rd party user IDs including emails, phone number, usernames, etc. (depends on apps). This data item related to mentioned group meant to be any types of credentials including basic (IDs only), passwords, tokens, etc.,

– Credentials (Passwords) (‘Credentials Information’ Group) – Well-known passwords or PINs you’re using to get access to your account (usually it is worse than tokens because it gives full access to your account). This data item related to mentioned group meant to be any types of credentials including basic (IDs only), passwords, tokens, etc.,

– Passport Details (‘Visa ‘n’ Passport Information’ Group) – Full info including name, number expiration, address, gender, birthday, country, family, etc., except biometric data. This data item related to mentioned group meant to be all details are part of passport, visa or another ids,

– Account Details (‘Account Information’ Group) – Full info about your account including account membership, expiration, profile, linked data and account, etc. This data item related to mentioned group meant to be any info related to profiles, basic credential IDs like email or username or phone number plus some more info depends on applications,

– Device Data (‘Analytics ‘n’ Ads Information’ Group) – Device ID, Device Name, Device OS Name and Version, and jailbroken/root status. This data item related to mentioned group meant to be any info related to analytics services like Flurry, Google Analytics, etc. or advertisements,

– Credentials (Access IDs) (‘Analytics ‘n’ Ads Information’ Group) – Different tokens used to get access to your account, except for passwords but including app or 3rd party tokens, secret keys, etc. (usually don’t give full access to your account because based on permissions linked to these access tokens). This data item related to mentioned group meant to be any info related to analytics services like Flurry, Google Analytics, etc. or advertisements,

– Personalization (‘Personal ‘n’ Private Information’ Group) – Info describes user preferences, favorites, tracked data, search requests, suggestions, etc. This data item related to mentioned group meant to be any personal and private info is not grabbed from the 3rd party social networks or your IDs,

– Personalization (‘Location ‘n’ Maps Information’ Group) – Info describes user preferences, favorites, tracked data, search requests, suggestions, etc. This data item related to mentioned group meant to be any geodata from trackers, social networks, GPS, etc.,

– Passport Details (‘Booking ‘n’ Purchases Information’ Group) – Full info including name, number expiration, address, gender, birthday, country, family, etc., except biometric data. This data item related to mentioned group meant to be any info related to your booking and purchases like travel, app or another kind of purchases,

– Application Configs (‘Analytics ‘n’ Ads Information’ Group) – Different configuration files created by your app, perhaps app permissions. This data item related to mentioned group meant to be any info related to analytics services like Flurry, Google Analytics, etc. or advertisements

Items’ GROUP #2 with average value 4.50 points (7 points of system protection, 2 points of own protection) means data protection levels have following definitions. Frankly talking, data available if it’s allowed only and may require user action where system protection level means – root/jailbreak is required but not possible without wiping device data, and own protection level means – key found for encryption suite.

– Card Short Information (‘Financial Information’ Group) – Some info about card holder, card number full or short) and expiration. This data item related to mentioned group meant to be any info that describe payments capabilities

Keep in mind if you’re using some Android devices such Samsung, LG or another device with an unlocked or non-locked loader that allow rooting your device without user action, the system level equals 6 points instead of 7. It means your data can be stolen without involving your actions.

Transferred data (Data-in-Transit, DIT).

Transferred data groups include Device Information, Account Information, Credentials Information, Visa ‘n’ Passport Information, Analytics ‘n’ Ads Information, Travel Information, Booking ‘n’ Purchases Information, Personal ‘n’ Private Information, Location ‘n’ Maps Information, Payment ‘n’ Transaction Information.
The average DIT value is 5.00 points (6.00 points of system protection and 4.00 points of own protection). It is higher than a typical value (4 points, where’s 4 points of system protection and 4 points of own protection).

Items with average value 5.00 points (6 points of system protection, 4 points of own protection) means data protection levels have following definitions. Frankly talking, data is not available all the time or partially accessed where system protection level means – MITM prevented or fake certificate importing prevented, but plaintext non-protected traffic is intercepted, and own protection level means – bypassed by fake/stolen root certificates.

– Device Details (‘Device Information’ Group) – Includes basic device details plus hardware key and fingerprints as well as IMEI. This data item related to mentioned group meant to be details about your device,

– Environment (‘Device Information’ Group) – Different info about the environment of the device including apps lists, device info, OS name and versions, updates, a list of users, network details, etc. This data item related to mentioned group meant to be details about your device,

– Account Details (‘Account Information’ Group) – Full info about your account including account membership, expiration, profile, linked data and account, etc. This data item related to mentioned group meant to be any info related to profiles, basic credential IDs like email or username or phone number plus some more info depends on applications,

– Credentials (IDs) (‘Credentials Information’ Group) – Only account IDs like app or 3rd party user IDs including emails, phone number, usernames, etc. (depends on apps). This data item related to mentioned group meant to be any types of credentials including basic (IDs only), passwords, tokens, etc.,

– Credentials (Passwords) (‘Credentials Information’ Group) – Well-known passwords or PINs you’re using to get access to your account (usually it is worse than tokens because it gives full access to your account). This data item related to mentioned group meant to be any types of credentials including basic (IDs only), passwords, tokens, etc.,

– Passport Details (‘Visa ‘n’ Passport Information’ Group) – Full info including name, number expiration, address, gender, birthday, country, family, etc., except biometric data. This data item related to mentioned group meant to be all details are part of passport, visa or another ids,

– Credentials (Access IDs) (‘Analytics ‘n’ Ads Information’ Group) – Different tokens used to get access to your account, except for passwords but including app or 3rd party tokens, secret keys, etc. (usually don’t give full access to your account because based on permissions linked to these access tokens). This data item related to mentioned group meant to be any info related to analytics services like Flurry, Google Analytics, etc. or advertisements,

– Travel Details (‘Travel Information’ Group) – Full info about accommodation (hotel, address, contacts, room, date and time, facilities, media data), flights (routes, location, date and time, media data) or ground (routes, location, date and time, media data). This data item related to mentioned group meant to be any travel info like flight, accommodation, ground transportation, etc.,

– Orders & Reservation Details (‘Booking ‘n’ Purchases Information’ Group) – Full info about orders, reservations, like ID, date and time, amount of payment, flight routes, hotel or another order details, rules, linked data. This data item related to mentioned group meant to be any info related to your booking and purchases like travel, app or another kind of purchases,

– Orders & Reservation History (‘Booking ‘n’ Purchases Information’ Group) – Basic info about orders, reservations, like ID, date and time, amount of payment, and place (depends on apps). This data item related to mentioned group meant to be any info related to your booking and purchases like travel, app or another kind of purchases,

– Personalization (‘Personal ‘n’ Private Information’ Group) – Info describes user preferences, favorites, tracked data, search requests, suggestions, etc. This data item related to mentioned group meant to be any personal and private info is not grabbed from the 3rd party social networks or your IDs,

– Personalization (‘Location ‘n’ Maps Information’ Group) – Info describes user preferences, favorites, tracked data, search requests, suggestions, etc. This data item related to mentioned group meant to be any geodata from trackers, social networks, GPS, etc.,

– Card Full Information (‘Payment ‘n’ Transaction Information’ Group) – All details about card include short info, holder address, bank info and CVC, CVV, CVV2. This data item related to mentioned group meant to be details about transactions and payment data involved into transaction records,

– Birthday Details (‘Account Information’ Group) – Separately stored info about date or place of birthday (usually part of profile or grabbed from social networks). This data item related to mentioned group meant to be any info related to profiles, basic credential IDs like email or username or phone number plus some more info depends on applications,

– GEO Data (‘Location ‘n’ Maps Information’ Group) – Any GEO info stored as plain text referred to the places or tracked activity. This data item related to mentioned group meant to be any geodata from trackers, social networks, GPS, etc.,

– Address Data (‘Location ‘n’ Maps Information’ Group) – Home, work or another type of owner address stored by apps. This data item related to mentioned group meant to be any geodata from trackers, social networks, GPS, etc.,

– Passport Data (‘Account Information’ Group) – Some info including name, number, expiration. This data item related to mentioned group meant to be any info related to profiles, basic credential IDs like email or username or phone number plus some more info depends on applications

Keep in mind if you’re using out-of-date Android < 7.0, the system level equals 4 points instead of 6. It means your data can be stolen with a crafted preinstalled certificate on the device or if someone makes you install a certificate. Also, if you’re using out-of-date Android < 5.0, the system level equals 2 points instead of 4. It means your data can be stolen without involving your actions.

Privacy Policy

Full application privacy policy is available here

You may find privacy policy details proceeding the link above to compare developer’s vision on data protection with our results.
This privacy policy published in Russian, so we put below Google-Translated edition.
Legal

Privacy Policy

This privacy policy of personal information applies to all information about the user, which is LLC “Bukbilet” and / or its affiliates, including all persons belonging to the same group with “Bukbilet” (hereinafter – the “personal data operator” or “Operator” ) can get while using http://www.anywayanyday.com site (hereinafter – the “site”) or mobile applications Anywayanyday (hereinafter – the “mobile application”)
Activating a user under “Privacy Policy” website and mobile applications (hereinafter – the “Agreement”) by affixing a special sign – “tick” on the checkout page is seen clearly as the acceptance of the proposed Agreement him, that is, the final agreement with all the terms of the proposed Agreement. In case of disagreement with the terms of the Agreement the user should refrain from using the Site and / or mobile applications
In the framework of this Agreement, “user personal data” means:
Any personal information that the user provides of themselves when logging in and / or in the process of booking and / or other services on the Site, or with the help of mobile applications, including, but not limited to, the following information: name, surname, patronymic, date birth, sex, citizenship, series, passport number, address of residence or registration, home or mobile phone, email address, etc., and the operator is entitled, but not obliged to verify the authenticity of the personal information provided by users, and does not control over their capacity. For providing false information the user is responsible themselves. Required to provide services information is highlighted in a special way. Other information provided by the user at his discretion
the data is automatically transmitted to the Site or mobile application in the course of their use with the help of the machine’s user software, including IP-address information from, the cookies have, on the user’s browser information (a program that allows you access to the site) , access, etc.;
other information about the user, the collection and / or distribution of which is defined in the regulations governing the provision of certain services via the Website or Mobile Application
The conclusion of this Agreement, the user, as well as persons in whose interests the user enters into this Agreement, express their written consent to the processing of the Operator and (or) services providers, provided via the Site or mobile applications, personal data for the following purposes:
implementation of this Agreement (including, depending on the services rendered, travel documents, booking rooms in accommodation facilities, data transmission to the consulate of a foreign country, airlines, airports and customs services, etc.);
communication with the user (including emergency) by means of notifications, requests and information concerning the use of the Website or Mobile Application, rendering provided by the Site or mobile application services, as well as processing requests and requests from users, sending email messages, as well as through sms and mms to confirm (or cancel) reservations, notification of a change in the flight schedule, changing the airport of departure / arrival, flight cancellation, changes to any other flight parameters, as well as any other events related to the provision of services within the framework of the use of the Site or mobile application;
improving the quality of the Site and / or mobile applications, ease of use, the development of new services;
sending messages advertising and informational e-mail, as well as through sms and mms, targeting advertising materials;
conducting statistical and other studies based on anonymous data;
User’s personal data includes any action (operation) or a set of actions (operations) performed with the use of automation equipment or without the use of such means with personal data, including collection, recording, systematization, accumulation, storage, clarification (update, change) , extraction, use, transfer (distribution, provision of access), including cross-border transfer, depersonalization, blocking, deletion, destruction of personal data
This consent is valid for an indefinite period. Action agreement is terminated on the basis of a written application, which shall be signed by the user and is handed or sent by registered letter with acknowledgment of receipt of “Bukbilet” at its location
With regard to users’ personal data confidentiality is maintained. The operator is entitled to transfer user’s personal data to third parties in the following cases:
Users have expressed their consent to such actions;
the transfer is necessary as part of the user to use the Website or Mobile Application or for the provision of services provided by them;
transmission is provided by the legislation of the Russian Federation in the procedure established by the legislation;
transfer of part of the sale or other transfer of the business (in whole or in part), and the acquirer to assume all the obligations to comply with this Agreement, in relation to personal data received by it users;
in order to ensure protection of the rights and legitimate interests of the possibility of the operator or third parties in cases where the user violates this Agreement
To protect users’ personal data against unauthorized or accidental access, destruction, modification, blocking, copying, distribution, and other illegal actions of third parties to them apply the necessary and sufficient organizational and technical measures. The user is informed that his IP-address during the use of the Website or Mobile Application automatically registered
In order to accelerate the execution of services, and for other purposes contemplated by this Agreement, accounting strings will be used (cookies), identifying each user as quickly as possible to improve speed and provide user services, as well as for the analysis of data contained in the accounting lines (cookies)
The operator does not control and is not responsible for third-party websites to which the user can go to the links available on the website or mobile application
This Agreement may be changed without prior notice or consent of the user. The new version of the Agreement shall enter into force upon its placement, unless otherwise provided by the new version of the Agreement
This Agreement and the relationship between users and operators, arising from its use are regulated by the legislation of Russian Federation