Todoist: To-Do List, Task List 12.1.1 (Android / Google Play)


This application is available for Android. This app is designed to be a simple to-do list app where each task is bound to a calendar event or activity. The latest build was released on May 30, 2017. Our latest check was performed on Apr 14th, 2017.

Findings Summary

Our examination revealed a total of 25 items: 13 DAR items and 12 DIT items. Among the DAR items there were 0 worst items, 11 bad items, 0 good items, and 1 best item. Among the DIT items there were 0 worst items, 0 bad items, 12 good items, and 0 best items.

Below you will find 3 infographics summarizing what we described above. Each image provides information about both DAR and DIT items.

 



Everything presented below is related to well-known CWEs, such as Sensitive data leakage [CWE-200], Unsafe sensitive data storage [CWE-312], Unsafe sensitive data transmission [CWE-319]. You can read more about it here.

Now let’s go deeper and examine each data item’s protection level.

 

Application Description

Let’s cite the description of this application below:

Our users have big goals. They rely on their to-do list to keep up.

Join millions of people around the world who are accomplishing amazing things with Todoist – the beautifully simple to-do list and task manager built for the pace of modern life. Whether you need to collaborate with your team, keep track of your most important projects, or just remember to pay the rent, Todoist is there to help you achieve more, every day.

Praised as a life-changing app by The Guardian, USA Today, the New York Times, The Wall Street Journal, Forbes, Lifehacker and more, Todoist works seamlessly across 10+ different platforms in 20 languages so you can stay motivated and productive no matter where you are.

Manage your tasks from anywhere – even offline
Add, complete, and re-schedule tasks from your phone, tablet, desktop, browser, email, smartwatch and more – even offline! Enjoy an automatic, 24/7 sync across all your devices.

Plan ahead and never miss another deadline
Keep track of your important deadlines with natural language due dates, start/end dates, and recurring due dates. View and organize your to-dos for the day or week ahead.

Easy yet powerful organization
Take your to-do listing to the next level with sub-tasks, sub-projects, color-coded projects, and priority levels.

Seamless collaboration
Share projects, assign tasks, and add comments all within the app. Get instant notifications whenever your collaborators make a change.

Visualize your productivity
Use Todoist Karma to set weekly/monthly goals, accumulate points, and track your progress with beautiful graphs color-coded by project.

Use Todoist with all your favorite apps
Make your to-do list even more powerful with integrations for Google Drive, Newton by Cloud Magic, Toggl, IFTTT, and Zapier (just to name a few).

Built for Android
Take advantage of Android’s most innovative features with Todoist’s convenient widgets, actionable notifications, Google Now and DashClock integrations, inter-app sharing, and more. Add tasks, receive notifications, and view lists sent from the app right on your wrist with Todoist for Android Wear.

Boost your productivity with Premium

  • Set up and receive push notifications, email or SMS reminders based on your physical location or a specific due date and time.
  • Get even more organized using task notes, enhanced labels, and powerful filters.
  • Upload files, sound recordings and photos to your tasks from your computer, Dropbox, or Google Drive.
  • Add tasks by forwarding an email and access your to-do lists on your iCalendar.
  • Track and improve your productivity with extended Todoist Karma features.
  • Set reminders on your Android Wear smartwatch using voice commands.
  • Choose from 10 colorful themes to fit any mood and personality.
  • And much, much more!

 

❝This is one of the most complete task management platforms available and they hit that sweet spot of being good for both personal and business use.❞ — Android Authority
Please contact us directly if you need any kind of support: https://support.todoist.com

Have a look at how we use the permissions requested by the app: https://todoist.com/android_permissions.txt

We hope you love our app as much as our community and our team do! Download it today and let us know what you think.

 

Protection levels.

Locally stored data (Data-at-Rest, DAR).

Locally stored data groups include Analytics ‘n’ Ads Information, Events Information, Account Information.
The average DAR value is 3.50 points (7.00 points of system protection and 0.00 points of own protection). This equals the typical value (3.5 points: 7 points of system protection and 0 points of own protection).

Items with an average value of 3.50 points (7 points of system protection, 0 points of own protection) have the following protection-level definitions. Frankly speaking, extra data was found that should not be accessible. The system protection level means that root/jailbreak is required but is not possible without wiping device data; the own protection level means that the data is stored as is.

– Device Data (‘Analytics ‘n’ Ads Information’ group): device ID, device name, device OS name and version, and jailbroken/root status. This group covers any info related to analytics services like Flurry, Google Analytics, etc., or advertisements.

– Analytics Configs (‘Analytics ‘n’ Ads Information’ group): different configuration files created by the app, perhaps app permissions related to analytics group data. This group covers any info related to analytics services like Flurry, Google Analytics, etc., or advertisements.

– Notes (‘Events Information’ group): different notes stored locally or synced with the server, including all note/task details. This group covers any events together with details about the event.

– GEO Data (‘Events Information’ group): any GEO info stored as plain text that refers to places or tracked activity. This group covers any events together with details about the event.

– Address Data (‘Events Information’ group): home, work or another type of owner address stored by apps. This group covers any events together with details about the event.

– Calendar Events (‘Events Information’ group): some info about calendar events, like date and time and calendar body. This group covers any events together with details about the event.

– Account Data (‘Events Information’ group): basic info about the account, like name, a list of sub-accounts (e.g. financial or other) and some linked data like a phone number. This group covers any events together with details about the event.

– Credentials (IDs) (‘Account Information’ group): only account IDs, like app or 3rd-party user IDs, including emails, phone numbers, usernames, etc. (depends on the app). This group covers any info related to profiles: basic credential IDs like email, username or phone number, plus some more info depending on the application.

– Account Data (‘Account Information’ group): basic info about the account, like name, a list of sub-accounts (e.g. financial or other) and some linked data like a phone number. This group covers any info related to profiles: basic credential IDs like email, username or phone number, plus some more info depending on the application.

– Media URLs (‘Account Information’ group): URLs related to media info, such as streamed media or the profile’s media, etc. This group covers any info related to profiles: basic credential IDs like email, username or phone number, plus some more info depending on the application.

– Log Data (‘Analytics ‘n’ Ads Information’ group): any logged data, as a single file or multipart files. This group covers any info related to analytics services like Flurry, Google Analytics, etc., or advertisements.

– Application Events (‘Analytics ‘n’ Ads Information’ group): app events that refer to user actions and activities performed. This group covers any info related to analytics services like Flurry, Google Analytics, etc., or advertisements.

Keep in mind that if you are using certain Android devices, such as Samsung, LG or another device with an unlocked or non-locked loader that allows rooting the device without user action, the system level equals 6 points instead of 7. This means your data can be stolen without any action on your part.

Transferred data (Data-in-Transit, DIT).

Transferred data groups include Credentials Information, Account Information, Events Information, Tasks Information, Personal ‘n’ Private Information.
The average DIT value is 5.00 points (6.00 points of system protection and 4.00 points of own protection). This is higher than the typical value (4 points: 4 points of system protection and 4 points of own protection).

Items with an average value of 5.00 points (6 points of system protection, 4 points of own protection) have the following protection-level definitions. Frankly speaking, the data is not available all the time or is only partially accessible. The system protection level means that MITM is prevented or importing a fake certificate is prevented, but plaintext, unprotected traffic is intercepted; the own protection level means that protection is bypassed by fake/stolen root certificates.

– Device Data (‘Credentials Information’ group): device ID, device name, device OS name and version, and jailbroken/root status. This group covers any types of credentials, including basic (IDs only), passwords, tokens, etc.

– Credentials (IDs) (‘Credentials Information’ group): only account IDs, like app or 3rd-party user IDs, including emails, phone numbers, usernames, etc. (depends on the app). This group covers any types of credentials, including basic (IDs only), passwords, tokens, etc.

– Credentials (Passwords) (‘Credentials Information’ group): well-known passwords or PINs you use to access your account (usually worse than tokens, because they give full access to your account). This group covers any types of credentials, including basic (IDs only), passwords, tokens, etc.

– Credentials (Tokens) (‘Credentials Information’ group): different tokens used to access your account, other than passwords but including app or 3rd-party tokens, secret keys, etc. (these usually give full access to your account). This group covers any types of credentials, including basic (IDs only), passwords, tokens, etc.

– Locale ‘n’ TimeZone (‘Credentials Information’ group): details about your locale, languages, time zone, country and so on. This group covers any types of credentials, including basic (IDs only), passwords, tokens, etc.

– Account Data (‘Account Information’ group): basic info about the account, like name, a list of sub-accounts (e.g. financial or other) and some linked data like a phone number. This group covers any info related to profiles: basic credential IDs like email, username or phone number, plus some more info depending on the application.

– Media Data (‘Account Information’ group): any info like images, audio, videos, media notes, etc. This group covers any info related to profiles: basic credential IDs like email, username or phone number, plus some more info depending on the application.

– Tasks (‘Events Information’ group): different tasks stored locally or synced with the server, including all note/task details. This group covers any events together with details about the event.

– Calendar Events (‘Tasks Information’ group): some info about calendar events, like date and time and calendar body. This group covers any information related to tasks, as in a typical task manager.

– Messages (‘Tasks Information’ group): different types of messages and conversations, except for SMS and MMS, but including recipient and sender IDs and attachments. This group covers any information related to tasks, as in a typical task manager.

– Tracked Data ‘n’ Favorites (‘Tasks Information’ group): any favorites or tracked data marked as desirable by users and for users (meaning, the user is on FB Messenger, Viber, a bank client, or a favourite hotel, room type, flight route, airline). This group covers any information related to tasks, as in a typical task manager.

– Personalization (‘Personal ‘n’ Private Information’ group): info that describes user preferences, favorites, tracked data, search requests, suggestions, etc. This group covers any personal and private info that is not taken from 3rd-party social networks or your IDs.

Keep in mind that if you are using an out-of-date Android version (< 7.0), the system level equals 4 points instead of 6. This means your data can be stolen with a crafted preinstalled certificate on the device, or if someone makes you install a certificate. Also, if you are using an out-of-date Android version (< 5.0), the system level equals 2 points instead of 4. This means your data can be stolen without any action on your part.

Privacy Policy

The full application privacy policy is available here.

You can find the privacy policy details by following the link above and compare the developer’s view of data protection with our results.