Alto – Email Organized for You 3.0.3 (iOS / App Store)


This application is available for iOS. The app is designed to rethink how email is done, rearrange email into useful cards, and provide real-time updates for travel & shopping. The latest build was released on Jun 23, 2017. Our latest check was performed on May Oct 7th, 2016.

Findings Summary

Our examination revealed 37 items in total: 18 DAR items and 19 DIT items. Among the DAR items there were 0 worst items, 10 bad items, 8 good items, and 0 best items. Among the DIT items there were 0 worst items, 17 bad items, 0 good items, and 1 best item.

Below you will find 3 infographics summarizing what we described above. Each image provides information about both DAR and DIT items.



Everything presented below is related to well-known CWEs, such as Sensitive data leakage [CWE-200], Unsafe sensitive data storage [CWE-312], Unsafe sensitive data transmission [CWE-319]. You can read more about it here.

Now let’s go deeper and examine each data item’s protection level.

 

Application Description

Let’s cite the description of this application below:

Control. It’s not just for Janet Jackson anymore.
Alto hands you back the reins to your inbox. Want to see all your file attachments, flight schedules or photos organized and in one place? No problem, Alto does it automatically for you. Want real-time alerts about package deliveries or flight changes? Rest easy. Alto’s got you covered.
Download Alto for free and say goodbye to digging through tons of email for that one message. No more losing track of order confirmations or flight updates. No more excuses for being late when you can call for a Lyft ride or Uber from right inside the app!
All Your Email Accounts, Together at Last
Alto keeps all your email accounts in one place—Gmail, Outlook, Yahoo!, iCloud, Hotmail, AOL Mail and even your corporate accounts. We support Microsoft Exchange and any account that uses IMAP.
Real-time Travel and Shopping Alerts
Whether you have a last-minute gate change or an important delivery gets delayed, Alto brings you alerts in a simple, easy-to-use format. View your latest orders and track your packages with the tap of a finger.
Dashboard’s Got You Covered
Alto’s Dashboard gives you a view of the most relevant and timely information in your inbox. Get helpful Cards for events, flight updates, order confirmations, shipments, hotel reservations and more. Find rental car locations and directions to the hotel, or book dinner reservations and a Lyft ride all without opening a single email!
One Calendar to Rule them All
Say adios to your other Calendar apps! We’ve expanded Alto’s Dashboard to include a Calendar that pulls all your meetings and appointments into one, easy-to-use view. Accept invites from your inbox or Dashboard, create and manage events from your work and personal calendars all from within Alto.
Your Emails, Organized
Alto automatically sorts and categorizes your email into Stacks, giving you one-click access to Unread, Starred or Snoozed messages, as well as Photos, File Attachments, Shopping, Travel, Finance, Social and more. You can even create custom stacks for people like your boss, parent or significant other.
Connect with Alexa and Slack
We love making new friends like Alexa and Slack, two of our tech favorites. We now have seamless integration with both of them. Ask Alexa (the Amazon Echo voice assistant) when your flight departs or your package arrives and Alto finds the answer for you. When you’re on Slack, you can access almost anything attached to your emails — photos, files, and more — and add it to your conversation without ever leaving Slack. All without opening a single email!
Make Your Life a Little Easier
By customizing message swipe actions like – archiving, snoozing, deleting, and more – you can get a handle on that backlog of email in no time at all.
Your Security Matters
Alto’s IMAP connection uses Secure Sockets Layer encryption (SSL) and performs authentication over a secure channel. Passwords are heavily encrypted. In other words, we help secure all your emails accessed through Alto.
Many More Features

  • Supports Gmail, Yahoo, Outlook.com, iCloud, AOL, Office365, Exchange and any other IMAP accounts
  • Supports English (US and UK), Spanish, French, German, Russian, Portuguese, Chinese (Traditional & Simplified), Japanese and Korean
  • Full calendar support
  • Full cloud syncing across multiple devices
  • Push Mail (if supported by provider)
  • Unified Inbox
  • Today Screen Widget
  • Tablet support (including iPad Pro keyboard shortcuts)
  • 3D Touch support
  • Rich Text composing
  • Snooze
  • Unsubscribe from unwanted emails
  • User created and fully customizable stacks
  • Access to contacts (device & supported accounts)
  • Attach any pictures or file from device or stacks
  • Share mail and stack content with any app on the device
  • TouchID protection
  • Cloud Storage access

 

Protection levels.

Locally stored data (Data-at-Rest, DAR).

Locally stored data groups include Application Information, Device Information, Credentials Information, Address Book ‘n’ Contact Information, Message Information, Media Information, Analytics ‘n’ Ads Information.
The average DAR value is 4.83 points (7.00 points of system protection and 2.67 points of own protection). It is higher than the typical value (3.5 points, with 7 points of system protection and 0 points of own protection).

Items in GROUP #1 have an average value of 3.50 points (7 points of system protection, 0 points of own protection). Frankly speaking, this is extra data found that shouldn’t be accessible. The system protection level means root/jailbreak is required but is not possible without wiping device data; the own protection level means the data is stored as is.

– Application Configs (‘Application Information’ Group) – Different configuration files created by your app, perhaps app permissions. This group covers any info related to the app and app settings, including installed apps or installers.

– Device Data (‘Device Information’ Group) – Device ID, Device Name, Device OS Name and Version, and jailbroken/root status. This group covers details about your device.

– Locale ‘n’ TimeZone (‘Device Information’ Group) – Details about your locale, languages, time zone, country and so on. This group covers details about your device.

– Credentials (IDs) (‘Credentials Information’ Group) – Only account IDs like app or 3rd party user IDs including emails, phone number, usernames, etc. (depends on apps). This group covers any types of credentials including basic (IDs only), passwords, tokens, etc.

– Contact Short Profile (‘Address Book ‘n’ Contact Information’ Group) – Name, Email ID, Phone number of contacts. This group covers info that is locally stored, cached or transferred over the network and belongs to this application, even if it is social.

– Local ‘n’ Network Paths (‘Message Information’ Group) – Paths of local or network directories, folders, files. This group covers all messages, including SMS, MMS, social and IM messages with or without attachments.

– Contact Short Profile (‘Message Information’ Group) – Name, Email ID, Phone number of contacts. This group covers all messages, including SMS, MMS, social and IM messages with or without attachments.

– Message Preview (‘Message Information’ Group) – Preview of different types of messages, conversations, except for SMS, MMS but including recipient and sender IDs and attachments. This group covers all messages, including SMS, MMS, social and IM messages with or without attachments.

– Messages (‘Message Information’ Group) – Different types of messages, conversations, except for SMS, MMS but including recipient and sender IDs and attachments. This group covers all messages, including SMS, MMS, social and IM messages with or without attachments.

– Document Details (‘Message Information’ Group) – Common info about documents synchronized or stored locally (properties like size, date and time, etc.). This group covers all messages, including SMS, MMS, social and IM messages with or without attachments.

Items in GROUP #2 have an average value of 6.50 points (7 points of system protection, 6 points of own protection). Frankly speaking, protection and privacy issues are still possible but might involve interaction with the app code. The system protection level means root/jailbreak is required but is not possible without wiping device data; the own protection level means the data is not available in backups.

– Screen Snapshots (‘Media Information’ Group) – Screenshots of your device screen running certain apps; common as an iOS app multitasking feature (app swipes) or browser tab swipes. This group covers any data like photo, image, video, audio.

– Environment (‘Device Information’ Group) – Different info about the environment of the device including apps lists, device info, OS name and versions, updates, a list of users, network details, etc. This group covers details about your device.

– Analytics Configs (‘Analytics ‘n’ Ads Information’ Group) – Different configuration files created by your app, perhaps app permissions, related to analytics group data. This group covers any info related to analytics services like Flurry, Google Analytics, etc. or advertisements.

– Application Events (‘Analytics ‘n’ Ads Information’ Group) – App events referring to user actions ‘n’ activities that were performed. This group covers any info related to analytics services like Flurry, Google Analytics, etc. or advertisements.

– Environment (‘Analytics ‘n’ Ads Information’ Group) – Different info about the environment of the device including apps lists, device info, OS name and versions, updates, a list of users, network details, etc. This group covers any info related to analytics services like Flurry, Google Analytics, etc. or advertisements.

– Log Data (‘Analytics ‘n’ Ads Information’ Group) – Any logged data, as a solid file or multipart files. This group covers any info related to analytics services like Flurry, Google Analytics, etc. or advertisements.

– Credentials (Tokens) (‘Credentials Information’ Group) – Different tokens used to get access to your account, except for passwords but including app or 3rd party tokens, secret keys, etc. (usually give full access to your account). This group covers any types of credentials including basic (IDs only), passwords, tokens, etc.

– Attachments (‘Message Information’ Group) – Either raw or encoded attachment files. This group covers all messages, including SMS, MMS, social and IM messages with or without attachments.

Also keep in mind that on a jailbroken device the system protection level is 0 points, and if you’re using an out-of-date iOS < 8.3 the system protection level is 2 points. If some data is marked as shareable via iTunes, the system protection level is 4 points.

Transferred data (Data-in-Transit, DIT).

Transferred data groups include Analytics ‘n’ Ads Information, Credentials Information, Account Information, Message Information, Address Book ‘n’ Contact Information, Application Information, Personal ‘n’ Private Information.
The average DIT value is 4.50 points (5.00 points of system protection and 4.00 points of own protection). It is higher than the typical value (4 points, with 4 points of system protection and 4 points of own protection).

The items have an average value of 4.50 points (5 points of system protection, 4 points of own protection). Frankly speaking, the data is available only if access is allowed and may require user action. The system protection level means some techniques are available to developers to keep the connection bypassing system settings, like proxy settings, etc.; the own protection level means the protection is bypassed by fake/stolen root certificates.

– Device Data (‘Analytics ‘n’ Ads Information’ Group) – Device ID, Device Name, Device OS Name and Version, and jailbroken/root status. This group covers any info related to analytics services like Flurry, Google Analytics, etc. or advertisements.

– Locale ‘n’ TimeZone (‘Analytics ‘n’ Ads Information’ Group) – Details about your locale, languages, time zone, country and so on. This group covers any info related to analytics services like Flurry, Google Analytics, etc. or advertisements.

– Environment (‘Analytics ‘n’ Ads Information’ Group) – Different info about the environment of the device including apps lists, device info, OS name and versions, updates, a list of users, network details, etc. This group covers any info related to analytics services like Flurry, Google Analytics, etc. or advertisements.

– Credentials (IDs) (‘Credentials Information’ Group) – Only account IDs like app or 3rd party user IDs including emails, phone number, usernames, etc. (depends on apps). This group covers any types of credentials including basic (IDs only), passwords, tokens, etc.

– Credentials (Passwords) (‘Credentials Information’ Group) – Well-known passwords or PINs you’re using to get access to your account (usually it is worse than tokens because it gives full access to your account). This group covers any types of credentials including basic (IDs only), passwords, tokens, etc.

– Credentials (Tokens) (‘Credentials Information’ Group) – Different tokens used to get access to your account, except for passwords but including app or 3rd party tokens, secret keys, etc. (usually give full access to your account). This group covers any types of credentials including basic (IDs only), passwords, tokens, etc.

– Account Data (‘Account Information’ Group) – Basic info about the account like name, a list of sub-accounts (e.g. financial or other) and some linked data like a phone number. This group covers any info related to profiles, basic credential IDs like email or username or phone number, plus some more info depending on the application.

– Messages (‘Message Information’ Group) – Different types of messages, conversations, except for SMS, MMS but including recipient and sender IDs and attachments. This group covers all messages, including SMS, MMS, social and IM messages with or without attachments.

– Contact Short Profile (‘Message Information’ Group) – Name, Email ID, Phone number of contacts. This group covers all messages, including SMS, MMS, social and IM messages with or without attachments.

– Contact Profile (‘Address Book ‘n’ Contact Information’ Group) – Full info about contacts including name, email ID, phone numbers, gender, linked accounts, geodata, stream and social activity. This group covers info that is locally stored, cached or transferred over the network and belongs to this application, even if it is social.

– Environment (‘Message Information’ Group) – Different info about the environment of the device including apps lists, device info, OS name and versions, updates, a list of users, network details, etc. This group covers all messages, including SMS, MMS, social and IM messages with or without attachments.

– Preview (‘Message Information’ Group) – Some pieces of info downloaded locally or shown on the display only, like a preview of emails, social posts, documents, thumbnails, etc. This group covers all messages, including SMS, MMS, social and IM messages with or without attachments.

– Media Data (‘Message Information’ Group) – Any info like images, audios, videos, media notes, etc. This group covers all messages, including SMS, MMS, social and IM messages with or without attachments.

– Application Configs (‘Application Information’ Group) – Different configuration files created by your app, perhaps app permissions. This group covers any info related to the app and app settings, including installed apps or installers.

– Tracked Data ‘n’ Favorites (‘Message Information’ Group) – Any favorites data or tracked data marked as desirable by users and for users (meaning the user is on FB messenger, Viber, bank client or favourite hotel, room type, flight route, airline). This group covers all messages, including SMS, MMS, social and IM messages with or without attachments.

– Message Preview (‘Personal ‘n’ Private Information’ Group) – Preview of different types of messages, conversations, except for SMS, MMS but including recipient and sender IDs and attachments. This group covers any personal and private info that is not grabbed from 3rd party social networks or your IDs.

– Contact Short Profile (‘Personal ‘n’ Private Information’ Group) – Name, Email ID, Phone number of contacts. This group covers any personal and private info that is not grabbed from 3rd party social networks or your IDs.

– Attachments (‘Message Information’ Group) – Either raw or encoded attachment files. This group covers all messages, including SMS, MMS, social and IM messages with or without attachments.

Keep in mind that if you’re using an out-of-date iOS < 9.0, the system level equals 2 points instead of 4. It means your data can be stolen without involving your actions.

Privacy Policy

The full application privacy policy is available here.

Follow the link above for the privacy policy details, to compare the developer’s view of data protection with our results.