Privacy audit: PayByPhone
Here is a light privacy audit of the PayByPhone application.
PayByPhone is wholly-owned by Volkswagen Financial Services, part of the largest auto manufacturer in the world, with brands that include VW, Audi, Porsche, Bentley, Lamborghini and Ducati.
APK details:
- Version name: 2.7.0.7180
- Version code: 270718019
- Sha256sum: 6b55cde4e97ca3e15dc49fb7b901803bfecf2804c793df656d66488d9a6222f4
- εxodus report
The static analysis issued by εxodus reports the following trackers:
- AppsFlyer
- Areametrics
- Braze
- Google Ads
- Google Analytics
- Google CrashLytics
- Google DoubleClick
- Google Firebase
- HockeyApp
Network analysis showed that the Inrix tracker is missing from this list.
Manual audit
Note: Running this application on an Android 6.0 x86 virtual machine did not allow me to use the application completely, because it stays stuck on the sign-in screen, which is blank.
After dumping the entire network traffic, I list below all the data collected and sent.
TL;DR
This application sends:
- battery level
- device brand
- carrier name
- country
- device architecture
- device display details
- OS ABI
- list of sensors
- device fingerprint (computed)
- language
- device model
- SDK version
- AAID
- user activity in the application
- latitude
- longitude
to servers outside of the EU.
Register on Google C2DM
Send AppsFlyer event
Leaking:
- battery level
- device brand
- carrier name
- country
- device architecture
- device display details
- ABI
- list of sensors
- device fingerprint (computed)
- language
- device model
- SDK version
- AAID
{
"advertiserId": "0ea76bd4-[edited]-9c0f-c6f6b3cf8e66",
"advertiserIdEnabled": "true",
"af_events_api": "1",
"af_preinstalled": "false",
"af_sdks": "0000000000",
"af_timestamp": "1515092290839",
"af_v": "9f7ed7faf25fade[edited]e37873ca2cd9d3",
"af_v2": "e33e800472a3[edited]e19029dfa5e7c49",
"android_id": "d7YcbGE48u8",
"app_version_code": "270718019",
"app_version_name": "2.7.0.7180",
"appsflyerKey": "cpWNw[edited]kKPqCY",
"batteryLevel": "99.0",
"brand": "Android-x86",
"carrier": "",
"counter": "1",
"country": "US",
"customData": "{\"customData\":\"241cc80f-3d3d-4e97-a90b-302ddeed0746\"}",
"date1": "2018-01-04_185801+0000",
"date2": "2018-01-04_185801+0000",
"device": "x86",
"deviceData": {
"arch": "",
"btch": "no",
"btl": "99.0",
"build_display_id": "android_x86-userdebug 6.0.1 MOB31T eng.cwhuang.20170424.005528 test-keys",
"cpu_abi": "x86",
"cpu_abi2": "",
"sensors": [
{
"sN": "Kbd Orientation Sensor",
"sT": 1,
"sV": "Android-x86 Open Source Project"
}
]
},
"deviceFingerPrintId": "ffffffff-bf3b-3817-ffff-ffffef05ac4a",
"deviceType": "userdebug",
"firstLaunchDate": "2018-01-04_185813+0000",
"iaecounter": "0",
"installDate": "2018-01-04_185801+0000",
"isFirstCall": "true",
"isGaidWithGps": "true",
"lang": "English",
"lang_code": "en",
"model": "VirtualBox",
"network": "unknown",
"operator": "",
"platformextension": "android_native",
"product": "android_x86",
"registeredUninstall": false,
"sdk": "23",
"timepassedsincelastlaunch": "-1",
"uid": "1515092[edited]2037792371"
}
Send event to Google Analytics
Leaking:
- user activity in the application
Send AppsFlyer stats
Leaking:
- AAID (Android Ad ID)
- device fingerprint (computed)
Send AppMeasurement info
Leaking:
- user activity in the application
Get some data from Inrix
Leaking:
- latitude
- longitude
Send some data to Inrix
Leaking:
- AAID
- latitude
- longitude
- network connection type
- device information
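The Leaking lists above show the same persistent identifiers (the AAID, the computed fingerprint) going to more than one third party, which is what lets trackers correlate a user across services. The script below is an added example, not part of this audit: given a set of captured request bodies keyed by endpoint (constructed placeholders here, modelled on the AppsFlyer JSON event and on opaque payloads like the AppMeasurement one), it lists every identifier-like value that was sent to two or more endpoints, searching non-JSON bodies as raw text so values buried in a binary dump are still found.

```python
import json

# Constructed sample captures modelled on the audit's dumps (a JSON AppsFlyer
# event, a text rendering of the AppMeasurement payload, an Inrix query).
# Identifier values are placeholders, not the audit's own.
CAPTURES = {
    "appsflyer": json.dumps({
        "advertiserId": "0ea76bd4-0000-4000-8000-c6f6b3cf8e66",
        "android_id": "d7YcbGE48u8",
        "deviceFingerPrintId": "ffffffff-bf3b-3817-ffff-ffffef05ac4a",
        "deviceData": {"btl": "99.0", "cpu_abi": "x86"},
        "lang": "English",
    }),
    "app-measurement": "\\x9a\\x01$0ea76bd4-0000-4000-8000-c6f6b3cf8e66"
                       "\\xf2\\x01\\x0bd7YcbGE48u8 android 6.0.1",
    "inrix": "lat=48.8566&lon=2.3522&aaid=0ea76bd4-0000-4000-8000-c6f6b3cf8e66",
}


def leaf_strings(obj, path=""):
    """Yield (field path, value) for every string leaf of a parsed JSON body."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from leaf_strings(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from leaf_strings(val, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def shared_identifiers(captures, min_len=8):
    """Return {value: {endpoint: [field paths]}} for values sent to >= 2 endpoints.
    Candidates are the string leaves of JSON bodies (min_len skips flags like
    "99.0"); every body, JSON or opaque, is then searched as raw text, so a
    value recurring inside a binary dump is still caught.
    """
    seen = {}
    for endpoint, body in captures.items():
        try:
            parsed = json.loads(body)
        except ValueError:
            continue  # not JSON; only searched as raw text below
        for path, value in leaf_strings(parsed):
            if len(value) >= min_len:
                seen.setdefault(value, {}).setdefault(endpoint, []).append(path)
    for value, where in seen.items():
        for endpoint, body in captures.items():
            if endpoint not in where and value in body:
                where[endpoint] = ["<raw body>"]
    return {v: w for v, w in seen.items() if len(w) >= 2}
```

Run against the sample, it reports the placeholder AAID reaching all three endpoints and the android_id reaching two, while the fingerprint, sent to AppsFlyer only, is not listed.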