Here is a light privacy audit of the PayByPhone application.

PayByPhone is wholly owned by Volkswagen Financial Services, part of the largest auto manufacturer in the world, with brands that include VW, Audi, Porsche, Bentley, Lamborghini and Ducati.

APK details:

  • Version name 2.7.0.7180
  • Version code 270718019
  • Sha256sum 6b55cde4e97ca3e15dc49fb7b901803bfecf2804c793df656d66488d9a6222f4
  • εxodus report

The static analysis performed by εxodus reports the following trackers:

  • AppsFlyer
  • Areametrics
  • Braze
  • Google Ads
  • Google Analytics
  • Google CrashLytics
  • Google DoubleClick
  • Google Firebase
  • HockeyApp

Network analysis showed that one tracker is missing from this list: Inrix.

Manual audit

Note: Running this application on an Android 6.0 x86 virtual machine does not allow me to use the application completely, because it stays stuck on a blank Sign in screen.

After dumping the entire network traffic, I list below all the data that is collected and sent.

TL;DR

This application sends:

  • battery level
  • device brand
  • carrier name
  • country
  • device architecture
  • device display details
  • OS ABI
  • list of sensors
  • device fingerprint (computed)
  • language
  • device model
  • SDK version
  • AAID
  • user activity in the application
  • latitude
  • longitude

to servers outside of the EU.

Register on Google C2DM

register_c2dm

Send AppsFlyer event

Leaking:

  • battery level
  • device brand
  • carrier name
  • country
  • device architecture
  • device display details
  • ABI
  • list of sensors
  • device fingerprint (computed)
  • language
  • device model
  • SDK version
  • AAID

appsflyer_event

{
    "advertiserId": "0ea76bd4-[edited]-9c0f-c6f6b3cf8e66",
    "advertiserIdEnabled": "true",
    "af_events_api": "1",
    "af_preinstalled": "false",
    "af_sdks": "0000000000",
    "af_timestamp": "1515092290839",
    "af_v": "9f7ed7faf25fade[edited]e37873ca2cd9d3",
    "af_v2": "e33e800472a3[edited]e19029dfa5e7c49",
    "android_id": "d7YcbGE48u8",
    "app_version_code": "270718019",
    "app_version_name": "2.7.0.7180",
    "appsflyerKey": "cpWNw[edited]kKPqCY",
    "batteryLevel": "99.0",
    "brand": "Android-x86",
    "carrier": "",
    "counter": "1",
    "country": "US",
    "customData": "{\"customData\":\"241cc80f-3d3d-4e97-a90b-302ddeed0746\"}",
    "date1": "2018-01-04_185801+0000",
    "date2": "2018-01-04_185801+0000",
    "device": "x86",
    "deviceData": {
        "arch": "",
        "btch": "no",
        "btl": "99.0",
        "build_display_id": "android_x86-userdebug 6.0.1 MOB31T eng.cwhuang.20170424.005528 test-keys",
        "cpu_abi": "x86",
        "cpu_abi2": "",
        "sensors": [
            {
                "sN": "Kbd Orientation Sensor",
                "sT": 1,
                "sV": "Android-x86 Open Source Project"
            }
        ]
    },
    "deviceFingerPrintId": "ffffffff-bf3b-3817-ffff-ffffef05ac4a",
    "deviceType": "userdebug",
    "firstLaunchDate": "2018-01-04_185813+0000",
    "iaecounter": "0",
    "installDate": "2018-01-04_185801+0000",
    "isFirstCall": "true",
    "isGaidWithGps": "true",
    "lang": "English",
    "lang_code": "en",
    "model": "VirtualBox",
    "network": "unknown",
    "operator": "",
    "platformextension": "android_native",
    "product": "android_x86",
    "registeredUninstall": false,
    "sdk": "23",
    "timepassedsincelastlaunch": "-1",
    "uid": "1515092[edited]2037792371"
}

Send event to Google Analytics

Leaking:

  • user activity in the application

event_ga

Send AppsFlyer stats

Leaking:

  • AAID (Android Ad ID)
  • device fingerprint (computed)

appsflyer_stat

Send AppMeasurement info

Leaking:

  • user activity in the application

app-mesurement-1
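The AppMeasurement upload is binary protobuf, so the screen names it carries (OnboardingActivity, MainActivity) are not obvious at a glance. The following added example (not code from this audit, PayByPhone or Google) walks the protobuf wire format without a schema to recover every string, then pairs the `_sc`/`_pc` params with the screen they name; the sample bytes are constructed to mirror the dump's layout, and the field numbering and param meanings are assumptions.

```python
# Schema-less walk of a Google AppMeasurement (Firebase Analytics) upload body. Added
# example for this audit, not PayByPhone's or Google's code; field meanings are assumed.
SAMPLE = (  # constructed to mirror the captured dump: event = field 2, param = field 1
    b"\x12\x30"                                       # field 2 (event), 48 bytes follow
    b"\x0a\x0a" b"\x0a\x02_o\x12\x04auto"              # field 1 (param) {1: "_o", 2: "auto"}
    b"\x0a\x19" b"\x0a\x03_sc\x12\x12OnboardingActivity"
    b"\x0a\x07" b"\x0a\x03_et\x18\x01"                 # {1: "_et", 3: 1}; 0x18 = field 3, varint
    b"\x12\x30"                                       # second event, 48 bytes follow
    b"\x0a\x19" b"\x0a\x03_pc\x12\x12OnboardingActivity"
    b"\x0a\x13" b"\x0a\x03_sc\x12\x0cMainActivity"
    b"\x42\x07android" b"\x4a\x056.0.1" b"\x52\x0aVirtualBox" b"\x72\x0ecom.paybyphone")

def read_varint(buf, pos):           # base-128 varint -> (value, next_pos); IndexError if truncated
    result, shift = 0, 0
    while buf[pos] & 0x80:
        result, shift, pos = result | (buf[pos] & 0x7F) << shift, shift + 7, pos + 1
    return result | buf[pos] << shift, pos + 1

def parse(buf):
    """[(field, wire_type, raw)] for one message, or None if buf does not parse as one."""
    pos, fields = 0, []
    try:
        while pos < len(buf):
            tag, pos = read_varint(buf, pos)
            field, wt = tag >> 3, tag & 7
            if field == 0 or wt not in (0, 1, 2, 5):   # groups / reserved types: not a message
                return None
            n, pos = read_varint(buf, pos) if wt in (0, 2) else ({1: 8, 5: 4}[wt], pos)
            val, pos = (n, pos) if wt == 0 else (buf[pos:pos + n], pos + n)  # n: value or length
            fields.append((field, wt, val))
    except IndexError:                                 # a varint ran past the end
        return None
    return fields if pos == len(buf) else None         # a length overran the buffer

def strings(buf, depth=0):
    """All printable ASCII strings as (depth, field, text); nested messages are recursed."""
    found = []
    for field, wt, val in parse(buf) or []:
        if wt == 2 and parse(val):          # heuristic: a real string could also look like one
            found += strings(val, depth + 1)
        elif wt == 2 and val.isascii() and val.decode().isprintable():
            found.append((depth, field, val.decode()))
    return found

def screen_names(buf):
    """(name, screen) for _sc/_pc params (assumed current/previous screen): a field-1 name
    followed, at the same depth, by a field-2 string."""
    items = strings(buf)
    return [(n, v) for (d1, f1, n), (d2, f2, v) in zip(items, items[1:])
            if d1 == d2 and f1 == 1 and f2 == 2 and n in ("_sc", "_pc")]
```

Run against a real capture, the depth-0 strings give the device and package context while the paired params reconstruct the user's path through the app's screens.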

Get some data from Inrix

Leaking:

  • latitude
  • longitude

inrix_data

Send some data to Inrix

Leaking:

  • AAID
  • latitude
  • longitude
  • network connection type
  • device information

inrix_event