AlterGEO 4.6 (iOS / App Store)


This application is available for iOS. It is designed to make your city more friendly and visiting places even more interesting and fun. The latest build was released on May 22, 2014. Our latest check was performed on May 17th, 2017.

Findings Summary

Our examination revealed 49 items in total: 16 DAR items and 33 DIT items. Among the DAR items we found 0 worst, 9 bad, 7 good and 0 best items. Among the DIT items we found 30 worst, 3 bad, 0 good and 0 best items.

Below you will find 3 infographics summarizing what we described above. Each image provides information about both DAR and DIT items.


Everything presented below relates to well-known CWEs: sensitive data leakage [CWE-200], unsafe sensitive data storage [CWE-312] and unsafe sensitive data transmission [CWE-319]. You can read more about them here.

Now let’s go deeper and examine each data item’s protection level.

Application Description

The description of this application is cited below:

AlterGEO is a simple way to make your city more friendly and visiting places even more interesting and fun. Hundreds of thousands already use AlterGEO to quickly find places of interest, share their opinions with friends and get discounts at the places they visit.
With AlterGEO, you will be able to:

  • Quickly find the place you need
  • Share your opinions and photos with friends
  • Learn where your friends are now
  • Know what’s happening around you
  • Get discounts and bonuses in thousands of our partner cafes, restaurants and more
  • Complete interesting tasks and learn more about the places you visit
  • Always have a self-updating discount card in your pocket.

AlterGEO will help you find stuff in the city jungle:

  • Check in and add photos and comments to various places
  • Schedule your visits, and the app will remind you of your plans
  • Find places with discounts – there are lots of them, you are sure to find one nearby

Protection levels.

Locally stored data (Data-at-Rest, DAR).

Locally stored data groups include Media Information, Credentials Information, Social Information, Loyalty Information, Application Information, Account Information, Address Book ‘n’ Contact Information, and Location ‘n’ Maps Information.
The average DAR value is 4.81 points (7.00 points of system protection and 2.63 points of own protection). It is higher than the typical value (3.5 points, made up of 7 points of system protection and 0 points of own protection).

Items’ GROUP #1, with an average value of 6.50 points (7 points of system protection, 6 points of own protection), has the following protection level definitions. Frankly speaking, protection and privacy issues are still possible but might involve interaction with the app code. The system protection level means that root/jailbreak is required but is not possible without wiping device data, and the own protection level means that the data is not available in backups.

– Screen Snapshots (‘Media Information’ Group) – Screenshots of your device screen running certain apps; common as an iOS app multitasking feature (app swipes) or browser tab swipes. In the ‘Media Information’ group this item covers any data such as photos, images, video or audio.

– Media Data (‘Address Book ‘n’ Contact Information’ Group) – Any info like images, audio, video, media notes, etc. In the ‘Address Book ‘n’ Contact Information’ group this item covers information stored locally, cached or transferred over the network that belongs to this application, even if it is social.

– Address Data (‘Account Information’ Group) – Home, work or another type of owner address stored by apps. In the ‘Account Information’ group this item covers any information related to profiles and basic credential IDs such as email, username or phone number, plus further information depending on the application.

– Place Details (‘Location ‘n’ Maps Information’ Group) – Any info about a public place (city, country, address, contacts) stored in text or media file format. In the ‘Location ‘n’ Maps Information’ group this item covers any geodata from trackers, social networks, GPS, etc.

– Address Data (‘Location ‘n’ Maps Information’ Group) – Home, work or another type of owner address stored by apps. In the ‘Location ‘n’ Maps Information’ group this item covers any geodata from trackers, social networks, GPS, etc.

– Media Data (‘Location ‘n’ Maps Information’ Group) – Any info like images, audio, video, media notes, etc. In the ‘Location ‘n’ Maps Information’ group this item covers any geodata from trackers, social networks, GPS, etc.

– GEO Data (‘Location ‘n’ Maps Information’ Group) – Any GEO info stored as plain text referring to places or tracked activity. In the ‘Location ‘n’ Maps Information’ group this item covers any geodata from trackers, social networks, GPS, etc.

Items’ GROUP #2, with an average value of 3.50 points (7 points of system protection, 0 points of own protection), has the following protection level definitions. Frankly speaking, extra data was found that shouldn’t be accessible. The system protection level means that root/jailbreak is required but is not possible without wiping device data, and the own protection level means that the data is stored as is.

– Credentials (Tokens) (‘Credentials Information’ Group) – Different tokens used to get access to your account, except for passwords but including app or 3rd-party tokens, secret keys, etc. (usually giving full access to your account). In the ‘Credentials Information’ group this item covers any type of credentials, including basic (IDs only), passwords, tokens, etc.

– Credentials (Tokens) (‘Social Information’ Group) – Different tokens used to get access to your account, except for passwords but including app or 3rd-party tokens, secret keys, etc. (usually giving full access to your account). In the ‘Social Information’ group this item covers information grabbed from 3rd-party social networks.

– Account Data (‘Loyalty Information’ Group) – Basic info about the account like name, a list of sub-accounts (e.g. financial or other) and some linked data like a phone number. In the ‘Loyalty Information’ group this item covers any information related to known reward programs, such as membership, current rewards, etc.

– Application Configs (‘Application Information’ Group) – Different configuration files created by your app, perhaps app permissions. In the ‘Application Information’ group this item covers any information related to the app and its settings, including installed apps or installers.

– GEO Data (‘Account Information’ Group) – Any GEO info stored as plain text referring to places or tracked activity. In the ‘Account Information’ group this item covers any information related to profiles and basic credential IDs such as email, username or phone number, plus further information depending on the application.

– Account Data (‘Account Information’ Group) – Basic info about the account like name, a list of sub-accounts (e.g. financial or other) and some linked data like a phone number. In the ‘Account Information’ group this item covers any information related to profiles and basic credential IDs such as email, username or phone number, plus further information depending on the application.

– Media URLs (‘Account Information’ Group) – URLs related to media info such as stream media or profile media, etc. In the ‘Account Information’ group this item covers any information related to profiles and basic credential IDs such as email, username or phone number, plus further information depending on the application.

– Credentials (Passwords) (‘Credentials Information’ Group) – Well-known passwords or PINs you use to get access to your account (usually worse than tokens because they give full access to your account). In the ‘Credentials Information’ group this item covers any type of credentials, including basic (IDs only), passwords, tokens, etc.

– Credentials (IDs) (‘Credentials Information’ Group) – Only account IDs like app or 3rd-party user IDs, including emails, phone numbers, usernames, etc. (depending on the app). In the ‘Credentials Information’ group this item covers any type of credentials, including basic (IDs only), passwords, tokens, etc.

Also keep in mind that on a jailbroken device the system protection level is 0 points, and on an out-of-date iOS (< 8.3) the system protection level is 2 points. If some data is marked as shareable via iTunes, the system protection level is 4 points.

Transferred data (Data-in-Transit, DIT).

Transferred data groups include Analytics ‘n’ Ads Information, Credentials Information, Account Information, Browser Information, Social Information, Address Book ‘n’ Contact Information, Media Information, Events Information, Loyalty Information, Location ‘n’ Maps Information, Payment ‘n’ Transaction Information, and Financial Information.
The average DIT value is 0.41 points (0.45 points of system protection and 0.36 points of own protection). It is lower than the typical value (4 points, made up of 4 points of system protection and 4 points of own protection).

Items’ GROUP #1, with an average value of 0.00 points (0 points of system protection, 0 points of own protection), has the following protection level definitions. Frankly speaking, data is ‘as is’ and easily accessed (plaintext, no protection at all). The system protection level means that the data is transferred (or supposed to be) ‘as is’ (plaintext) due to jailbreak/root or preinstalled non-trusted firmware, certificates, etc., and the own protection level means that the data is transferred as is, perhaps because the protection mode is turned off or doesn’t exist, or the info is eventually revealed.

– Device Data (‘Analytics ‘n’ Ads Information’ Group) – Device ID, device name, device OS name and version, and jailbroken/root status. In the ‘Analytics ‘n’ Ads Information’ group this item covers any information related to analytics services like Flurry, Google Analytics, etc. or to advertisements.

– Environment (‘Analytics ‘n’ Ads Information’ Group) – Different info about the environment of the device, including app lists, device info, OS name and version, updates, a list of users, network details, etc. In the ‘Analytics ‘n’ Ads Information’ group this item covers any information related to analytics services like Flurry, Google Analytics, etc. or to advertisements.

– Credentials (IDs) (‘Credentials Information’ Group) – Only account IDs like app or 3rd-party user IDs, including emails, phone numbers, usernames, etc. (depending on the app). In the ‘Credentials Information’ group this item covers any type of credentials, including basic (IDs only), passwords, tokens, etc.

– Credentials (Passwords) (‘Credentials Information’ Group) – Well-known passwords or PINs you use to get access to your account (usually worse than tokens because they give full access to your account). In the ‘Credentials Information’ group this item covers any type of credentials, including basic (IDs only), passwords, tokens, etc.

– Account Details (‘Account Information’ Group) – Full info about your account including account membership, expiration, profile, linked data and accounts, etc. In the ‘Account Information’ group this item covers any information related to profiles and basic credential IDs such as email, username or phone number, plus further information depending on the application.

– GEO Data (‘Account Information’ Group) – Any GEO info stored as plain text referring to places or tracked activity. In the ‘Account Information’ group this item covers any information related to profiles and basic credential IDs such as email, username or phone number, plus further information depending on the application.

– Address Data (‘Account Information’ Group) – Home, work or another type of owner address stored by apps. In the ‘Account Information’ group this item covers any information related to profiles and basic credential IDs such as email, username or phone number, plus further information depending on the application.

– Media Data (‘Social Information’ Group) – Any info like images, audio, video, media notes, etc. In the ‘Social Information’ group this item covers information grabbed from 3rd-party social networks.

– Contact Profile (‘Address Book ‘n’ Contact Information’ Group) – Full info about contacts including name, email, ID, phone numbers, gender, linked accounts, geodata, stream and social activity. In the ‘Address Book ‘n’ Contact Information’ group this item covers information stored locally, cached or transferred over the network that belongs to this application, even if it is social.

– Contact Social (‘Address Book ‘n’ Contact Information’ Group) – Some info about social accounts, connections and perhaps social activity. In the ‘Address Book ‘n’ Contact Information’ group this item covers information stored locally, cached or transferred over the network that belongs to this application, even if it is social.

– Contact GEO (‘Address Book ‘n’ Contact Information’ Group) – Linked info about the owner’s and friends’ geodata stored as plain text or image location snapshots. In the ‘Address Book ‘n’ Contact Information’ group this item covers information stored locally, cached or transferred over the network that belongs to this application, even if it is social.

– Stream (‘Social Information’ Group) – Any social or other stream activity including posts, walls, etc. In the ‘Social Information’ group this item covers information grabbed from 3rd-party social networks.

– Stream (‘Address Book ‘n’ Contact Information’ Group) – Any social or other stream activity including posts, walls, etc. In the ‘Address Book ‘n’ Contact Information’ group this item covers information stored locally, cached or transferred over the network that belongs to this application, even if it is social.

– Place Details (‘Address Book ‘n’ Contact Information’ Group) – Any info about a public place (city, country, address, contacts) stored in text or media file format. In the ‘Address Book ‘n’ Contact Information’ group this item covers information stored locally, cached or transferred over the network that belongs to this application, even if it is social.

– Place Details (‘Social Information’ Group) – Any info about a public place (city, country, address, contacts) stored in text or media file format. In the ‘Social Information’ group this item covers information grabbed from 3rd-party social networks.

– GEO Data (‘Social Information’ Group) – Any GEO info stored as plain text referring to places or tracked activity. In the ‘Social Information’ group this item covers information grabbed from 3rd-party social networks.

– Media URLs (‘Address Book ‘n’ Contact Information’ Group) – URLs related to media info such as stream media or profile media, etc. In the ‘Address Book ‘n’ Contact Information’ group this item covers information stored locally, cached or transferred over the network that belongs to this application, even if it is social.

– Place Details (‘Media Information’ Group) – Any info about a public place (city, country, address, contacts) stored in text or media file format. In the ‘Media Information’ group this item covers any data such as photos, images, video or audio.

– Stream (‘Events Information’ Group) – Any social or other stream activity including posts, walls, etc. In the ‘Events Information’ group this item covers any events with details about the event.

– GEO Data (‘Loyalty Information’ Group) – Any GEO info stored as plain text referring to places or tracked activity. In the ‘Loyalty Information’ group this item covers any information related to known reward programs, such as membership, current rewards, etc.

– Place Details (‘Loyalty Information’ Group) – Any info about a public place (city, country, address, contacts) stored in text or media file format. In the ‘Loyalty Information’ group this item covers any information related to known reward programs, such as membership, current rewards, etc.

– Address Data (‘Loyalty Information’ Group) – Home, work or another type of owner address stored by apps. In the ‘Loyalty Information’ group this item covers any information related to known reward programs, such as membership, current rewards, etc.

– Messages (‘Location ‘n’ Maps Information’ Group) – Different types of messages and conversations, excluding SMS and MMS but including recipient and sender IDs and attachments. In the ‘Location ‘n’ Maps Information’ group this item covers any geodata from trackers, social networks, GPS, etc.

– Account Data (‘Payment ‘n’ Transaction Information’ Group) – Basic info about the account like name, a list of sub-accounts (e.g. financial or other) and some linked data like a phone number. In the ‘Payment ‘n’ Transaction Information’ group this item covers details about transactions and payment data involved in transaction records.

– Account Data (‘Financial Information’ Group) – Basic info about the account like name, a list of sub-accounts (e.g. financial or other) and some linked data like a phone number. In the ‘Financial Information’ group this item covers any information that describes payment capabilities.

– GEO Data (‘Location ‘n’ Maps Information’ Group) – Any GEO info stored as plain text referring to places or tracked activity. In the ‘Location ‘n’ Maps Information’ group this item covers any geodata from trackers, social networks, GPS, etc.

– Place Details (‘Location ‘n’ Maps Information’ Group) – Any info about a public place (city, country, address, contacts) stored in text or media file format. In the ‘Location ‘n’ Maps Information’ group this item covers any geodata from trackers, social networks, GPS, etc.

– Address Data (‘Location ‘n’ Maps Information’ Group) – Home, work or another type of owner address stored by apps. In the ‘Location ‘n’ Maps Information’ group this item covers any geodata from trackers, social networks, GPS, etc.

– Media Data (‘Location ‘n’ Maps Information’ Group) – Any info like images, audio, video, media notes, etc. In the ‘Location ‘n’ Maps Information’ group this item covers any geodata from trackers, social networks, GPS, etc.

– Account Data (‘Loyalty Information’ Group) – Basic info about the account like name, a list of sub-accounts (e.g. financial or other) and some linked data like a phone number. In the ‘Loyalty Information’ group this item covers any information related to known reward programs, such as membership, current rewards, etc.

Items’ GROUP #2, with an average value of 4.50 points (5 points of system protection, 4 points of own protection), has the following protection level definitions. Frankly speaking, data is available only if allowed and may require user action. The system protection level means that some techniques are available to developers to keep the connection while bypassing system settings, like proxy settings, etc., and the own protection level means that the protection can be bypassed by fake/stolen root certificates.

– Credentials (IDs) (‘Browser Information’ Group) – Only account IDs like app or 3rd-party user IDs, including emails, phone numbers, usernames, etc. (depending on the app). In the ‘Browser Information’ group this item covers any information the browser stores (credentials, history, cached documents, media, etc.) and activities made via the browser instead of the native app.

– Credentials (Passwords) (‘Browser Information’ Group) – Well-known passwords or PINs you use to get access to your account (usually worse than tokens because they give full access to your account). In the ‘Browser Information’ group this item covers any information the browser stores (credentials, history, cached documents, media, etc.) and activities made via the browser instead of the native app.

– Credentials (Tokens) (‘Browser Information’ Group) – Different tokens used to get access to your account, except for passwords but including app or 3rd-party tokens, secret keys, etc. (usually giving full access to your account). In the ‘Browser Information’ group this item covers any information the browser stores (credentials, history, cached documents, media, etc.) and activities made via the browser instead of the native app.

Keep in mind that if you’re using an out-of-date iOS (< 9.0), the system level equals 2 points instead of 4. It means your data can be stolen without involving your actions.

Privacy Policy

The full application privacy policy is available here.

You may follow the link above to compare the developer’s view of data protection with our results.
This privacy policy is published in Russian, so we include a Google-translated edition below.
Terms of use
1. Acceptance of the terms
“Vay2GEO” LLC (the “Company” or “Wi2GEO”), which owns the site AlterGEO.ru and operates under the trademark “AlterGEO”, provides its services on the terms set out in this User Agreement (hereinafter – the “Agreement”). This Agreement may be amended by the Company at any time without prior notice. The current version of this Agreement is located at: http://alterGEO.ru/agreement/. Breach of the Agreement may result in cancellation of registration.
2. Description of Services
AlterGEO is a social service for communication and navigation in urban environments that uses any device equipped with WiFi, GSM or GPS and allows the user to determine their location and search for places, friends and routes (hereinafter – the “Services”), using a browser or specialized client applications (hereinafter – the “Software”). After registering with AlterGEO, each user receives the software required for the functioning of the system.
3. Obligations of the registration
To create an account, the user needs to register and confirm their data. During registration the user is required to provide accurate, complete and current information about themselves in the respective fields. If this information changes after registration, the user agrees to update it as soon as possible. AlterGEO has the right to delete or freeze an account (suspend access to it) if it has any reason to suspect that the information provided by the user is not complete, accurate or up to date. Registration of users who have not attained the age of 18 is only possible under the supervision of a parent or legal guardian; additional steps for age verification may be required.
4. Exclusion of liability and compensation for damages
The User agrees to indemnify, defend and hold harmless AlterGEO, as well as all its associates and affiliates, affiliated companies and subsidiaries, employees, agents, co-owners of the trademark and other partners, from any third-party claims, including attorneys’ fees, arising from third parties and/or due to the use of the services provided by AlterGEO, non-compliance by the user with this Agreement or the breach by the user of any other rights of third parties, regardless of whether the user is registered or not. The user bears full personal responsibility when using the Services, including, but not limited to, payment of the cost of Internet access in the course of such use.
5. Special notes for the international use of the services
Recognising the international nature of the Internet, the user assumes responsibility for compliance with all local regulations and laws relating to the user’s network.
6. General provisions on the use of services and information storage
The User acknowledges that AlterGEO has the right to send e-mail messages regarding the use of the Services if necessary. However, AlterGEO will never request in such a letter confirmation of information containing personal information or information related to access to the user account. The user also agrees and acknowledges that AlterGEO may impose additional restrictions on the use of the Services and change these limits at any time. The user also agrees that, by transmitting any information directly to the Company and/or via the services provided by AlterGEO and/or to AlterGEO servers, the user transfers to the Company exclusive and non-exclusive rights to such information in full.
7. Changes to terms of service
AlterGEO reserves the right at any time to change the Terms of Service or any part thereof, or even to stop (permanently or temporarily) access to the Service or any portion thereof, without notice. The user also agrees that AlterGEO does not bear any responsibility to the User and/or any third party for any modification, restriction or termination of access to the Service.
8. The ban on the resale of services
The User agrees not to reproduce, copy, duplicate, sell or resell the Service or any part thereof, nor to exploit in any other manner any part of the Services, access to the Service or use of the Service.
9. Termination of Account
You agree that AlterGEO, in its sole discretion, may terminate the use of the User’s account and delete or remove any content within the Service for any reason, including, but not limited to, non-use, or when AlterGEO suspects a violation of the letter or the spirit of the Agreement. In this case, at the discretion of AlterGEO, any oral, written or implied agreement related to the user account also expires. Also, at any time AlterGEO may, in its discretion, cease providing all or part of the Services without notice. The User agrees that any restriction of access to the Service under this Agreement may be made without prior notice, and confirms that AlterGEO may at any time suspend, deactivate or delete the account or terminate access to it. You agree that AlterGEO will not bear any responsibility to the User or any third party for the restriction or termination of access to the Service. Funds deposited for the use of paid services will not be returned.
10. Advertising
You understand and agree that the Service or any portion thereof may be accompanied by advertising and that such advertising is required for AlterGEO to provide the Service. The user also undertakes not to restrict the display of such advertising or announcements via changes in HTML/CSS or other means. By using the Services, the User acknowledges the right of AlterGEO to place such advertising without prior notice and without any compensation to the user or other users. The nature of the placement and the number of advertisements displayed in AlterGEO are defined and modified at the Company’s discretion. Correspondence and business relations with advertisers, or participation in promotions conducted by advertisers, whether through the Service or otherwise, including payment and delivery, and including the conditions, warranties and presentation of the relevant goods or services referred to or found as a result of those relationships, create rights and obligations solely between the user and the advertiser. You agree that AlterGEO does not bear any liability or responsibility for any losses or damages incurred as a result of interaction with advertisers and/or the presence of advertising on the Services.
11. Links
In the Service, as well as on related third-party sites and resources, links to other websites or resources may appear. Since AlterGEO has no control over such sites and resources, the User acknowledges and agrees that AlterGEO is not responsible for the availability of such sites or resources, nor for the content, advertisements, materials, goods and services available on such sites or resources. The user also agrees that AlterGEO is not responsible for and has no direct or indirect liability in connection with any possible loss or damage arising in connection with any content, goods or services available on or obtained through such sites or resources.
12. Property rights of AlterGEO
The User acknowledges and agrees that the Service and any software (hereinafter – software) used for its delivery may contain confidential or other proprietary information (such as know-how) protected by the current legislation on the protection of intellectual property rights, etc. All AlterGEO code and specifications, as well as all other program code and specifications for the software and the functioning of the Services, are subject to the relevant license. The user also acknowledges and agrees that the content of advertisements and information, or information obtained in the course of provision of the Services, is protected by copyright and related rights, the laws on trademarks and service marks, patents, licenses and the relevant property protection legislation. Except as permitted by AlterGEO or an advertiser, the User agrees not to modify, rent, lease, sell, assign, pledge, or make derivative works based on the Services, services or software, entirely or in any part thereof. In confirmation of the non-use of other people’s ideas and information, AlterGEO will not carry out activities aimed at obtaining any confidential or proprietary information from users through the website or e-mail, except for the information necessary to maintain the operation of AlterGEO. Unless otherwise agreed in writing by the parties, any materials, ideas and information that the user has handed over to AlterGEO in any way may be distributed or used by AlterGEO and its affiliates, without any compensation or liability to the User, for any purpose whatsoever, including, but not limited to, developing, manufacturing and marketing products.
13. Disclaimer of Warranties
The User acknowledges and confirms fully that:
(A) the user uses the Service entirely at their own risk. Services are provided “as is” and “as available”. AlterGEO emphasizes the absence of any warranty, express or implied, including, but not limited to, warranties of the quality of services, their suitability for a particular purpose and non-infringement;
(B) AlterGEO does not guarantee that:
(1) the Service will meet the user’s requirements,
(2) the services are delivered smoothly, on time, correctly and safely,
(3) the results obtained from the use of the services will be accurate or reliable,
(4) the quality of any products, services, information or other materials received or purchased by the user through the Service will meet the user’s expectations, and
(5) any errors in the software will be corrected;
(C) downloading or otherwise receiving any material through the use of the services is performed at the user’s own risk, and the user is solely responsible for any damage to their computer, data loss and other consequences;
(D) no advice or information, obtained by the user orally or in writing or by means of the AlterGEO.ru services, imposes on the Company any guarantees other than those specified in this Agreement.
14. Limitation of Liability
The user fully understands and agrees that AlterGEO shall not be liable for any direct, indirect, incidental, special, consequential or punitive damages, including without limitation lost profits, damage from use, loss of data or other intangible losses of any kind, damage to reputation and other losses (even if AlterGEO has been advised of the possibility of such damages), arising from:
(i) use of or inability to use the Service;
(ii) changes in the conditions of the agreement, in exchange for receiving data acquired by or through the Service, or as a result of concluded transactions, messages and information received from or through the Service;
(iii) unauthorized access to user data, or changes to data transmitted by the user or stored on a data server;
(iv) statements or conduct of any person within the Service;
(v) any other event relevant to the services rendered.
15. Changes
AlterGEO may at any time revise this Agreement and, accordingly, amend the information on this page. By using the Services, the User agrees that all changes to the Agreement apply to the User from the date of their publication on this page. The user should periodically visit this page to review the current provisions of the Agreement.