  • Paris Metro Tracks and Trackers: Why is the RATP App leaking my private data?

    The RATP is the French public company that manages the Paris subway (metro). It provides a dedicated and very useful smartphone App. In particular, the privacy policy of RATP’s iOS App (version 5.4.1) claims: “The services provided by the RATP application, like displaying geo-targeted ads, does not involve any collection, processing or storage of personal data” (translated from their privacy policy, in French). Below is the screenshot of RATP’s In-App privacy policy (in French):

    Now, having read the App’s privacy policy above, would you believe that the MAC address of your iPhone’s WiFi chip, your iPhone’s name, and the list of processes running on it (which potentially reveals a subset of the Apps installed on the smartphone), among other things, are being sent over the network to a remote third party by the RATP App? Well, if you don’t believe it, here you go. Below are two instances of data we captured on our iPhone while it was being sent over the network by the RATP App. One piece of good news, though: this data is sent through SSL, not in clear, which prevents eavesdropping.

    But wait! It is possible that RATP doesn’t even know about this behavior of their App (though in any case, this can’t be an excuse for RATP to evade its responsibility). This App is, in fact, developed and maintained by FaberNovel, according to the In-App “Legal mentions”.
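
One way to check a capture for the three kinds of data named above (WiFi MAC address, device name, process list), as an added example that is not the authors' tooling and does not reproduce their captured data. It assumes the request body is already available in plaintext from the auditor's own test device; the function names, device values and sample body are constructed, and it goes slightly beyond the text by also matching URL-encoded and separator-free forms of the MAC address.

```python
import re
from urllib.parse import unquote_plus

def mac_variants(mac):
    """Lower-case textual forms of one MAC: aa:bb:.., aa-bb-.., aabb.."""
    octets = re.findall(r"[0-9a-f]{2}", mac.lower())
    if len(octets) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return [sep.join(octets) for sep in (":", "-", "")]

def normalise(text):
    # Treat curly and straight apostrophes alike ("Alice’s iPhone").
    return text.replace("\u2019", "'").lower()

def find_identifier_leaks(body, mac, device_name, processes, min_procs=3):
    """Scan one decrypted request body for the test device's own identifiers."""
    raw = body.decode("utf-8", errors="replace")
    # Look at the body as sent and at its URL-decoded form (form posts).
    views = [normalise(raw), normalise(unquote_plus(raw))]
    hit_mac = next((v for v in mac_variants(mac) for t in views if v in t), None)
    hit_name = any(normalise(device_name) in t for t in views)
    seen = sorted(
        p for p in set(processes)
        if any(re.search(rf"(?<![\w.]){re.escape(p.lower())}(?!\w)", t) for t in views)
    )
    # One common word such as "Maps" proves little; several of the device's
    # process names together indicate that the process list itself was sent.
    return {"mac": hit_mac, "device_name": hit_name,
            "process_list": seen if len(seen) >= min_procs else []}

# Constructed sample data: values of the auditor's own test device and a
# made-up request body; none of it is taken from the RATP App's traffic.
DEVICE_MAC = "02:00:00:AA:BB:CC"
DEVICE_NAME = "Alice's iPhone"
DEVICE_PROCS = ["SpringBoard", "MobileMail", "MobileSafari", "kernel_task", "Maps"]
SAMPLE_BODY = (b"ts=1370000000&hw=02%3A00%3A00%3AAA%3ABB%3ACC"
               b"&dn=Alice%E2%80%99s+iPhone"
               b"&procs=SpringBoard%2CMobileMail%2CMobileSafari%2CRATP")

if __name__ == "__main__":
    print(find_identifier_leaks(SAMPLE_BODY, DEVICE_MAC, DEVICE_NAME, DEVICE_PROCS))
```

Raising `min_procs` reduces false positives when the device's process names are ordinary words that an app may legitimately send.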

