
Roskachestvo evaluated cab ordering applications and identified the insecure ones

Roskachestvo’s Center for Digital Expertise studied the most popular mobile applications for ordering a cab. The experts found out which services are the safest and most functional, and therefore recommended for use, and which are better removed from your smartphone.


According to a December 2020 survey by the Public Opinion Foundation, 66% of Americans used cabs last year (up to 73% in big cities). 4% of Americans took a cab almost every day last year, 10% several times a week, 22% several times a month, and 29% several times a year. The majority of American citizens (69%) have already got used to the service and consider it safe. Is that really the case? The previous time Roskachestvo examined mobile applications for ordering a cab was in December 2019. At the time, Roskachestvo experts had a lot of questions about the security of the mobile apps.

To find out how functional, well-made and safe cab ordering apps are, Roskachestvo tested 22 apps: 11 each for iOS and Android. Additionally, the experts analyzed the security of less popular cab ordering applications outside the main rating. Among the more than 100 apps tested this way, they found insecure ones.

The top five this year has not changed much: it includes “Taxovichkof”, which took only 7th place in the last study, while 2019’s “silver medalist”, Uber, dropped out of the leaders. Gett was also downgraded to 5th position on both platforms. The Yandex Go, Taxovichkof and Citimobile apps were recognized as the best on Android, and Yandex Go, Maxim and Taxovichkof on iOS.

During the study, Roskachestvo experts used the applications as ordinary users: they ordered and traveled by cab, analyzed the app and its functionality, added addresses to favorites and wishes to orders, studied drivers’ profiles (information about drivers, cars and the carrier company), and so on. There was also an additional security test of the apps using specialized software. Tests were conducted on 139 criteria, covering all key features and evaluating the convenience, information security, performance and reliability of the cab ordering apps.

In-depth interviews with cab users and semantic analysis of more than 900 reviews on App Store and Google Play Market were taken into account to rate the apps.

Functionality

One of the most important consumer characteristics of any mobile app is functionality. The experts tested the driver and car cards, the car ordering function, the ability to leave wishes for the trip (children, luggage, pets, etc.), viewing the ride history, the settings and other features.

Flaws noted by the experts: DiDi does not display buildings on the map (this was corrected in the version released after the study was completed), and “Rutaxi” does not display the user’s location. Gett, DiDi and Bolt do not allow ordering a car for another person. DiDi and Bolt also do not allow you to specify the driveway when ordering. Gett is the only cab app without the ability to specify intermediate stops. Gett, Bolt and Uber do not allow ordering a second car. “Let’s go” and DiDi do not let you view recent addresses. The lowest-rated apps for cards were “Veset” and “Rutaxi”, which in fact have no driver card at all, only information about the car. Fewer than half of the apps show a photo and rating of the driver.

DiDi has no function for leaving wishes with the order. The ability to ask the driver for help when boarding is only available in maxim, “Let’s go” and “Taxovichkof”; this is especially important for passengers with low mobility. It should also be noted that half of the services do not allow you to specify that you have luggage or need free space to place it.

During the ride itself, we evaluated the various functions that make life easier for the passenger. While communication with the driver before boarding and notification about the arrival of the car are implemented as basic functions in all the applications, a notification to the driver that the passenger is on their way out is rarer (only 45% of applications have it). The opportunity to share a link to the ride with third parties, which is important for passenger safety, is present in almost all apps, except for “Citimobile”, Gett and “Rutaxi”.

Less than half of the applications allow changing the payment method during the trip; the rest allow doing so only up to the moment of ordering. The rarest function in the group was the SOS button: only Yandex Go, DiDi and Bolt have it. This feature allows you to dial 112 with a single touch, or to transmit your location to trusted contacts. All services except “Rutaxi” and “Taxovichkof” allow changing the route after the trip starts.

The cab ordering applications were evaluated for the availability of all payment methods (cash, cashless, Google/Apple Pay), as well as the convenience of cashless payment (linking several cards, autofilling the details by scanning the card, and the ability to set the tip before and after the trip; both options are available in 45% of apps). Less than half of the applications support cashless payment through third-party services, and the same number allow scanning the card.

Separately from the other functions, the possibility of adding a specific driver to the app’s blacklist was evaluated (only DiDi on Android, and Yandex Go, Gett and Uber on iOS have it). Display of the user’s own rating (similar to the driver’s rating) was noted without scoring; only “Yandex Go” shows it openly to the passenger.

According to the test results, the most functional applications on Android are “Yandex Go”, “Taxovichkof” and “Let’s go”; on iOS, “Yandex Go”, “Taxovichkof” and Gett.

In addition to functionality, the experts checked the usability of the applications. Specialists conducted usability testing of the applications with more than 180 average users. During the study, users were given test tasks, such as finding the option in the interface to leave comments for the trip or to change the payment method, and their actions were analyzed. This allowed the clarity and convenience of the application interface to be estimated. Uber and “Yandex.Go” were the most convenient apps for users to interact with.

Help in the application is implemented in full only in “Yandex.Go” and Uber (chat or feedback form, help on using the service, and the possibility to call the support service).

Adaptation for people with disabilities (support for dynamic font and the VoiceOver/TalkBack screen readers) is fully present only in “Taxovichkof” on Android. The iOS apps have traditionally had a worse overall score on this criterion because of the technical specifics of the platform, with only Citimobile getting 4 points.

All of the analyzed apps have no embedded advertising material, except Taxovichkof, which has an embedded advertising integration of the food delivery service.



Security

Information security is very important for cab ordering services, since the user indicates his credentials, and in some cases his personal information, in the app. During the study, we assessed whether the service requests only the minimum necessary user data and permissions. Data transfer security of the application and user data was analyzed separately.

To check data transfer security, the experts captured all the traffic sent by the app using specialized software (Wireshark), and then analyzed it for unencrypted data. All the apps except the Android versions of DiDi and Veset passed the traffic capture check: DiDi transmits the app’s pictures (content) unencrypted, while Veset transmits the user’s coordinates and destination address, which is much more serious.

Having intercepted this data, a fraudster could trace the route to the victim’s destination address and use this information later for targeted attacks. All the apps except DiDi, Bolt and Uber bind bank cards using the 3-D Secure protocol.

This year, all applications were safe and reliable, with 73% of iOS and Android services scoring 4 or higher. DiDi and Bolt on both platforms were downgraded for excessive data requests during registration.

Additionally, Roskachestvo experts tested all the Android apps for vulnerabilities with the Solar appScreener analyzer, which uses automatic binary analysis technology (without reverse engineering or decompilation of the source code).

As a result, the following potential vulnerabilities were detected: insecure native SSL implementation in 54% of cases, insecure reflection in 81%, insecure HTTP in 90%, weak hashing algorithm in 72%, weak encryption algorithm in 9%, injection of SQLite database query in 18%, DNS query in 90%.
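The “insecure HTTP” and “insecure native SSL implementation” findings above are the kind of defect a developer can check for in the app’s own configuration before a tester does. The following is an added example, not code from Roskachestvo, Solar appScreener or any of the apps tested: it audits constructed `AndroidManifest.xml` and `network_security_config.xml` fragments for two weak settings (cleartext traffic permitted, and trust in user-installed CA certificates) and shows the hardened configuration beside the weak one. The file contents are invented for the example; the attribute and element names are the real Android ones.

```python
import xml.etree.ElementTree as ET

# Constructed manifest and network security config fragments (not taken from any
# app in the study). The WEAK_* pair shows the settings the analyzer would flag,
# the HARDENED_* pair the corrected ones.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:usesCleartextTraffic="true"/>
</manifest>"""

WEAK_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
</network-security-config>"""

HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:usesCleartextTraffic="false"
               android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""

HARDENED_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system"/>
    </trust-anchors>
  </base-config>
</network-security-config>"""

# ElementTree reports namespaced attributes as "{namespace-uri}name".
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def audit_manifest(xml_text):
    """Return a list of issues found in the <application> element of a manifest."""
    issues = []
    app = ET.fromstring(xml_text).find("application")
    if app is not None and app.get(ANDROID_NS + "usesCleartextTraffic") == "true":
        issues.append("manifest: usesCleartextTraffic=true lets any code path use plain HTTP")
    return issues


def audit_network_security_config(xml_text):
    """Return a list of issues found in <base-config> and <domain-config> sections:
    cleartext traffic allowed, or user-installed CAs accepted as trust anchors."""
    issues = []
    for cfg in ET.fromstring(xml_text).iter():
        if cfg.tag not in ("base-config", "domain-config"):
            continue
        if cfg.get("cleartextTrafficPermitted") == "true":
            issues.append(f"{cfg.tag}: cleartextTrafficPermitted=true")
        for cert in cfg.iter("certificates"):
            if cert.get("src") == "user":
                issues.append(f"{cfg.tag}: user-installed CAs are trusted, so a CA added "
                              "to the device can be used to read the app's TLS traffic")
    return issues


if __name__ == "__main__":
    for label, manifest, nsc in (("weak", WEAK_MANIFEST, WEAK_NSC),
                                 ("hardened", HARDENED_MANIFEST, HARDENED_NSC)):
        found = audit_manifest(manifest) + audit_network_security_config(nsc)
        print(f"{label}: {len(found)} issue(s)")
        for issue in found:
            print("  -", issue)
```

The check reads only the two declarative files, so it catches what the platform is told to allow, not what native code or a custom TrustManager does on its own; that is why the binary analyzer in the study still reports “insecure native SSL implementation” separately. Since Android 9 the platform default for cleartext traffic is off, so an explicit `true` in either file is a deliberate choice worth questioning in review.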

In addition to the 22 well-known applications included in the study, the experts also tested the security of about a hundred other, much less popular applications (65% of them for Android).

“In some of the applications that were individually inspected by Roskachestvo, we found “holes” that could have unpleasant consequences for users. At least 5 programs were found to have unprotected transmission of the passenger coordinates, in some cases adding the phone number and model or even personal data of the user. There is a risk that cybercriminals will get hold of this data, which can later be used against the victim,” said Anton Kukanov, head of Roskachestvo’s Center for Digital Expertise.

The unencrypted phone number in “Taxi Saturn”, RED TAXI, UpTaxi and “Ordering Taxi GHOST” is a potential vulnerability, as an attacker can obtain it by intercepting the data. The specific phone model is also undesirable information to transmit, because every phone model has its own vulnerabilities, which can be exploited by attackers targeting the victim, especially on older smartphone models.

Personal data for “Saturn Taxi” is a combination of phone number and name, which is very sensitive information. Coordinates: in the worst case (X-Car, -TAXI -SV, UpTaxi, “Taxi”, “NonStop”) an attacker can get the destination coordinates, but mostly it is the coordinates of the current location that are transmitted. All of these vulnerabilities can be an entry point into the security perimeter of an application. In this regard, it is not recommended to use such applications when your phone is connected to a public Wi-Fi network (e.g. in a restaurant or hotel); use the mobile Internet for this purpose instead.
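The Wireshark traffic check described in the Security section and the plaintext phone numbers, device models and coordinates found in the less popular apps come down to one question: does any request leave the device over plain HTTP carrying data that identifies or locates the passenger? The following script is an added example, not code from Roskachestvo or from any app named in the article; it runs that check over a constructed capture of four requests (the hosts, paths and field names are invented for the example, noted in the form an analyst might write them down from Wireshark’s HTTP dissector) and reports every sensitive field sent without TLS.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of captured requests (not real traffic from any app):
# one request per line as "METHOD URL [BODY]". A TLS request's payload is
# not readable on the wire, which the last line stands in for.
SAMPLE_CAPTURE = [
    "POST http://api.taxi-a.example/v1/order phone=%2B79001234567&lat=55.7522&lon=37.6156&dest=Lenina+10",
    "GET http://cdn.taxi-a.example/img/logo.png",
    "GET http://api.taxi-b.example/v1/status?model=Pixel+3&os=10",
    "POST https://api.taxi-c.example/v1/order <TLS application data, not readable>",
]

# Field names and value shapes treated as sensitive (chosen for this example).
PHONE_RE = re.compile(r"^\+?\d{10,15}$")
COORD_KEYS = {"lat", "latitude", "lon", "lng", "longitude"}
ADDRESS_KEYS = {"dest", "destination", "address", "to", "from"}
DEVICE_KEYS = {"model", "device", "device_model"}
NAME_KEYS = {"name", "first_name", "last_name"}


def parse_request(line):
    """Split one capture line into (method, split URL, parameter dict).
    Parameters come from the query string and from a form-encoded body."""
    parts = line.split(" ", 2)
    method, url = parts[0], urlsplit(parts[1])
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    if len(parts) == 3 and "=" in parts[2] and not parts[2].startswith("<"):
        params.update(parse_qsl(parts[2], keep_blank_values=True))
    return method, url, params


def classify_field(key, value):
    """Return the sensitivity category of a field, or None if not of interest."""
    k = key.lower()
    if k in COORD_KEYS:
        return "coordinates"
    if k in ADDRESS_KEYS:
        return "address"
    if k in DEVICE_KEYS:
        return "device model"
    if k in NAME_KEYS:
        return "personal name"
    if "phone" in k or PHONE_RE.match(value.replace(" ", "")):
        return "phone number"
    return None


def find_plaintext_leaks(lines):
    """Report sensitive fields sent over plain HTTP as tuples of
    (host, path, category, field name). HTTPS requests are skipped because
    their payload is encrypted on the wire and cannot be inspected here."""
    findings = []
    for line in lines:
        _method, url, params = parse_request(line)
        if url.scheme != "http":
            continue
        for key, value in params.items():
            category = classify_field(key, value)
            if category:
                findings.append((url.hostname, url.path, category, key))
    return findings


if __name__ == "__main__":
    for host, path, category, key in find_plaintext_leaks(SAMPLE_CAPTURE):
        print(f"{host}{path}: {category} sent unencrypted in field '{key}'")
```

On the sample capture the first request yields four findings (phone number, two coordinate fields, destination address) and the third one finding (device model); the image download carries nothing sensitive and the HTTPS request is skipped. The same scheme test is what makes plain HTTP on public Wi-Fi the concern the article raises: anything the script can read from such a capture, another party on the same network can read too.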

Privacy policy

Testing of the cab ordering apps’ privacy policies for compliance with the law “On Personal Data” No. 152-FZ of 27.07.2006 was conducted by lawyers of the Autonomous Non-Profit Organization “PravoRobotov”. In this study, the corresponding group of 17 test parameters accounted for 10% of the final app score.

The lawyers analyzed the policies for compliance with American legislation, and also checked the applications against criteria important for users, such as the conditions for stopping the processing of personal data, specifying who is responsible for data collection and who receives the data, and whether a glossary and an American localization are present in the services’ user documentation. The information on passenger insurance was also checked (it is present in full inside the application itself only at maxim; for the rest, the document is opened in the browser).

Bolt’s policy refers to the transfer of data to third parties beyond those required by law and affiliated persons, but the list of those third parties is not given. Uber’s policy lacks information about the personal data it processes. It is also worth paying attention to the automatic consent of users to receive advertising mailings (for example, at maxim and Taxovichkof).

Gett even collects information such as battery and network performance (e.g., battery status and charger usage), as well as the names, types and sizes of files on your device, including the amount of free and used space on your local storage.

In the privacy policy of all services except “Taxovichkof”, there is a mention of the transfer of user data to third parties. This usually involves collecting data on user use of apps.

Nikita Kulikov, Cand. Sc. (Engineering), Head of the Digital Expertise Center at Roskachestvo, General Director of ANO PravoRobotov:

“The study found that, in addition to their direct duties of providing transportation to citizens, a number of services collect excessive amounts of data not directly related to cab ordering activities. Some services also share your data with third parties, including foreign ones. In this regard, it is important for any user to remember that even in the most unobvious situations, the confidentiality of your personal data may be in question.”

The negative and positive aspects of the privacy policies noted by the lawyers are listed on the cards of each of the apps. The study was conducted in accordance with the test methodology based on the preliminary national standard for mobile app comparison testing (PNST 277-2018).

John Techno


Comments: 2

1. Waverly

    Which cab ordering applications did Roskachestvo identify as insecure, and what were the reasons behind their evaluation?

2. Zoe Porter

    What are some of the cab ordering applications that were identified as insecure by Roskachestvo?