Roskachestvo identified unsafe cab ordering applications

Roskachestvo’s Center of Digital Expertise conducted a study of the 20 most popular mobile cab ordering applications. Since cab services collect and store our personal and payment data, they should be able to demonstrate impeccable security results. The information security of more than 60 little-known applications was also analyzed. Alas, not all of them turned out to be secure.

Since 2016, the cab market has been growing continuously, and it changed rapidly in 2021: several services, including Vezet and Rutaxi, previously analyzed by Roskachestvo, were acquired by Yandex, which increased its overall share and made it the absolute leader in market presence (40% overall, 67% among aggregators, according to Forbes as of September 2021).

To find out how functional, high-quality and secure cab ordering apps are, Roskachestvo tested 20 apps: 10 each for iOS and Android. Lawyers from ANO PravoRobotov examined the services’ privacy policies for compliance with Federal Law No. 152-FZ “On Personal Data” of 27.07.2006 and highlighted negative and positive aspects that users should pay attention to.

Sergey Bodrov, head of the Roskachestvo Digital Expertise Center:

“During the study, experts used the applications as ordinary users: ordered a cab and drove around the city, analyzed the application and its functionality, added addresses to favorites and requests to orders, studied driver profiles (information about drivers, cars and the carrier company) and worked through other typical usage scenarios. Additionally, the applications were tested for security using specialized software. As a result, all the key functions were tested, evaluating the convenience, information security, performance and reliability of cab ordering applications.”

According to the survey results, the leading app, Yandex Go, remained the same; Taxovichkof yielded its place to maxim; and Citimobile improved its position and now ranks third on both platforms (iOS and Android).

According to the test results, the most functional applications are Yandex Go and Taxovichkof on both platforms, Uber on Android, and Citimobile on iOS. The most convenient applications according to the survey are Yandex Go, Taxovichkof and maxim on Android, and Taxovichkof and maxim on iOS. In terms of information security, all popular apps showed good results: most scored 3.5 or more. Some Android apps were marked down for containing “trackers” of user data.

Most functions are implemented at a high level by all survey participants. However, Gett and DiDi do not allow calling a cab without specifying the address in advance, and not all applications display the remaining distance from the car to the user: the function is absent in Pochali, Taxovichkof and maxim. The Android version of DiDi does not show buildings on the map. Only Taxovichkof, Yandex Go, Citimobile and Uber allow a recent trip address to be selected again.

The next important point for the user, once the car has been chosen and assigned, is the profile of the driver and the car. Specialists evaluated the availability of the driver’s name, photo and rating, information about the car, information about the carrier, and the date of the driver’s registration with the cab service.

As in the last study, there is still significant variation between apps in how fully the driver’s profile is filled out, from the virtual absence of a driver’s profile in Poholy, Omega and TapTaxi to a fully informative card with a photo in Yandex Go, DiDi and Gett.

The next important group of criteria for the user is trip preferences. If the user has a small child, heavy luggage or a pet, the presence of appropriate filters is very important. As the study showed, the absence of such filters in some applications is still a problem. DiDi, Gett, TapTaxi and Uber have the fewest trip preference features.

We also evaluated the presence of an SOS button: Omega, Let’s go, Yandex Go and maxim have it, as do DiDi and Citimobile. It allows the user to dial 112 with one touch or to share their location with trusted contacts. This feature could be decisive for someone choosing a service.

Compared with the last study, the ability to add a particular driver to a blacklist in the application has become noticeably more common (most services do this through a request to the support service, but some allow the driver to be blocked directly). The display of a user rating, similar to a driver’s rating, was considered without scoring; only Yandex Go makes it visible to the passenger. Citimobile has a similar user account level.

While examining the applications for security, experts evaluated whether the service requests only the minimum necessary user data and permissions, and whether the user can delete their account. The security of the transmission of application and user data was analyzed separately: the experts used the specialized software Wireshark to capture all the traffic sent by the application and then analyzed it for unencrypted data. All the applications successfully withstood traffic capture; no vulnerabilities were detected.

A new criterion was also introduced: the presence of analytical trackers that collect information about the user. Developers add them for legitimate purposes, to analyze user behavior and use this information for app development. But the free trackers of big corporations such as Facebook or Google carry additional information security risks: the IT giants receive statistical data the user never needed to share. For this reason, the presence of such trackers was counted as a minus in the study. No such modules were found in the iOS apps, while among the Android apps maxim scored lower on this criterion.

Sixty percent of the apps bind bank cards using the 3-D Secure protocol: a code sent in a text message so the service can verify that the card really belongs to you. In theory, its absence could allow cybercriminals to bind someone else’s card to their account and subsequently make payments from a stolen card, or simply from card details they have picked up.

Additionally, Roskachestvo experts tested all the Android apps for known and zero-day vulnerabilities using Solar appScreener, which relies on automated binary analysis without reverse engineering (source code decompilation). The following potential vulnerabilities were identified: DNS addressing in 50% of cases, insecure reflection in 30% of the examined applications, insecure native SSL implementation in 20%, a weak hashing algorithm in 80% of the apps analyzed, insecure HTTP protocols in 70%, and SQLite database injection in 20%.

In addition to the 20 well-known applications included in the study, specialists also tested the security of 63 less popular applications: 36 on Android and 27 on iOS.


On the iOS platform, only the user’s geolocation data were transmitted in the clear at the time of ordering. Six applications were caught doing this, including NonStop: cab ordering service, Taxi Pobeda, DA TAXI Tyumen and Taxi Variant. On the Android platform the situation looks worse: experts identified two applications, “SV-TAXI. Cab Call” and “UpTaxi all cities”, which, in addition to the geolocation data mentioned above, transmitted personal user data in the clear: the phone number in one case, and the credentials (phone number and password) and the device model in the other. Beyond directly compromising data, this vulnerability could lead to new attacks on users by fraudsters.

Three Android applications also transmitted user geolocation data unencrypted, namely “Taxi Order GOST”, “My City” and “Taxi Saturn+”. As with iOS, this vulnerability, although not critical, is undesirable from a digital security standpoint.
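The check described above (capture the app’s traffic, then look for sensitive fields sent without encryption) can be automated over reassembled requests. The following is an added example, not code from the study or from any of the services named; the field names, hostnames and sample requests are constructed for illustration, and the categories follow the report’s own ranking (credentials and personal data are treated as more serious than geolocation).

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Categories in the report's order of severity: credentials and personal data
# compromise the user directly, cleartext geolocation is undesirable but not critical.
FIELD_RULES = [
    ("credentials", re.compile(r"^(password|passwd|pwd|token)$", re.I)),
    ("personal", re.compile(r"^(phone|msisdn|tel|device_model|model)$", re.I)),
    ("geolocation", re.compile(r"^(lat|latitude|lon|lng|longitude)$", re.I)),
]

def _body_fields(content_type, body):
    """Flatten a form-encoded or JSON request body into (key, value) pairs."""
    if "json" in content_type:
        try:
            data = json.loads(body)
        except ValueError:
            return []
        return [(k, str(v)) for k, v in data.items()] if isinstance(data, dict) else []
    return [(k, v[0]) for k, v in parse_qs(body).items()]

def find_cleartext_leaks(requests):
    """Return (url, field, category) for sensitive fields sent over plain http://.
    `requests` holds (url, content_type, body) tuples, one per reassembled HTTP
    request; https traffic is opaque on the wire and is skipped."""
    findings = []
    for url, content_type, body in requests:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue
        fields = _body_fields(content_type, body)
        fields += [(k, v[0]) for k, v in parse_qs(parts.query).items()]
        for key, _value in fields:
            for category, pattern in FIELD_RULES:
                if pattern.match(key):
                    findings.append((url, key, category))
                    break
    return findings

# Constructed sample traffic (not real captures) mirroring the report's cases:
# cleartext geolocation, cleartext credentials plus device model, and TLS traffic.
SAMPLE_REQUESTS = [
    ("http://api.taxi.example/order?lat=57.15&lon=65.53", "text/plain", ""),
    ("http://auth.taxi.example/login", "application/json",
     '{"phone": "+79990000000", "password": "hunter2", "device_model": "X1"}'),
    ("https://secure.taxi.example/order", "application/json",
     '{"lat": 55.75, "lon": 37.61}'),
]
```

Run `find_cleartext_leaks(SAMPLE_REQUESTS)` to see the five leaked fields; the https request produces nothing, which is the expected result for a correctly configured app.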

A separate problem on the Android platform is redundant or hidden app permissions, which give apps hidden functions that in some cases can even be malicious. Access to phone status data is requested by 17 of the 36 Android applications, access to view contacts by 8 of 36, and access to make phone calls by 6 of 36.

Among the applications that request all of the listed redundant permissions are “SV-TAXI. Cab Call”, “Taxi Us Along the Way” and Faem.Taxi. Roskachestvo does not recommend downloading these applications.
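The permission criterion above can be checked directly against an app’s decoded manifest. This is an added example rather than Roskachestvo’s tooling; it maps the three permissions the report describes (phone status, contacts, phone calls) to their Android permission names, which are assumed here, and applies the report’s rule that an app requesting all three is not recommended. The sample manifest is constructed and does not belong to any real app.

```python
import xml.etree.ElementTree as ET

# Android attributes in a manifest live in this namespace, e.g. android:name.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the study counted as redundant for a cab-ordering app, keyed to
# the wording used in the report.
REDUNDANT_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE": "phone status",
    "android.permission.READ_CONTACTS": "view contacts",
    "android.permission.CALL_PHONE": "make phone calls",
}

def requested_permissions(manifest_xml):
    """Set of permission names declared by <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def audit_manifest(manifest_xml):
    """Redundant permissions the app requests, as {permission: report wording}."""
    found = requested_permissions(manifest_xml)
    return {p: d for p, d in REDUNDANT_PERMISSIONS.items() if p in found}

def verdict(manifest_xml):
    """Apply the report's rule: an app requesting every listed redundant
    permission is 'not recommended'; otherwise say how many it requests."""
    hits = audit_manifest(manifest_xml)
    if len(hits) == len(REDUNDANT_PERMISSIONS):
        return "not recommended"
    return f"{len(hits)} of {len(REDUNDANT_PERMISSIONS)} redundant permissions"

# Constructed manifest in the shape of a decoded APK manifest (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cab">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
</manifest>"""
```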

Whether the privacy policies of cab ordering applications comply with Federal Law No. 152-FZ “On Personal Data” of 27.07.2006 was checked by lawyers of PravoRobotov, an autonomous nonprofit organization. In general, all the examined applications showed good results from a legal standpoint, scoring 4 points and above. The exception was Taxovichkof, whose app did not have a link to its privacy policy at the time of the survey; at the time of publication of the study, the problem had not been fixed. Nevertheless, all services except Taxovichkof pass data to affiliated third parties.

The insurance protection of cab passengers’ life and health has been an area of heightened attention for both public authorities and society as a whole for several years now. As part of the survey, Roskachestvo and lawyers from PravoRobotov analyzed the insurance information in the corresponding apps. Only three of them (Citimobile, “Yandex.Cab” and Gett) automatically insure a passenger during a trip, while in the other apps passenger insurance is outsourced to a third party. The remaining services in one way or another shift responsibility for emergencies onto the driver and/or passenger and force them to agree that the carrier in fact “does not provide transportation or logistics services” and does not accept claims (such wording is used by the Uber service, owned by Yandex).

Stanislav Shvagerus, Head of the Competence Centre of the International Eurasian Taxi Forum:

“In the Russian Federation, the practice of passenger insurance is voluntary and is actually a competitive advantage of the aggregator in the market. However, the voluntary nature of such insurance carries significant risks for cab passengers. If compulsory insurance clearly defines the payment procedure and the amount of the insurance payment, determined by both the insurance law and Article 34 “Liability of the charterer” of Federal Law No. 259-FZ of November 8, 2007 “Statute of automobile transport and urban above-ground electric transport”, then in the case of voluntary insurance of aggregators’ liability this procedure and the amount of payments are determined by an agreement between the insurer and the aggregator. That is why the amount of compensation for damage to the life and health of cab passengers is so low.

A special place is held by the so-called “second echelon” aggregators, which have not yet insured their liability or organized “payment funds”. Such aggregators, as a rule, state in their internal rules that “they are not responsible for the public contract for passenger cab charter concluded by them and that all responsibility to the passenger is borne by the driver of the cab”. These aggregators overlook the fact that, according to Article 37 “Invalidity of agreements” of Federal Law No. 259-FZ of 8 November 2007 “Statute of automobile transport and urban ground-based electric transport”, such documents are invalid.

Court practice regarding compensation for damage to the life and health of cab passengers is vast and consists in the mass acceptance of the responsibility of cab aggregators for damage caused to passengers under a contract of passenger cab charter. Check whether your favorite cab ordering service meets the safety requirements and follows the letter of the law.

The study was conducted in accordance with the test methodology based on the preliminary national standard for mobile app benchmarking PNST 277-2018.

John Techno

Comments: 2

  1. Skylar

    Can you provide more details about the unsafe applications for cab calls that were identified in Roskachevo? Are there any specific incidents or reports that highlight the potential risks involved? What steps are being taken to address this issue and ensure the safety of cab users in the area?

  2. Ava James

    Can you please provide more information about the unsafe applications for cab calls that were identified in Roskachevo? What specific risks have been identified and what measures are being taken to ensure the safety of passengers using these applications?