On May 9th, 2022, Chemnitz University of Technology received information about possible data protection violations in the TUCapp, which, to our regret, were confirmed. The first security measures were taken on May 11th and will be available to all users in the Playstore with the update on June 3rd, 2022.
For app versions that have not received an update (version < 2.0.32), personal data will continue to be transmitted. We recommend that you install the latest version immediately to prevent further unwanted data transfers.
Which personal data was transmitted unintentionally?
Device data:
- Operating system (iOS/Android) and the version on your device
- Model designation of the device
- screen width and height
- time zone
- set language of the system
- Are the barrier aids activated?
- Is the Expo app installed?
- Is the device rooted?
- Screen brightness of the end device
- Is the device being moved and in which direction?
- free hard disk space of the device
- Memory capacity and free capacity
- State of charge of the battery or whether the battery is currently being charged
App data:
- Name and ID in the AppStore of the TUCapp
- App version and store version of the TUCapp
- Size of installed app
- Does the app run in an emulator?
- Is the app a debug version?
Connection data:
- Transmission time of the tracking connection
- Type of network over which the tracking data is sent
- ID and start time of the tracking session
Google Analytics
When using the TUCapp, data is transmitted to Google Analytics. The transmission is not actively caused by the app. The data will probably be transmitted if you use Android or the Google Playstore.
Unnecessary app data download from cloud
Each time the app is started (applies to the iOS version), the images and fonts required for the TUCapp are loaded from cloud services, which means that the IP address of the cell phone is passed on to Amazon and Expo. The use of the cloud services could be deactivated by adapting the app.
Cause of the data breach and future strategies
The reason for the transfer is the unwanted integration of tracking libraries. Expo.io is used as the basis of the app as an established technology. Unfortunately, this added unwanted tracking mechanisms to the TUCapp when it was created – including an active tracker that transmits data to Facebook. This tracker is disabled in newer versions (from 2.0.32). A digital fingerprint can be created from the data.
In order to prevent unwanted data transmission processes in future app versions, additional tests are carried out with every update of the standard open source software Expo.io.
According to the current state of knowledge, special categories of personal data within the meaning of Art. 9 Para. 1 GDPR or Art. 10 GDPR are not affected by the incident.
If you have further questions about data protection violations, please contact the data protection responsible at Chemnitz University of Technology (Gernot Kirchner, Straße der Nations 62, Room 1/117 (new: A14.117), 09111 Chemnitz, Tel: +49 371 531-12030, Fax: +49 371 531-12039,
E-mail: datenschutzbeauftragter@tu-chemnitz.de) or the URZ of the TU Chemnitz (e-mail: support@hrz.tu-chemnitz.de).