On May 9, 2022, Chemnitz University of Technology received reports of possible data protection violations in the TUCapp, which were regrettably confirmed. The first security measures were already taken on May 11 and will be available to all users in the Play Store with the update on June 3, 2022.
App versions that have not received this update (version < 2.0.32) continue to transmit personal data. We recommend installing the latest version immediately to prevent further unwanted data transfers.
Which personal data was transmitted without consent?
- operating system (iOS/Android) and its version on the device
- model name of the device
- screen width and height
- whether accessibility features are activated
- whether the Expo app is installed
- whether the device is rooted
- screen brightness of the device
- whether the device is currently being moved, and in which direction
- free storage space on the device
- total and free memory capacity
- battery charge level and whether the battery is currently charging
- name and App Store ID of the TUCapp
- app version and store version of the TUCapp
- size of the installed app
- whether the app is running in an emulator
- whether the app is a debug build
- time at which the tracking request was sent
- type of network over which the tracking data was sent
- ID and start time of the tracking session
While the TUCapp is in use, data is also transmitted to Google Analytics. This transmission is not actively triggered by the app; the data is most likely sent by Android itself or by the Google Play Store.
Unnecessary download of app data from the cloud
Every time the app is launched (this affects the iOS version), images and fonts needed by the TUCapp are loaded from cloud services, which passes the phone's IP address to Amazon and Expo. This use of cloud services could be disabled by adjusting the app build procedure.
Cause of the data protection incident and future strategies
The cause of the transfer is the unintentional inclusion of tracking libraries. The app is built on Expo.io, an established technology. Unfortunately, the build process added unwanted tracking mechanisms to the TUCapp, including an active tracker that transmits data to Facebook. This tracker is disabled in newer versions (from 2.0.32). A digital fingerprint of the device can be created from the data listed above.
To avoid unwanted data transmission in future app versions, additional tests are now performed on every update of the open source Expo.io software.
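As an added example (this is not code from the university or from the Expo project), the following Python script sketches the two pre-release checks that the findings above call for: it reads an Expo app.json and flags the settings that let a build fetch its bundle and assets from Expo's servers at launch (the cloud download described under the previous heading), and it scans a build directory for hostnames of the trackers and CDNs of the parties named in this notice. It assumes the Expo app.json keys `updates.enabled` and `assetBundlePatterns`; the hostname list and the sample build tree it scans are constructed for illustration, since the notice does not state which endpoints the app contacted.

```python
"""Pre-release checks for an Expo-built app (added example, not TUCapp code).

Check 1 reads the Expo app.json and flags settings that let the app fetch
its JS bundle and assets (images, fonts) from Expo's servers at launch.
Check 2 scans a build directory for hostnames of known trackers and CDNs.
"""
import json
import os
import re
import tempfile
from typing import Dict, List

# Example hostnames for the parties named in the notice (Facebook, Google
# Analytics, Amazon, Expo). Assumption: the notice does not state which
# endpoints the app actually contacted, so extend this list for a real check.
TRACKER_HOSTS = [
    "graph.facebook.com",
    "google-analytics.com",
    "cloudfront.net",
    "exp.host",
    "expo.io",
]

# Constructed app.json fragments: the weak form beside the corrected one.
WEAK_CONFIG = {
    "expo": {
        "name": "tucapp-sample",
        "updates": {"enabled": True},               # fetch bundle/assets at launch
        "assetBundlePatterns": ["assets/images/*"],  # fonts are not bundled
    }
}
FIXED_CONFIG = {
    "expo": {
        "name": "tucapp-sample",
        "updates": {"enabled": False},              # never contact the update CDN
        "assetBundlePatterns": ["**/*"],            # ship every asset in the binary
    }
}


def check_app_config(config: dict) -> List[str]:
    """Return findings for the 'expo' section of an app.json (empty = ok)."""
    findings = []
    expo = config.get("expo", {})
    if expo.get("updates", {}).get("enabled", True):
        findings.append("updates.enabled is not false: bundle and assets "
                        "may be fetched from Expo's servers at launch")
    if "**/*" not in expo.get("assetBundlePatterns", []):
        findings.append("assetBundlePatterns does not bundle all assets: "
                        "unbundled images/fonts are loaded from the cloud")
    return findings


def scan_build_for_hosts(root: str, hosts: List[str] = TRACKER_HOSTS) -> Dict[str, List[str]]:
    """Walk a build directory; map each file to the tracker hostnames it contains."""
    pattern = re.compile(b"|".join(re.escape(h).encode() for h in hosts))
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                found = sorted({m.decode() for m in pattern.findall(f.read())})
            if found:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits


def write_sample_build(root: str) -> None:
    """Write a constructed sample build tree (not a real TUCapp build)."""
    os.makedirs(os.path.join(root, "assets"), exist_ok=True)
    with open(os.path.join(root, "index.android.bundle"), "wb") as f:
        f.write(b'fetch("https://graph.facebook.com/v12.0/activities");\n'
                b'var assetCdn = "https://example.cloudfront.net/assets/";\n')
    with open(os.path.join(root, "assets", "logo.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)  # clean binary file


def demo_scan() -> Dict[str, List[str]]:
    """Build the sample tree in a temporary directory and scan it."""
    root = tempfile.mkdtemp(prefix="tucapp-build-")
    write_sample_build(root)
    return scan_build_for_hosts(root)


def release_is_clean(config: dict, build_root: str) -> bool:
    """CI gate: true only if the config is hardened and no tracker host appears."""
    return not check_app_config(config) and not scan_build_for_hosts(build_root)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, "config:", check_app_config(cfg) or "ok")
    print("build scan:", json.dumps(demo_scan(), indent=2))
```

Run the scan against the actual build output (the unpacked APK or the iOS app bundle) rather than the source tree, because the tracking code arrived through the build, not through the app's own sources; any hit on a tracker host should fail the release, and the hostname list has to be kept current for each Expo update.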
According to the current state of knowledge, special categories of personal data within the meaning of Art. 9(1) GDPR (DSGVO) or Art. 10 GDPR are not affected by the incident.
If you have any further questions about the data breach, please feel free to contact the data protection officer of Chemnitz University of Technology (Gernot Kirchner, Straße der Nationen 62, R. 1/117 (new: A14.117), 09111 Chemnitz, tel: +49 371 531-12030, fax: +49 371 531-12039, e-mail: firstname.lastname@example.org) or the University Computer Centre (e-mail: email@example.com).
Further information on the TUCapp can be read in a stand-alone TUCapp blog.