We have been contacted last May by Le MédiaTV as part of an investigation about delivery riders. The journalist wanted to know more about the Deliveroo Rider app (used by the riders) and what types of data it could collect. This incidentally matched our wish to develop in-depth application analysis and publish them on this blog. The video from Le Média thus allows us to open this new type of articles in which we offer to detail our method and the full results.
The εxodus analysis platform enables you to know how many trackers are in an application. For instance, for Deliveroo Rider app version 19.06.24_14235 we found 4 trackers. This “static analysis” has two limits :
That’s why we use a free software project named PiRanhaLysis, which allows us to do dynamic analysis. As explained in Le Média TV’s investigation, the PiRogue module allows us to intercept and observe the data transmitted by the phone while an application is used (here, Deliveroo Rider).
We used a Samsung SM-G361F, with Android 5.1.1. The results may vary depending on the phone or the operating system.
The traffic analysis highlights that data is sent to several destinations:
Appboy, which has since become Braze, an advertising network managing client data and marketing;
Segment, a behavior analyzer1;
Instabug, a software for sending bugs and crash reports.
Among the data that have been sent, we can find data related to both the device and the application usage, which are sometimes linked to unique identifiers, like the advertisingID2 or the Deliveroo courier number.
More precisely, if we take each data transmission (which occurs on a regular basis):
userID), the advertising identifier (the
advertisingID), the unique Android identifier (the
id)3 the Mobile Network Operator, the phone model, the screen resolution, if the phone is connected via WiFi…
Through this analysis, we were able to demonstrate that data, including data that could accurately identify a person, was being sent to third party companies through trackers included in the Deliveroo Rider application.
We would like to thank the MediaTV teams who worked with us with undeniable professionalism and we hope that this post will have been of interest to you. Thanks also to the Piranhalysis project for these analysis tools.
If you have any questions, feel free to contact us and, particularly, do not forget to support us so that we can continue to produce similar analyses. In fact, we are going to try to publish these Focus on… on a more or less regular basis.