This research aims to establish a new perspective on super apps by examining the role of geolocation in their development. While unpacking the definition of super apps in a broad perspective, it highlights the unnoticed aspect of the geolocation that can redefine the term. With the location-based research on the platform VKontakte (VK), the privacy policies, permissions and the features of the European Union’s (EU) and Russian versions of the app are compared. This comparison brings forward the limitations and opportunities specific locations can offer for the development of super apps.
The exponential growth of mobile apps has led to new forms of app development, which we explore through a case study of VKontakte (VK). This Russian super app belongs to a new model of mobile apps considered “the do-everything apps” (Steinberg, 2020). This research aims to analyse both the app’s Russian and European Union version, their features, required user permissions and privacy policies, in order to conclude what can be considered a super app, and what role geolocation and different values and jurisdictions play in shaping this definition.
The term “super app” has emerged to define a unique mobile app that conveys in the same digital space different services that facilitate daily users’ tasks. It has its own environment on which users can depend: “Super-apps play the role of a marketplace or ecosystem that hosts in itself different types of solutions, services and experiences that traditionally would only be found in an app specifically designed for it.” (Roa et al., 2021). The ecosystem surfacing from super apps translates into increasing user reliance since their everyday needs can be satisfied within one app. “Super-apps provide an ecosystem of services on one platform, thus, allowing their makers to cross-sell and improve user loyalty” (Roa et al, 2021). Users’ privacy and safety need to be considered in super apps evolution, as “the challenges related to security and privacy are key aspects for keeping user data safe.” (Carvalho Ota et al., 2020).
These apps provide diverse functionalities that may or may not constraint the scope in which an app falls under the super app definition. They provide features ranging from chats to social media platforms, online shops to streaming services. Super apps focus on various functionalities at the same time and place - these are apps inside a particular app. Downloading smaller apps within a larger app is possible due to the “mini-program” attribute - “which allows [them] to have the same functionalities as a specialised app directly within the super-app interface.” (Roa et al., 2021). This is one of the common grounds when describing the emergent super apps - “super app internalizes the functions of the web, other apps, and its own complementors” (Steinberg, 2020).
One of the many features stressed when attributing the connotation of the super app are banking and financial functions. However, this can be a controversial feature due to an app’s adjustment to different legislations. Questioning user’s privacy, the GDPR along with European Banking Authority (EBA) legislation, a set of directives and regulations that supervise, among others, online banking, safeguard the use of citizens’ personal data. One of them, the Second Payment Services Directive, or PSD2 - which came into force in 2020 - aims to regulate electronic payment services, to bring security into online banking and shopping, (European Commision, 2020). Its scope “applies to payment services provided within the Union” (Second Payment Services Directive, 2020)
In September 2021, the EBA published a report that analysed “the digitalisation of both front and back-office processes in the EU’s banking and payment sector” (EBA, 2021). It emphasised the challenges of “competent authorities in monitoring market developments and any risks arising from these interdependencies.” (EBA, 2021). Additionally, the Digital Markets Act (DMA), proposed by the European Commission is under scrutiny. This Act’s objective is “to ensure a level playing field for all digital companies, regardless of their size” (European Parliament News, 2021).
This structurally regulated market sets limitations for apps’ banking business models, considered a drawback in the development of a super app in the EU landscape, demonstrating how the legal framework may shape its development.
In comparison, Russia does not follow the GDPR as it has its own data protection law - the Federal Law “On Personal Data” No. 152-FZ introduced in 2006 (Roskomnadzor, 2013). Overall, it carries the same function within the Russian legislative system as GDPR in the EU - that is to provide security and protection for individuals’ personal data, as well as its processing. Moreover, in contrast to the EU, there is no centralised concept such as the EU banking and financial service law in Russia. Instead, there are two distinct laws: one is concerned with banking, its procedures, and information security within Russian banking systems (Bank of Russia Standard, 2014), and the other addresses regulations on the national payment systems. The Federal Law "On the National Payment System" includes rules on various payment systems existing within Russia, this includes rules regarding online wallets. One of the recently accepted laws (11 July 2021) allows for the transfer of money through anonymous electronic wallets with the use of simplified identification (Svetlova, 2021). Altogether, this creates a friendly environment for the growth and development of electronic wallets and digital means of payment in Russia, such as VK Pay.A detailed analysis of different aspects regarding VKontakte is conducted throughout this paper. Our main conclusion focuses on the conditions that need to be reunited in order for an app to enter the super app realm, and how different geolocations and respective practises and jurisdictions help shape it.
A manually compiled list of VKontakte’s official features (excluding third-party applications) with their relations within the interface and whether they are available to Russian users only or worldwide: https://drive.google.com/file/d/1HfMT2xrcT6UT7RtzKhENDY4cf3qgS2Ul/view?usp=sharing2. Data from the analysis of the Google Play Store APKs of VKontakte and Facebook using the tools AppInspect and Exodus, including a list of general required permissions: https://docs.google.com/spreadsheets/d/1Wier4Hw7o3lBSX5RsbAZy9L--O05Nv9B/edit ?usp=sharing&ouid=105507083896594396938&rtpof=true&sd=true
As the European version of VK is based around GDPR legislation and the Russian version takes into account the local Personal Data Law, it is worth mentioning their distinctions. They are similar in the way that they ensure the protection of individuals’ personal data and processing. However, they have some differences when it comes to key definitions, responsibilities during data processing, as well as territorial scope (OneTrustDataGuidance and Goroddisky & Partners, 2019). As such, the GDPR considers special protection for children, outlines the territorial scope by referring to the EU citizens, and has a large financial penalty for law violation of up to 20 million euros. The Personal Data Law, on the other hand, does not include special protection for children, nor does it outline the territorial scope, and has a much smaller fine of up to 260 000 euros (OneTrustDataGuidance and Goroddisky & Partners, 2019). In contrast to the GDPR, Russian law carries a different interpretation of the term “personal data”, referring to it as “any information directly or indirectly related to a specified or determined individual (i.e. the subject of the personal data).” (Salminen et al., 2020); making its definition broader in comparison to the one proposed by the GDPR. Overall, the Russian data protection legal framework could be considered vaguer in comparison to that of the EU.
When it comes to our analysis of VKontakte’s app permissions, one striking finding is the number of permissions - 84 in total - requested by the app. To put this amount into perspective, Figure 1 compares this number to Facebook's permission requests (59 permissions).
Taking a closer look, we found that the permissions can be categorised within the following sections: “Normal”, “Dangerous”, “Signature” and “Other/Unknown”. These categories are used by Google and characterise “the potential risk implied in the permission” granted by their Android Developer tool. Permissions that fall into the “normal” section, are perceived as “lower-risk” as they grant “requesting applications access to isolated application-level features.” Permissions labelled as “dangerous” are valued as “higher-risk” as they give applications access to “private user data or control over the device that can negatively impact the user.” “Signature” level permissions are permissions which are only granted “if the requesting application is signed with the same certificate as the application that declared the permission.” (Android Developers 2021). Finally, the permissions categorised under “Other/Unknown”, are as the name suggests unknown, meaning they come from another source than the Android Developer tool.
Diving deeper into the permissions requested by VKontakte and Facebook, Figure 2 highlights the “dangerous” permissions requested by the two platforms. Besides requesting more permissions, the amount of “dangerous” permissions requested by VK also exceeds that of Facebook (13 vs 10). With more than half of VK’s permissions categorised within the “Other/Unknown” section (see Figure 1), this number of dangerous permissions might even be higher. However, due to their obscure nature, one is unable to indicate the potential risks of these permissions.Fig 1: VK and Facebook app permissions comparison Fig 2: VK and Facebook “dangerous” permissions comparison
VKontakte’s different functionalities within the app vary depending on the region, in this case, EU and Russia. The dataset presents a clear distinction between the features that each version offers to its users.
Features such as chat, news feed and articles, voice calls and online meetings are common to both versions, similar to many apps. Other common features include health-themed functions, apart from Link Medical ID, only available in Russia, since VKontakte works directly with Russia’s Health Ministry registers, which also allows for the possibility of a Russian COVID Vaccination Status’s feature, whereas EU Privacy law prevents it in the EU; and Call Emergency Services, a Russia-only service. Services such as Academic Curriculum, are available only in VKontakte Russia, as VK works with official Russian education institutions. Many other services are only permitted in Russia since they aren’t aligned with EU regulations. Cultural features such as music, books, movies, live sports broadcasts don’t comply with EU copyright law but are available in Russia.
Another feature only available in Russia’s VKontakte app is the VK Pay, incorporating a virtual bank account, physical debit card and VK cashback. EU banking and financial services laws don’t allow for this. The Russian version also offers physical services, such as Food Delivery services and VK Taxi. Another interesting feature is the third-party app store which is an app store within VKontakte’s app. The Russian version allows users to download all apps that VKontakte runs.
Fig 3: Features availability in EU and Russia
From the findings presented above, it is possible to analyse the main differences between VKontakte’s EU and Russian versions. There is an evident pattern in Russia’s version that is not visible in the EU's version.
The app’s permissions comparison with Facebook acknowledges the extensive permissions users are requested in VKontakte. Permissions authorise apps to collect users’ data, their consent is necessary, however, many times it doesn’t explicitly state how it is collected and processed (Pybus, Coté, 2021), hence the 84 permissions VKontakte’s app requires. From three types of permissions, there isn't a specific description on “Other/Unknown”. These could be custom permissions, designed by the platforms themselves, which one can only speculate about. The binary response to permissions is fundamental for users’ interaction with the app, they are “able to exercise their agency through dismissing or granting (some of) the permissions”. By granting an app permission, “Big Data is shared across applications and different corporations, and value is generated in opaque ways” (Lai, Flensburg, 2020). The significant number of permissions VKontakte requests to provide means to satisfy daily users’ needs in one singular app, defines its business model.
Regarding its features, it is visible that the extensive functionalities the app doesn’t run in the EU when passing through EU legal frameworks. The active features within the EU’s version of the VK app are significantly less than those in Russia's version. As explained, Russian VK is directly connected to different government bodies, allowing for a variety of functionalities within the app. Diverse app’s stakeholders related to the State explains the connection, “Russia’s Gazprom has gained control of the country’s largest social media network, VKontakte” (The Moscow Times, 2021). Criticism arose regarding the approximation to the Kremlin, and “accused the company of readily sharing user data with Russia’s security services.”(The Moscow Times, 2021).
The original term “super app” was defined by Blackberry’s owner Mike Lazaridis in 2010 as “a closed ecosystem of many apps”. Its collection of features makes users engage daily “because they offer such a seamless, integrand, contextualised and efficient experience.” (Infopulse, 2019) “A super-app is a stripped-down version of an app that runs within an all-in-one platform, allowing users to bypass an app store like that of Apple” (Fasnacht, 2021) However, how timeless this definition might seem, some adjustments can be made, which is elaborated in our results.
Therefore, we want to iterate VKontakte's heavy reliance on the reigning legislation of the geographical location the app is downloaded from. Constructed from our research we want to propose our interpreted definition of Super Apps:
Super Apps are closed media ecosystems that seamlessly link digital features and services, which nature is contingent on the geopolitical legislation they operate in.
These are apps that run within apps themselves, as shown with VK, dismissing any other “outside” apps. The major collection of users’ data creates a sense of fulfilment with just one (super) app. However, “[a]s super apps gain popularity and become trendy, the concerns related to security and privacy for the user data must be a priority” (Carvalho Ota, 2020). It is evident that users’ geolocation and inherent regulation shape a super app: where privacy laws are less strict, the super app has better conditions to prevail and rule.
Since this is an emerging topic, whose evolution happens daily, further research may portray new elements, crucial to an ever-changing definition and unfolding of super apps, consequently making the super app and its definition somewhat dynamic.Moreover, further research may investigate the increasing impact of super apps’ popularity in a user’s life, analysing them through a societal lens.
Android Developers. 2021. ‘Guide’. Android Developers. Accessed 18 January 2022. https://developer.android.com/guide/topics/manifest/permission-element?hl=nl.
‘AppInspect’. Jason Chao. n.d. Accessed 19 January 2022. https://appinspect.jasontc.net/.
Bank of Russia Standard. 2014. ‘MAINTENANCE OF INFORMATION SECURITY OF THE RUSSIAN BANKING SYSTEM ORGANISATIONS’. https://www.cbr.ru/Content/Document/File/51217/st-10-14_en.pdf.
Carvalho Ota, Fernando Kaway, Jorge Augusto Meira, Raphael Frank, and Radu State. 2020. ‘Towards Privacy Preserving Data Centric Super App’. In 2020 Mediterranean
Communication and Computer Networking Conference (MedComNet), 1–4. Arona, Italy: IEEE. https://doi.org/10.1109/MedComNet49392.2020.9191550.
‘Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on Payment Services in the Internal Market’. n.d. Accessed 19 January 2022.
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32015L2366. ‘EBA Digital Platforms Report - 210921.Pdf’. n.d. Accessed 19 January 2022. https://www.eba.europa.eu/sites/default/documents/files/document_library/Publications/Repo rts/2021/1019865/EBA%20Digital%20platforms%20report%20-%20210921.pdf. ‘EBA Regulation and Institutional Framework’. 2019. European Banking Authority. 19 March 2019. https://www.eba.europa.eu/about-us/legal-framework/eba-regulation-and-institutional-frame work.
‘EU Banking and Financial Services Law’. n.d. Text. European Commission. Accessed 19 January 2022. https://ec.europa.eu/info/law/law-topic/eu-banking-and-financial-services-law_en. ‘EU Digital Markets Act and Digital Services Act Explained | News | European Parliament’. 2021. 14 December 2021. https://www.europarl.europa.eu/news/en/headlines/society/20211209STO19124/eu-digital-ma rkets-act-and-digital-services-act-explained.
Fasnacht, Daniel. 2021. ‘Banking 4.0: Digital Ecosystems and Super-Apps’. In Theories of Change, edited by Karen Wendt, 235–56. Sustainable Finance. Cham: Springer International Publishing. https://doi.org/10.1007/978-3-030-52275-9_15.
Federal Law of 27 July 2006 N 152-FZ ON PERSONAL DATA. n.d. Accessed 19 January 2022. https://pd.rkn.gov.ru/authority/p146/p164/.
Gritsenko, Daria. 2021. The Palgrave Handbook of Digital Russia Studies.
Gurkov, Alexander. “Personal Data Protection in Russia”. In The Palgrave Handbook of Digital Russia Studies, edited by Gritsenko, Daria. Wijermars, Mariëlle. Kopotev, Mikhail. 95 - 113. Russia: Palgrave Macmillan, 2021.
OneTrust DataGuidanceTM, and Gorodissky & Partners. 12/19. ‘Comparing Privacy Laws: GDPR v. Russian Law on Personal Data’, 48.
Pybus, Jennifer, and M. Coté. 2021. ‘Did You Give Permission? Datafication in the Mobile Ecosystem’. Information, Communication & Society, February, 1–19. https://doi.org/10.1080/1369118X.2021.1877771.
Radley-Gardner, Oliver, Hugh Beale, and Reinhard Zimmermann, eds. 2016. Fundamental Texts On European Private Law. Hart Publishing. https://doi.org/10.5040/9781782258674. Roa, Luisa, Alejandro Correa-Bahnsen, Gabriel Suarez, Fernando Cortés-Tejada, Maria A. Luque, and Cristián Bravo. 2021. ‘Super-App Behavioral Patterns in Credit Risk Models: Financial,
Statistical and Regulatory Implications’. Expert Systems with Applications 169 (May): 114486. https://doi.org/10.1016/j.eswa.2020.114486.
Salminen, Mirva, Gerald Zojer, and Kamrul Hossain. 2020. Digitalisation and Human Security: A Multi-Disciplinary Approach to Cybersecurity in the European High North. 1st ed. Springer International Publishing.
Sophus Lai, Signe, and Sofie Flensburg. 2020. ‘A Proxy for Privacy Uncovering the Surveillance Ecology of Mobile Apps’. Big Data & Society 7 (2): https://doi.org/10.1177/2053951720942543.
Steinberg, Marc. 2020. ‘LINE as Super App: Platformization in East Asia’. Social Media + Society 6 (2). https://doi.org/10.1177/2056305120933285.
Svetlova, Anna. 2021. ‘Путин подписал закон, позволяющий переводить деньги физлицам через анонимные кошельки’. [online] Gazeta.Ru. 11 June 2021. Available at: https://www.gazeta.ru/business/news/2021/06/11/n_16090982.shtml?updated [Accessed 19 January 2022].
Times, The Moscow. 2021. ‘Gazprom Gains Control of Russia’s Top Social Network’. The Moscow Times. 3 December 2021.
VKontakte. ‘VK Ecosystem User Agreement’. n.d. Accessed 19 January 2022. https://id.vk.com/terms.
|png||210113_VKFeatures-01-01.png||manage||840 K||31 Jan 2022 - 10:07||AnneHelmond|
|jpg||Areagraph epoche.jpg||manage||202 K||21 Oct 2019 - 13:30||EmilieDeKeulenaar|
|jpg||Areagraph_03_Tavola disegno 1.jpg||manage||302 K||21 Oct 2019 - 13:36||EmilieDeKeulenaar|
|jpg||Atlantis_WikiTimeline_Tavola disegno 1.jpg||manage||86 K||21 Oct 2019 - 13:28||EmilieDeKeulenaar|
|jpg||Crusade_WikiTimeline-02.jpg||manage||70 K||21 Oct 2019 - 13:27||EmilieDeKeulenaar|
|png||Screenshot 2019-07-22 at 15.22.51.png||manage||429 K||21 Oct 2019 - 13:20||EmilieDeKeulenaar|
|png||Screenshot 2019-07-22 at 16.42.17.png||manage||527 K||21 Oct 2019 - 13:37||EmilieDeKeulenaar|
|png||Screenshot 2019-07-23 at 12.25.46.png||manage||60 K||21 Oct 2019 - 13:24||EmilieDeKeulenaar|
|png||Screenshot 2019-07-23 at 16.10.01.png||manage||327 K||21 Oct 2019 - 13:31||EmilieDeKeulenaar|
|jpg||WW2_WikiTimeline-03.jpg||manage||66 K||21 Oct 2019 - 13:28||EmilieDeKeulenaar|
|png||cluster 2.png||manage||1 MB||21 Oct 2019 - 13:44||EmilieDeKeulenaar|
|png||dangerous-permissions-list.png||manage||77 K||31 Jan 2022 - 10:08||AnneHelmond|
|png||image-wall-e3b55f6d8e296e95f13bd18fc943dd55.png||manage||934 K||21 Oct 2019 - 13:33||EmilieDeKeulenaar|
|png||pasted image 0.png||manage||1 MB||21 Oct 2019 - 13:23||EmilieDeKeulenaar|
|png||pasted image 2.png||manage||1 MB||21 Oct 2019 - 13:32||EmilieDeKeulenaar|
|png||unnamed-2.png||manage||12 K||21 Oct 2019 - 13:34||EmilieDeKeulenaar|
|png||unnamed-3.png||manage||11 K||21 Oct 2019 - 13:34||EmilieDeKeulenaar|
|png||unnamed-4.png||manage||54 K||21 Oct 2019 - 13:37||EmilieDeKeulenaar|
|png||vk-vs-fb-permissions.png||manage||119 K||31 Jan 2022 - 10:08||AnneHelmond|