Tomcat
Your route, your contacts, your SMS - everything is under the control of “friendly” applications.
A Cybernews investigation has uncovered disturbing facts about the collection of personal data by popular travel apps. From Booking.com to Airbnb, Hilton to Radisson, almost all travel planning services try to extract as much information about users as possible, and some do it behind the scenes.
The leaders in terms of the volume of collected data were Booking.com, MakeMyTrip and HotelTonight. It turned out that absolutely all tested applications have access to users’ geolocation. However, half, including Booking.com, do not even inform users about this.
Moreover, individual applications can read SMS, access the camera, microphone and files on the device. Some are even able to make calls on behalf of the smartphone owner.
After analyzing 22 popular travel apps with millions of downloads, Cybernews experts found out what data they collect and what they have access to on users' devices. First, the data provided in the “Data Security” section of the Google Play Store was examined. However, it turned out that the developers' statements often do not correspond to reality.
“A well-designed application should only request the permissions that are necessary for it to function. Users should always be careful about granting access and verify it carefully. Unfortunately, our investigation showed that this is not always observed,” said security researcher Mantas Kasilauskis.
What data do apps collect?
Location
Travel apps typically request access to users' location to offer local services and excursions. However, this data makes it possible to track people's movements and find out where they live and work.
For attackers, such information is a valuable resource for carrying out digital and physical attacks. It can also be used for targeted advertising or sales to third parties. All tested services have access to precise geographic coordinates (including latitude and longitude coordinates), but many hide this fact.
Camera
Fourteen of the 22 apps request access to the device's camera to take photos, record videos, and make video calls. Ten of them do not disclose that they have collected camera-related data. Justification for the need for camera access is usually limited to general language like “for application functionality” and “analytics,” which raises doubts about the legality of such permissions.
Phone status and IMEI
Some apps have risky permissions to read phone data that can identify the user and device. They can get IMEI, IMSI, phone number, serial number and SIM ID.
It's important to note that such data is typically only needed by system apps or apps signed with a platform key, and requesting it from travel apps raises serious questions.
File systems and system settings
HotelTonight, a hotel booking app, requests access to mount and unmount file systems on the device. The file system is an integral part of the operating system (OS). It organizes files and directories, tracks their location, and maintains file metadata for efficient search and storage of data.
The Hilton Honors app may close system dialogs, which also poses a risk of interfering with the device. Trip.com has the right to make changes to your device configuration, such as changing language, screen orientation, keyboard layout, and other device settings. It can also change system settings such as Wi-Fi, Bluetooth, sound or display.
SMS messages
MakeMyTrip, India's popular hotel, flight and transport booking app that has been downloaded over 50 million times, can read all SMS messages stored on a device, including sender and recipient information and message dates. This raises questions about the need for such access for an application designed for booking hotels and transport. SMS messages often contain sensitive information such as one-time passwords and verification codes, making this access particularly risky.
Accessing device storage
Travel apps also actively seek access to device storage.
Fourteen apps have the ability to read and write data to external storage, while the Hopper app can only read files stored on the device. Only three applications openly declare the collection of data related to files and documents, while the rest chose to remain silent about their right to access this data.
Device storage permission is sensitive because it allows an app to read, write, modify or delete data on external storage, including SD card and other external media.
Access to device storage may include user files such as photos, videos, documents, and other sensitive information. If such data is mishandled or falls into the hands of malicious actors, it can lead to data loss and privacy violations.
Microphone access
Three apps - Hotwire, Trip.com and MakeMyTrip - have permission to access the microphone and record audio from the device. Trip.com openly states this on Google Play Store, while MakeMyTrip and Hotwire do not mention it.
Contact details
MakeMyTrip, Hilton Honors and Hopper apps have access to the user's contacts. However, only MakeMyTrip is open about collecting this data. Contact information may contain sensitive information about friends, family and colleagues, making it especially sensitive.
Calls on behalf of the user
Three apps - MakeMyTrip, Hilton Honors and Trip.com - have permission to access messages and calls on the device without revealing this information to users. This allows apps to send text messages and make calls on behalf of the user, which can lead to privacy violations and fraud.
Companies' reaction
A MakeMyTrip spokesperson said that all permissions in the app are optional and are requested only in certain cases. For example, camera access is used to upload profile photos and verification documents such as currency exchange documents and visa applications. Call access is required to allow users to directly contact support through the app. Permissions to read external storage and phone state are used to address "very specific cases" and are requested based on the specific use case, with an appropriate explanation provided.
A Marriott Bonvoy representative noted that location data and camera access improve the user experience. For example, location data helps users find and book hotels, while camera access allows users to scan credit cards to add to their app profile. Both of these features are subject to the user's consent and settings can be changed at any time at the user's discretion.
A Trivago spokesperson stressed that all users of the platform must consent to the use of geolocation features. This allows users to search for hotels nearby by displaying them on a map along with the user's current location, making the process of finding a suitable place to stay much easier.
A spokesperson for Kayak and Momondo said the company is actively looking into why location information is not listed among the data collected in the Google Play Store, despite taking steps to disclose this information. Location data and camera access are used to improve the user experience, such as finding nearby airports and hotels. Users must enable access to these features within the app themselves.
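The comparison the investigation describes, permissions an app requests versus what its “Data Security” listing declares, can be reproduced as a simple audit. This is an added example, not code from the original post or from Cybernews; the manifest, the package name `com.example.travel`, the declared set and the permission-to-data-type mapping are all constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from manifest permissions to store-listing data-type
# labels; illustrative only, not an official Google table.
PERMISSION_TO_DATA_TYPE = {
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.CAMERA": "Photos and videos",
    "android.permission.RECORD_AUDIO": "Audio",
    "android.permission.READ_SMS": "Messages",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.READ_PHONE_STATE": "Device or other IDs",
    "android.permission.READ_EXTERNAL_STORAGE": "Files and docs",
    "android.permission.WRITE_EXTERNAL_STORAGE": "Files and docs",
}

# Constructed sample: decoded AndroidManifest.xml of a hypothetical app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.travel">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""

# Constructed sample: data types the same hypothetical app declares.
SAMPLE_DECLARED = {"Photos and videos", "Files and docs"}

def requested_permissions(manifest_xml):
    """Return the permission names a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    nodes = [n for tag in tags for n in root.iter(tag)]
    return {n.get(ANDROID_NS + "name") for n in nodes} - {None}

def undeclared_access(manifest_xml, declared_types):
    """Map each undeclared data type to the permissions that reach it."""
    gaps = {}
    for perm in requested_permissions(manifest_xml):
        data_type = PERMISSION_TO_DATA_TYPE.get(perm)
        if data_type and data_type not in declared_types:
            gaps.setdefault(data_type, []).append(perm)
    return {k: sorted(v) for k, v in gaps.items()}

if __name__ == "__main__":
    for data_type, perms in sorted(undeclared_access(SAMPLE_MANIFEST, SAMPLE_DECLARED).items()):
        print(f"{data_type}: requested via {', '.join(perms)} but not declared")
```

A requested permission shows what an app is able to access, not that it collects the data, so each gap reported here is a lead for manual review rather than proof of undisclosed collection.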