Travel apps are secretly harvesting your data| sitename

From Booking.com to Airbnb, Hilton to Radisson, every travel app you will use for your next vacation will try to milk your data. Cybernews researchers’ investigation revealed that some won’t even tell you about the secrets they are extracting from you. According to the data presented by the researchers, Booking.com, MakeMyTrip, and HotelTonight are the ultimate “champions” for data collection. 

According to the investigation, half of 22 widely used hospitality and vacation planning apps, including Booking.com, won’t tell the customers they collect their location data. (1) Some apps can simply read user SMS messages, access the camera and microphone, and read the files. Some of the tested apps can even make a call on the user’s behalf.

“A well-designed app should only request permissions that are essential for its functionality, so users should always exercise caution when granting permissions to apps and review them carefully. Apps requesting sensitive permissions, particularly those related to the device’s system files and configuration, are red flags that potentially suggest either malicious intent or poor code design,” said Cybernews security researcher Mantas Kasiliauskis.

All apps have access to an exact location

Investigation shows that all the apps researchers tested had access to the user’s precise and accurate location, including latitude and longitude coordinates. Unfortunately, many of them decided to keep this information secret. Booking.com, Agoda, Momondo, Hilton Honors, and the other six apps do not disclose collecting location-related data. (2)

Travel apps frequently request access to users’ precise locations to offer better services. However, granting this access will enable those apps to track your movements and learn where you live and work.

A dozen apps have access to your camera

14 out of 22 tested travel apps have access to the device’s camera to take photos, record videos, and conduct video calls. An app could potentially do this without user consent, compromising the user’s privacy and security. 

Ten apps failed to disclose the collection of camera-related data on the Google Play Store. Agoda, Marriott Bonvoy, Radisson Hotels, Trip.com, Momondo, and others are among them. The ones that disclosed it said such permission was mostly needed for “app functionality” and “analytics.” Booking.com, Tripadvisor, MakeMyTrip, HostelWorld, and HotelTonight declare collecting camera-related data. (3) 

Some apps know your phone and IMEI numbers

According to the research, some travel apps have particularly risky accesses that allow them to read phone state, which could allow them to identify the user and the device. Booking.com, Expedia, Hilton Honors, Hotels.com, Hotwire, Trip.com, and other apps have permission to read phone state. (4) 

This permission allows the extraction of various user identifiers, such as the International Mobile Equipment Identity (IMEI), the International Mobile Subscriber Identity (IMSI), the phone number, the device serial number, and the unique identifier for the SIM card. A significant concern is that hotel booking and rental apps do not have a legitimate reason to request such permissions from users, as they do not need them to function properly.

MakeMyTrip app can read your SMS messages

Research revealed that MakeMyTrip, a popular Indian app with over 50 million downloads for booking hotels, flights, and transport, can read SMS messages stored on the device. This includes information about the sender and receiver and the dates of the messages.

HotelTonight can manipulate file systems

An accommodation booking app owned by Airbnb – HotelTonight – requests users’ access to mount and unmount file systems on the device. 

A file system is an integral part of an operating system (OS). It organizes files and directories, tracks their locations, and maintains metadata about the files, ensuring efficient data retrieval and storage. The discovered permission allows the app to manipulate and modify files at the system level, potentially leading to serious security risks.

Hilton can control open dialogs on your device 

The Hilton Honors app has permission to access the device’s system-level components. This permission lets an app request the system close any open system dialogs, including critical user interface (UI) components such as the notification shade, recent apps screen, and power dialog.

While this permission is primarily used by the device’s system, mishandling of it might result in the app forcibly closing system dialogs and interfering with the regular operation of the device’s UI.

Chinese giant can change languages and modify settings 

Trip.com app, with over 10 million downloads, can modify a device’s system settings and configuration. This app potentially has the right to mess with a device’s configuration, such as changing the language, screen orientation, keyboard layout, and other device settings. It lets the app modify system settings like WiFi, Bluetooth, sound, or display.

Fourteen travel apps can read your files

Fourteen travel apps had the means to read and write to external storage, while Hopper could only read the files stored in the device. (5) Only three apps (Booking.com, MakeMyTrip, and HotelTonight) are transparent about collecting “files and docs.” At the same time, the rest, such as Tripadvisor, Agoda, Hotels.com, Trip.com, and others, decided to remain silent about having the right to collect file-related data.

Permission to access a device’s storage is sensitive as it enables an app to access, write, modify, or delete data on external storage, including an SD card and other external media. Access to a device’s storage may also comprise user files, such as photos, videos, documents, and other confidential information. 

Some apps have access to your microphone and  could be calling on your behalf

Three out of twenty-two tested travel apps – Hotwire, Trip.com, and MakeMyTrip – have permission to access the device’s microphone and record audio input. Trip.com disclosed on the Play Store that it collects voice and sound recordings. In contrast, MakeMyTrip and Hotwire do not disclose the collection of audio-related data, but permission to access the microphone is built into their apps. Booking.com declares on the Play Store that it collects audio-related data.

These apps know who’s on your contact list

Permission was found on three travel apps –  MakeMyTrip, Hilton Honors, and Hopper – to allow users to read a device’s contact lists. This is highly concerning, as travel apps do not need access to user contacts to accommodate clients’ trips. MakeMyTrip is transparent, while Hilton Honors and Hopper app developers do not disclose collecting contacts-related data.

Research methodology

The Cybernews research team examined 22 widely used hospitality and vacation planning apps, downloaded by millions of users on the Google Play Store, to determine what data they access and might collect.

First, the team analyzed what data these apps claim to collect at the Google Play Store since they are required to do so in the “Data Safety” section. However, the claims on the Play Store don’t necessarily show the whole picture, as developers fill this section manually, and one shouldn’t blindly trust those claims. So, researchers decided to dig deeper and check whether the developers’ claims were up to scratch. Not only do some apps fail to disclose that they collect your sensitive data, but there seems to be no legitimate reason for harvesting it, either.

Attached visuals list: 

• The visual “The most data-hungry apps” shows a list of all tested apps ranked from top to bottom.
  
   
• The visual “Apps and an exact location” shows which apps declare collecting user location data, which does not declare. 
  
   
• The visual “Apps and camera-related data” shows which apps disclose the collection of camera-related data and which do not. 
  
   
• The visual “Apps and permission to read phone state” shows which apps have permission to read phone state. 
  
   
• The visual “Apps and files related data” shows which apps disclose and which not that they are collecting files related data.