These travel apps that are greedy for personal data – TOM.travel

A Cybernews report reveals that 22 well-known travel apps access personal data and critical system files on Android. These access permissions sometimes appear to be hidden from users despite the GDPR, and they pose risks to the proper functioning of the device. The ultimate fear is that hackers get their hands on the databases of these applications and grant themselves access rights to the data.

Are travel apps a little too greedy for personal data? This is the observation made by our colleagues at Cybernews after analyzing 22 Android applications widely used in the hotel and travel sector. The analysis reveals that certain applications grant themselves the right to read all SMS exchanges (this is notably the case of the Indian OTA MakeMyTrip), access the camera or microphone (14 of the 22 travel apps tested), read user files and even modify system settings, as is the case for HotelTonight in particular, an application belonging to the Airbnb group.

The top 22 travel apps on Android that consume the most personal data. Credit: Cybernews

“Apps that request sensitive permissions, especially those related to system files and device configuration, are red flags that may suggest malicious intent or poor code design,” warns Mantas Kasiliauskis, security researcher. According to information from Cybernews, Booking.com, MakeMyTrip and HotelTonight are among the most intrusive.

At the top, apps that declare access to the user’s phone camera; at the bottom, those that access it without asking the user’s permission. Credits: Cybernews

A lack of transparency

Others even have the ability to make phone calls. The problem lies not so much in the power given to these apps as in the fact that certain companies do not explicitly reveal that they use this personal data, either in the information displayed in the Google Play Store or in the files published by the developers. This behavior nevertheless runs counter to the GDPR, which calls for total transparency when it comes to using users’ personal data.

Travel apps that have permission to read phone data, according to Cybernews report. Credits: Cybernews

“A well-designed app should only request permissions that are essential to its operation. Users should therefore always exercise caution when granting permissions to apps and review them carefully. Unfortunately, our investigation revealed that this is not always the case,” deplores Mantas Kasiliauskis.

Access to sensitive device data

Access to the international mobile equipment identity (IMEI), the international mobile subscriber identity (IMSI), the telephone number, or even the serial number of the device and the unique identifier of the SIM card is particularly risky and unjustified, according to cybersecurity specialists. The researcher also points to the security risks associated with the discovered permission that allows HotelTonight to manipulate and modify files at the system level.

At the top, travel apps that declare that they collect geolocation data; in the middle, those that have access to approximate or precise geolocation; at the bottom, those that do not declare access to geolocation data. Credits: Cybernews

The same goes for the fact that applications such as Hilton Honors or Trip.com are able to modify the configuration of a device, for example by changing the language, screen orientation, keyboard layout and other device settings. That is enough to disrupt the user experience or interfere with the functioning of other applications. By hacking the databases of these applications, hackers would have free rein to interfere with the proper functioning of users’ mobile phones.

Permissions are optional, MakeMyTrip and Marriott Bonvoy insist

“We favor transparency by clearly explaining the reason for each authorization. For example, camera access is used to upload profile photos and verification documents, including for currency exchanges and visa applications,” a MakeMyTrip spokesperson told Cybernews in the company's defense, stressing that the requested authorizations were optional.

A representative of Marriott Bonvoy took the same line, emphasizing the optional nature of the geolocation and camera access authorizations. “They are neither mandatory nor set by default at the time of downloading the app – the app user must give specific permission in their mobile device settings”, he explains. For their part, Kayak and Momondo said they were investigating the fact that the authorizations requested by their application are not clearly reported on the Google Play Store. As a reminder, the permissions granted to applications can be reviewed from the phone settings via the “Application Manager” or from the “Applications” tab.
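The transparency gap described above can be checked mechanically. The following Python is an added example, not code from Cybernews or from any of the apps named: it lists the sensitive permissions an app's manifest requests and reports those missing from what its store listing discloses. The sample manifest, the package name `com.example.travel`, the category labels and the disclosed set are constructed, and the manifest is assumed to be already decoded from the APK into text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names mapped to the data categories the article
# discusses. The category labels are this example's own choice.
CATEGORIES = {
    "android.permission.READ_SMS": "sms",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_EXTERNAL_STORAGE": "user files",
    "android.permission.WRITE_SETTINGS": "system settings",
    "android.permission.CHANGE_CONFIGURATION": "device configuration",
    "android.permission.CALL_PHONE": "phone calls",
    "android.permission.READ_PHONE_STATE": "phone data",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
}

# Constructed sample manifest for a hypothetical app (already decoded to text).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.travel">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_PHONE_STATE"/>
</manifest>
"""

def declared_permissions(manifest_xml):
    """Return every permission name requested in the manifest."""
    root = ET.fromstring(manifest_xml.strip())
    tags = ("uses-permission", "uses-permission-sdk-23")
    return {el.get(ANDROID_NS + "name") for t in tags for el in root.iter(t)} - {None}

def undisclosed_categories(manifest_xml, disclosed):
    """Sensitive categories the manifest requests but the listing omits."""
    requested = {CATEGORIES[p] for p in declared_permissions(manifest_xml)
                 if p in CATEGORIES}
    return sorted(requested - set(disclosed))

if __name__ == "__main__":
    # Constructed store disclosure: only camera and location are declared.
    for category in undisclosed_categories(SAMPLE_MANIFEST, {"camera", "location"}):
        print("requested but not disclosed:", category)
```

A permission requested in the manifest is not necessarily granted at runtime, so the output shows what an app can ask for, not what a given user has allowed.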

Opening photo: Pathum Danthanarayana
