Lithuania: Research conducted by the online publication Cybernews explores how 22 travel and hotel apps access and collect user data, including location, camera and messages.
The Cybernews research team examined 22 apps downloaded from the Google Play Store. First, the team analysed what data each app declared it collects in its Google Play Store listing, and then compared these declarations with the app itself.
The apps under review included:
• Booking.com
• MakeMyTrip
• HotelTonight
• Tripadvisor
• Vrbo
• Expedia
• Hotels.com
• KAYAK
• Momondo
• Priceline
• Hotwire
• Hostelworld
• Hopper
• Marriott Bonvoy
• Radisson Hotels
• Trip.com
• Trivago
• Hilton Honors
• Agoda
• Jetcost
• Sindibad
• Travelstart
All the apps tested have access to the user’s precise and accurate location, including latitude and longitude coordinates. Booking.com, Hopper, KAYAK, Hilton Honors, Radisson Hotels and others do not disclose collecting location data.
14 of the 22 tested travel apps have access to the device’s camera to take photos, record videos, and conduct video calls. According to Cybernews, an app could potentially do this without user consent.
10 of these apps failed to disclose the collection of camera-related data on the Google Play Store – Marriott Bonvoy, Radisson Hotels, and Agoda are among them.
Trip.com, Hotwire and MakeMyTrip all have permission to access the device’s microphone and record audio input. While Trip.com discloses on the Play Store that it collects voice and sound recordings, the other two platforms do not, even though permission to access the microphone is built into the apps.
MakeMyTrip can also read SMS messages stored on the device. This includes information about the sender, receiver, and the dates of the messages.
MakeMyTrip, Hilton Honors, and Hopper can read contact lists on a device. While MakeMyTrip is transparent, Hilton Honors and Hopper do not disclose collecting contact-related data.
Booking.com, Expedia, Hilton Honors, Hotels.com, Hotwire, Trip.com, and other apps all have permission to read phone state as well. This includes the extraction of user identifiers such as the International Mobile Equipment Identity (IMEI), the International Mobile Subscriber Identity (IMSI), the phone number, the device serial number, and the unique identifier for the SIM card.
Cybernews security researcher Mantas Kasiliauskis said: “A well-designed app should only request permissions that are essential for its functionality, so users should always exercise caution when granting permissions to apps and review them carefully. Apps requesting sensitive permissions, particularly those related to the device’s system files and configuration, are red flags that potentially suggest either malicious intent or poor code design.”
The full Cybernews report includes details on an app’s ability to read files as well as company responses.