From Booking.com to Airbnb, Hilton to Radisson, every travel app you use for your next vacation will try to tap into your data. An investigation by Cybernews researchers revealed that some won’t even tell you what secrets they extract from you. According to the data presented by the researchers, Booking.com, MakeMyTrip and HotelTonight are the real “ champions » of data collection.
According to the survey, half of 22 widely used hospitality and vacation planning apps, including Booking.com, will not inform customers that they are collecting their location data. Some apps can simply read users’ SMS messages, access the camera and microphone, and play the files. Some of the apps tested can even make a call on the user’s behalf.
A well-designed app should only ask for permissions essential to its operation, so users should always exercise caution when granting permissions to apps and review them carefully. Apps requesting sensitive permissions, especially those related to system files and device configuration, are red flags potentially suggesting malicious intent or poor code design
said Mantas Kasiliauskis, security researcher at Cybernews.
All applications have access to a precise location
The investigation shows that all apps tested by the researchers had access to the user’s precise and exact location, including latitude and longitude coordinates. Unfortunately, many of them have decided to keep this information secret. Booking.com, Agoda, Momondo, Hilton Honors and six other apps do not disclose location-related data collection.
Travel apps frequently request access to users’ precise locations to provide better services. However, granting this access will allow these apps to track your movements and know where you live and work.
A dozen apps have access to your camera
14 of the 22 travel apps tested have access to the device’s camera to take photos, record videos, and make video calls. An app could potentially do this without user consent, compromising the user’s privacy and security.
Ten apps did not disclose camera-related data collection on the Google Play Store. Agoda, Marriott Bonvoy, Radisson Hotels, Trip.com, Momondo, and others are among them. Those who disclosed it indicated that this authorization was mainly necessary for “ application functionality ” and the “ analyzes “. Booking.com, Tripadvisor, MakeMyTrip, HostelWorld and HotelTonight claim to collect camera data.
Some apps know your phone numbers and IMEI
According to the research, some travel apps have particularly risky accesses that allow them to read the phone’s state, which could allow them to identify the user and the device. Booking.com, Expedia, Hilton Honors, Hotels.com, Hotwire, Trip.com and other apps have permission to read phone status.
This permission allows extraction of various user identifiers, such as International Mobile Equipment Identity (IMEI), International Mobile Subscriber Identity (IMSI), phone number, device serial number and the unique identifier of the SIM card. A major concern is that hotel and rental booking apps have no legitimate reason to ask users for such permissions, as they do not need them to function properly.
MakeMyTrip app can read your SMS messages
The research found that MakeMyTrip, a popular app in India with over 50 million downloads for booking hotels, flights and transportation, can read SMS messages stored on the device. This includes information about the sender and recipient as well as the dates of the messages.
HotelTonight can manipulate file systems
An Airbnb-owned accommodation booking app – HotelTonight – asks users for access to mount and unmount file systems on the device.
A file system is an integral part of an operating system (OS). It organizes files and directories, tracks their locations, and maintains file metadata, ensuring efficient data retrieval and storage. Discovery permission allows the application to manipulate and modify files at the system level, which can cause serious security risks.
Hilton can control the dialogs opened on your device
The Hilton Honors app has permission to access the system components of the device. This permission allows an application to instruct the system to close all open system dialogs, including critical user interface (UI) components such as notification, recent applications screen, and power off dialog.
Although this permission is primarily used by the device’s system, mishandling it could cause the application to forcefully close system dialogs and interfere with the regular operation of the device’s user interface.
A Chinese giant can change languages and modify settings
The Trip.com app, with over 10 million downloads, can change the device’s settings and system configuration. This application potentially has the right to manipulate the device configuration, such as changing the language, screen orientation, keyboard layout and other device settings. It allows the app to change system settings such as WiFi, Bluetooth, sound or display.
Fourteen travel apps can read your files
Fourteen travel apps had the means to read and write to external storage, while Hopper could only read files stored on the device. Only three applications (Booking.com, MakeMyTrip and HotelTonight) are transparent about the collection of “ files and documents “. At the same time, others, such as Tripadvisor, Agoda, Hotels.com, Trip.com and others, have decided to remain silent on the right to collect file-related data.
Permission to access a device’s storage is sensitive because it allows an application to access, write, modify or delete data on external storage, including an SD card and other external media . Access to a device’s storage may also include user files, such as photos, videos, documents, and other confidential information.
Some apps have access to your microphone and can make calls on your behalf
Three of the twenty-two travel apps tested – Hotwire, Trip.com and MakeMyTrip – have permission to access the device’s microphone and record audio input.
Trip.com has disclosed on the Play Store that it collects voice and sound recordings. In contrast, MakeMyTrip and Hotwire do not disclose audio-related data collection, but microphone access permission is built into their apps. Booking.com states on the Play Store that it collects audio-related data.
These apps know who is in your contact list
The permission was found on three travel apps – MakeMyTrip, Hilton Honors and Hopper – allowing users to read the device’s contact lists. This is of great concern because travel apps do not need access to user contacts to arrange customer trips. MakeMyTrip is transparent, while Hilton Honors and Hopper developers do not disclose contact data collection.
Research methodology
The Cybernews research team examined 22 widely used hospitality and vacation planning apps, downloaded by millions of users on the Google Play Store, to determine what data they access and may collect.
First, the team analyzed what data these apps claim to collect on the Google Play Store, as they are required to do so in the “ Data security “. However, claims on the Play Store do not necessarily show the whole picture, as developers fill out this section manually, and one should not blindly trust these claims. So, the researchers decided to go further and check whether the developers’ claims were up to par. Not only do some apps not reveal that they are collecting your sensitive data, but there also appears to be no legitimate reason to collect it.
The report is available at https://cybernews.com/privacy/top-travel-apps-privacy/
Author Bio
A connoisseur of the digital marketplace and a master of the written word, this 30-year-old English expert brings to the table a wealth of knowledge rooted in the sale of digital products and a passion for blogging that resonates with an audience seeking expertise and insight in the online realm.
Their insights are drawn from hands-on experience navigating the intricacies of e-commerce and content creation—leading the forefront of digital innovation and communication. Whether it’s breaking down complex marketing strategies or sharing tips on how to captivate an online audience, their work stands as a testament to a career built upon successful digital engagement and savvy business acumen.
Stay tuned to absorb compelling content from a voice that not only understands the digital landscape but also shapes its future through every blog post and digital strategy.
