Airlines apps might know more than you think; some of them could call on your behalf
Cybernews analyzed the 14 popular airlane apps, and the investigation revealed that examined apps might have sensitive access to travelers’ devices.
Cybernews researcher's investigation into the airlane app permissions on users’ devices showed that many of the tested apps might have sensitive access to your phone and data once installed. According to the data presented by the researchers, American Airlines and United Airlines were found to collect the most data from all the investigated apps. In contrast, Philippine Airlines collected the fewest data points.
What data do airline apps claim to collect?
Researchers have tested the 14 apps for sensitive Android permissions to check whether the airline apps can access user location, camera, storage, phone state, microphone, contacts, accounts on the device, messages and calls.
Research results showed that not all apps disclose the data points on Google Playstore that may be collected by the permissions that users grant to the app on their device.
Every travel app has access to your location
All of the tested airline apps had access to an exact user location. Most airlines declared they locate their users mainly for app functionality, personalization, and marketing reasons. Unfortunately, not all airlines mention they collect passenger locations via airline apps. Those that do not disclose it are RyanAir, FlyDelta, and Aegean.
Spirit and Frontier Airlines disclose that they collect only the approximate user location, while the permissions allow access to the exact location.
Access to camera: just 3 of 14 airlines disclosed the collection of camera-related data
12 out of 14 tested apps had camera permission. However, only three airlines disclosed the collection of camera-related data, naming it as part of the app’s functionality and security and compliance attempts. Others have not disclosed it, but the permission is present in the app.
Among airline apps that do not disclose that they are collecting camera-related data are Air Asia, Fly Delta, Spirit Airlines, Southwest Airlines, Frontier Airlines, Singapore Airlines, Vietnam Airlines, and Aegean Airlines.
Nine airlines have not mentioned that they potentially collect storage data
Eleven tested apps could read and write into device storage, and one app had permission only to read the files on the device’s storage. The data that apps can access may include user-generated files, photos, videos, documents, and other private data. If exploited by malicious actors, it can potentially cause data loss and privacy breaches.
Only three airlines disclosed that they collect data related to files, claiming it is needed for app functionality, analytics, and security reasons. The remaining nine airlines have not mentioned that they potentially have access to the storage.
Reading phone state: 9 of 14 analyzed airline apps had this permission
The investigation found that nine airline apps had this permission. Reading phone state information is considered sensitive because it grants an app access to data that can identify the device and user. This information can include sensitive information such as the device's phone number, network status, network operator, IMEI codes, SIM card, and information about the internet provider.
None of the investigated airlines disclose access to the microphone
Researchers found that fourth airline apps have this permission, but none of the airlines disclose it on Playstore. Airlines that have access to the microphone and do not disclose collecting audio-related data on Google Play Store are AirAsia, United Airlines, RyanAir, and Singapore Airlines.
Airlines do not need access to user contacts, but three apps have this access
Contact information is sensitive, as it may contain private data about friends, family, colleagues, and acquaintances. However, three tested apps (AirAsia (can read and write), Turkish Airlines (can only read), and Vietnam Airlines (can only read) had access to users' contact lists and associated information on the device.
This is highly concerning, as airlines do not need access to user contacts to accommodate clients’ trips. None of the app developers disclose this permission to be present.
Ryanair can access account data on the device
The permission to get accounts grants an app access to the user's accounts associated with the device. This would mean that the app can retrieve a list of accounts, including email addresses, registered on the device, e.g., Google, Meta, Samsung, and other accounts.
From the tested airlane apps, Ryanair can access account data on the device. This type of permission for an airline app is unnecessary for its functionality but could potentially have privacy and security risks.
Some airlines could call on your behalf
Four airlines had yet another redundant permission to access SMS and Calls on users' devices without disclosing it. Apps with such permission can send text messages and call on behalf of the user. Airlines that have access to SMS and Calls and do not disclose it are Turkish Airlines, United Airlines, and Spirit Airlines.