
Airline Apps Might Know More Than You Think, Study Finds

Cybernews analyzed 14 popular airline apps; the investigation revealed that some apps might have sensitive access to travelers’ devices.

Note: TDWI's editors carefully choose vendor-issued press releases about new or interesting research and services. We have edited and/or condensed this release to highlight key study results or service features but make no claims as to the accuracy of the vendor's statements.

An investigation by Cybernews researchers into airline app permissions on users’ devices showed that many of the tested apps might have sensitive access to your phone and data once installed. According to the data presented by the researchers, American Airlines and United Airlines were found to collect the most data of all the investigated apps. In contrast, Philippine Airlines collected the fewest data points.

Researchers tested the 14 apps for sensitive Android permissions to check whether the airline apps can access user location, camera, storage, phone state, microphone, contacts, accounts on the device, messages, and calls. The results showed that not all apps disclose on the Google Play Store the data points that may be collected through the permissions users grant to the app on their device.
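The comparison described above, requested permissions versus what the store listing declares, can be sketched as follows. This is an added example, not the researchers' tooling: the manifest, the `com.example.flightapp` package, the category labels, and the disclosure set are constructed, and it assumes the manifest has already been decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Android permission names mapped to the data categories the study checked.
CATEGORY = {
    "ACCESS_FINE_LOCATION": "precise location",
    "ACCESS_COARSE_LOCATION": "approximate location",
    "CAMERA": "camera",
    "READ_EXTERNAL_STORAGE": "storage",
    "WRITE_EXTERNAL_STORAGE": "storage",
    "READ_PHONE_STATE": "phone state",
    "RECORD_AUDIO": "microphone",
    "READ_CONTACTS": "contacts",
    "WRITE_CONTACTS": "contacts",
    "GET_ACCOUNTS": "accounts",
    "SEND_SMS": "messages",
    "CALL_PHONE": "calls",
}

def requested_categories(manifest_xml):
    """Return {category: sorted permission names} requested by the manifest."""
    found = {}
    root = ET.fromstring(manifest_xml)
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name", "")
            short = name[len(PREFIX):] if name.startswith(PREFIX) else None
            if short in CATEGORY:
                found.setdefault(CATEGORY[short], set()).add(short)
    return {cat: sorted(perms) for cat, perms in found.items()}

def undisclosed(manifest_xml, disclosed):
    """Categories the manifest can reach that the store listing does not declare."""
    return {c: p for c, p in requested_categories(manifest_xml).items()
            if c not in disclosed}

# Constructed sample: decoded manifest of a hypothetical app, not a tested airline.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flightapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""
# Constructed disclosure: the listing declares only approximate location.
SAMPLE_DISCLOSED = {"approximate location"}
```

Calling `undisclosed(SAMPLE_MANIFEST, SAMPLE_DISCLOSED)` flags precise location, camera, and contacts, which mirrors the case where a listing declares approximate location while the app holds the fine-location permission.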

All of the tested airline apps had access to the user's exact location. Most airlines declared they locate their users mainly for app functionality, personalization, and marketing reasons. Unfortunately, not all airlines mention that they collect passenger locations via airline apps. Those that do not disclose it are Ryanair, Fly Delta, and Aegean.

Spirit and Frontier Airlines disclose that they collect only the approximate user location; however, the permissions allow access to the exact location.

Out of 14 apps examined, 12 had camera permission. However, only three airlines disclosed the collection of camera-related data, naming it as part of the app’s functionality and its security and compliance purposes. Others have not disclosed it, but the permission is present in the app.

Among the airline apps that do not disclose that they are collecting camera-related data are AirAsia, Fly Delta, Spirit Airlines, Southwest Airlines, Frontier Airlines, Singapore Airlines, Vietnam Airlines, and Aegean Airlines.

Eleven tested apps could read from and write to device storage, and one app had permission only to read the files on the device’s storage. The data that apps can access may include user-generated files, photos, videos, documents, and other private data. If exploited by malicious actors, this access can potentially cause data loss and privacy breaches.

Only three airlines disclosed that they collect data related to files, claiming it is needed for app functionality, analytics, and security reasons. The remaining nine airlines have not mentioned that they potentially have access to the storage.

The investigation found that nine airline apps had permission to read the user’s phone state information, which is considered sensitive because it grants an app access to data that can identify the device and user. This can include sensitive details such as the device's phone number, network status, network operator, IMEI codes, SIM card, and information about the internet provider.

Researchers found that four airline apps have permission to access the microphone, but none of the airlines disclose it on the Play Store. Airlines that have access to the microphone and do not disclose collecting audio-related data are AirAsia, United Airlines, Ryanair, and Singapore Airlines.

Contact information is sensitive, as it may contain private data about friends, family, colleagues, and acquaintances. However, three tested apps had access to users' contact lists and associated information on the device: AirAsia (can read and write), Turkish Airlines (can only read), and Vietnam Airlines (can only read).

This is highly concerning because airlines do not need access to user contacts to accommodate clients’ trips. None of the app developers disclose that this permission is present.

The permission to get accounts grants an app access to the user's accounts associated with the device. This would mean that the app can retrieve a list of accounts, including email addresses, registered on the device, e.g., Google, Meta, Samsung, and other accounts.

Of the tested airline apps, Ryanair can access account data on the device. This type of permission is unnecessary for an airline app's functionality but could potentially pose privacy and security risks.

Four airlines had yet another redundant permission to access SMS and calls on users' devices without disclosing it. Apps with such permission can send text messages and place calls on behalf of the user. Airlines that have access to SMS and calls and do not disclose it are Turkish Airlines, United Airlines, and Spirit Airlines.
