Cybernews research reveals that the most popular airline apps might have sensitive access to travelers' devices.
Airline apps have become synonymous with travel, with paper tickets on the road to extinction. While nearly every airline existent has a mobile app to provide customers with fast check-in, ticketing, and booking services, it might also be intruding into a user’s privacy and posing cybersecurity risks.
In 2022, AirAsia was allegedly hit by a ransomware attack that resulted in the data of over five million passengers and employees being stolen. Just this month, another threat actor claimed to have breached AirAsia again, and the National Cyber Security Agency (NACSA) in Malaysia stated that the airline is investigating the claims.
Airlines, in general, process a tremendous amount of sensitive passenger data. With big airlines firmly on threat actors' radar, the security of passenger data is becoming more important than ever.
On March 21st, 2024, the US Department of Transportation (DOT) announced that it would undertake a privacy review of the nation’s ten largest airlines to determine how passenger data is collected and handled.
And at Cybernews, we’ve taken a look at 14 popular aviation apps to find out what data the apps collect. A deeper investigation into the app permissions on users’ devices showed that many aviation apps, once installed, might have sensitive access to your phone and data, and not all airlines disclose this.
Here are the apps we investigated:
- Air Asia
- Turkish Airlines
- American Airlines
- United Airlines
- Fly Delta
- Ryanair
- Spirit Airlines
- Southwest Airlines
- Frontier Airlines
- Alaska Airlines
- Singapore Airlines
- Philippine Airlines
- Vietnam Airlines
- Aegean Airlines
What data do airline apps claim to collect?
Airlines already have tons of sensitive data about their customers, including passport data, travel routes and, in some cases, biometric and health-related data. The airlines' apps contribute to collecting and processing an even wider array of customer data.
Google Playstore asks developers to disclose how the app collects, shares, and handles user data. Users can find this information in the “Data Safety” section before downloading the app. We checked what data apps declare to collect to define the most and least data-hungry.
American and United Airlines were found to collect the most data from all the apps that we investigated. Philippine Airlines collected the fewest data points. Most of the apps stated that they share a part of collected user data with third parties.
However, that’s not all in this story. The “Data Safety” section on Playstore is filled out by the developers themselves manually. Google can only hope that developers will be honest and diligently disclose correct and accurate information to the user.
Risky app permissions on a device
A “Data Safety” disclosure on the store does not give the entire picture of what data could potentially be gathered by the app, as it does not disclose what permissions the app has on the device.
A well-designed app should only request permissions that are essential for its functionality. Users should always exercise caution when granting permissions to apps and review them carefully.
We have tested the same 14 apps for sensitive Android permissions to check whether the airline apps can get access to:
- User location
- Camera
- Storage
- Phone state
- Microphone
- Contacts
- Accounts on the device
- Messages and calls
These permissions are considered sensitive. Apps that request them should provide clear explanations of why they need access, and users should understand how the app will use this data.
Our results showed that not all apps disclose the data points on Google Playstore that may be collected by the permissions that users grant to the app on their device.
According to Google Support, the information in the app permissions list may be different from what's in the “Data safety” section for three reasons:
1) The app accesses data to process it on the device but doesn’t collect or share it.
2) The app collects data in a way that’s not managed by permissions.
3) The service or data type in the permissions list isn’t covered in the Data Safety section.
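As an added example (not Cybernews' tooling), a small Python audit that reads the uses-permission entries from an app's AndroidManifest.xml, maps the sensitive permissions named in this article to data categories, and reports which categories a Data Safety declaration omits. The manifest and the declared category set are constructed samples, not taken from any airline app.

```python
"""Audit an Android manifest for sensitive permissions and compare the result
with the data categories an app declares in its Data Safety form."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Sensitive permissions discussed in the article, grouped by the data they expose.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
    "android.permission.READ_PHONE_STATE": "phone_state",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.GET_ACCOUNTS": "accounts",
    "android.permission.CALL_PHONE": "calls",
}

# Constructed sample manifest; the package name is a placeholder.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.airline">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return every android:name value of a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission")]


def sensitive_categories(manifest_xml):
    """Map each data category to the sensitive permissions that reach it."""
    found = {}
    for perm in requested_permissions(manifest_xml):
        if perm in SENSITIVE:
            found.setdefault(SENSITIVE[perm], []).append(perm)
    return found


def undisclosed(manifest_xml, declared):
    """Categories reachable through permissions but absent from the Data Safety form."""
    return sorted(set(sensitive_categories(manifest_xml)) - set(declared))


if __name__ == "__main__":
    declared = {"location"}  # constructed Data Safety declaration
    for cat, perms in sensitive_categories(SAMPLE_MANIFEST).items():
        print(f"{cat}: {', '.join(p.rsplit('.', 1)[-1] for p in perms)}")
    print("undisclosed:", undisclosed(SAMPLE_MANIFEST, declared))
```

A mismatch reported here is a prompt to check the three reasons above, not proof of hidden collection.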
Cybernews contacted the airlines to ask why their apps need sensitive permissions on users’ devices. A response is yet to be received.
Every travel app has access to your location
Location permissions are considered highly sensitive because they grant an app access to the device's precise and accurate location information, including latitude and longitude coordinates.
Permission names:
- ACCESS_FINE_LOCATION
- ACCESS_COARSE_LOCATION
The location might be needed for airline app functionality to accommodate flight searches. Physical location tracking is also useful for providing location-based offers, services, and relevant information.
Most airlines promote car rental, accommodation, and other vacation services, so precise locations are gold for targeted advertisement. Also, location could be needed for location-based tools such as maps.
However, apps requesting access to a precise location can track users’ movements and provide a detailed picture of daily routines, revealing their home and workplace, which can potentially compromise users’ privacy and security if the data falls into the wrong hands.
All of our tested airline apps had access to an exact user location. Most airlines declare that they locate their users mainly for app functionality, personalization, and marketing reasons.
Unfortunately, not all airlines mention they collect passenger locations via airline apps. Among the ones that do not disclose it are Ryanair, FlyDelta, and Aegean.
Spirit and Frontier Airlines disclose that they collect only the approximate user location, while the permissions allow access to the exact location.
Why apps collect location data, according to information on Google Playstore:
- Air Asia: App Functionality, Advertising or Marketing, Personalization
- Turkish Airlines: App Functionality
- American Airlines: App Functionality
- United Airlines: App Functionality, Analytics, Advertising or Marketing, Fraud Prevention, Security and Compliance, Personalization
- Spirit Airlines: Analytics, Personalization (discloses only to collect approximate location)
- Frontier Airlines: Analytics (discloses only to collect approximate location)
- Southwest Airlines: App Functionality, Personalization
- Alaska Airlines: App Functionality
- Singapore Airlines: App Functionality, Analytics
- Philippine Airlines: App Functionality
- Vietnam Airlines: App Functionality, Fraud Prevention, Security and Compliance
Access to camera
This permission allows apps to interact with the device’s camera, enabling features such as taking photos, recording videos, and conducting video calls.
In the context of airline apps, this permission would be needed for functionalities where the user would take a photo and submit it to the airlines via the app, e.g., submitting a passport or other document to the support. However, such a use case is highly questionable.
12 out of 14 tested apps had the camera permission. However, only three of the airlines disclosed the collection of camera-related data, naming it as part of the app’s functionality and of security and compliance efforts. The others have not disclosed it, but the permission is present in the app.
Permission name:
- CAMERA
The camera is a sensitive hardware component that can potentially capture visual information about the user's surroundings. If compromised, camera permission could grant malicious actors access to the user's camera and microphone without their knowledge.
Why the app collects camera-related data, according to information on the Google Play Store:
- American Airlines: App Functionality, Fraud Prevention, Security and Compliance
- United Airlines: App Functionality, Analytics, Fraud Prevention, Security and Compliance
- Ryanair: App Functionality
Airline apps that do not disclose collecting camera-related data:
- Air Asia
- Fly Delta
- Spirit Airlines
- Southwest Airlines
- Frontier Airlines
- Singapore Airlines
- Vietnam Airlines
- Aegean Airlines
Access to storage
Storage is the third most requested permission. Eleven tested apps could read and write to device storage, and one app had permission only to read the files on the device’s storage. Access to storage might be needed to download boarding passes or other files related to the airlines’ services.
Permission names:
- WRITE_EXTERNAL_STORAGE
- READ_EXTERNAL_STORAGE
However, permission to access the device’s storage is considered sensitive because it grants an app the ability to write and modify data on the external storage of the device, which includes the SD card and other external storage media.
The data that apps can access may include user-generated files, photos, videos, documents, and other private data. If exploited by malicious actors, it can potentially cause data loss and privacy breaches.
Only three airlines disclosed that they collect data related to files, claiming it is needed for app functionality, analytics, and security reasons. The remaining nine airlines have not mentioned that they potentially have access to the storage.
Why apps need access to your storage, according to information on the Google Play Store:
- American Airlines: App Functionality, Fraud Prevention, Security and Compliance
- United Airlines: App Functionality, Analytics, Fraud Prevention, Security and Compliance
- Ryanair: App Functionality
Airline apps that do not disclose collecting data related to storage:
- Spirit Airlines
- Air Asia
- Southwest Airlines
- Frontier Airlines
- Singapore Airlines
- Vietnam Airlines
- Aegean Airlines
- Fly Delta (can only read storage)
Reading phone state
The permission to read phone state is another permission that’s widely used by the tested airline apps. We found that nine airline apps had this permission.
Reading phone state information is considered sensitive because it grants an app access to data that can identify the device and user.
Permission name:
- READ_PHONE_STATE
This information can include sensitive information such as the device's phone number, network status, network operator, IMEI codes, SIM card, and information about the internet provider.
If it falls into the wrong hands, this permission could be used to sniff the communication taking place on the device.
Why apps collect phone state data, according to information on Google Play Store:
- Air Asia: App Functionality, Analytics, Personalization
- United Airlines: App Functionality, Analytics, Developer Communications, Advertising or Marketing, Fraud Prevention, Security and Compliance, Personalization, Account Management
- Ryanair: Fraud Prevention, Security and Compliance
- Spirit Airlines: Analytics
- Southwest Airlines: App Functionality, Analytics
- Frontier Airlines: App Functionality, Analytics, Fraud Prevention, Security and Compliance
- Singapore Airlines: Analytics, Developer Communications, Advertising or Marketing
- Vietnam Airlines: App Functionality, Advertising or Marketing, Fraud Prevention, Security and Compliance, Account Management
Access to microphone
Microphone permission is used to access the device's microphone and record audio input. If exploited, the permission might lead to unauthorized surveillance, capturing sensitive conversations and personal information. It might also be used for unconsented marketing.
We found that four airline apps have this permission. None of the airlines disclose it on Playstore.
Permission name:
- RECORD_AUDIO
Airlines whose apps have access to the microphone and do not disclose collecting audio-related data on Google Play Store:
- Air Asia
- United Airlines
- Ryanair
- Singapore Airlines
Access to your contacts
Permission to access contacts allows apps to write and read contact lists on the device.
Contact information is sensitive, as it may contain private data about friends, family, colleagues, and acquaintances, including names, phone numbers, email addresses, and other contact details.
If misused, this permission might lead to unwanted data scraping, infringement of user privacy, or even exploitation of data in crafting various fraudulent schemes.
Permission names:
- READ_CONTACTS
- WRITE_CONTACTS
Three apps had access to users' contact lists and associated information on the device. This is highly concerning, as airlines definitely do not need access to user contacts for accommodating clients’ trips. None of the app developers disclose this permission to be present.
Airlines whose apps have access to contact data and do not disclose collecting contacts-related data on Google Play Store:
- Air Asia (can read and write)
- Turkish Airlines (can only read)
- Vietnam Airlines (can only read)
Ryanair can access account data on the device
The permission to get accounts grants an app access to the user's accounts associated with the device. This would mean that the app can retrieve a list of accounts, including email addresses, that are registered on the device, e.g., Google, Meta, Samsung, and other accounts. This type of permission for an airline app is not needed for its functionality but could potentially have privacy and security risks.
Permission name:
- GET_ACCOUNTS
Account information can contain sensitive data, including email addresses, usernames, and account identifiers. This information can be personally identifiable and is tied to the user's online identity.
Access to the user's accounts can be invasive to their privacy, as it can reveal the user's online presence, communication channels, and potentially sensitive account data. All of this could also be exploited by threat actors.
Some airlines could call on your behalf
Four airlines had yet another redundant permission to access SMS and Calls on users' devices without disclosing it. Apps with such permission can send text messages and call on behalf of the user.
Permission name:
- CALL_PHONE
If exploited, access to the calling functionality can lead to privacy breaches and fraudulent spam communications that can potentially cause harm.
Airlines that have access to SMS and Calls and do not disclose it:
- Turkish Airlines
- United Airlines
- Spirit Airlines
Airlines response
To Cybernews' inquiry about why the Fly Delta app needs access to location, camera, and storage without disclosing it on the Google Play Store, a Delta Airlines spokesperson responded: “Delta holds a high standard of care for customer data privacy and we work continually to ensure our products and services are safe, secure and compliant.”
Southwest Airlines explained that camera access is needed for their ‘Parking Spot’ feature, which allows a customer to take a photo of where they parked their car and save the photo to the app. “The photo is not saved to, or read from, any files external to the app,” wrote the airline’s spokesperson.
According to Southwest, permission to write to the storage is used for customers to save an image of their boarding pass directly to their photos folder for accessing it while offline or in a location with poor internet connection. “Read External Storage” permission is used by a third-party vendor.
A response from other airlines is yet to be received.
Stay safe
Sensitive permission misuse can lead to potentially harmful consequences for users. One of the most significant risks is privacy invasion, as apps with risky permissions can access sensitive information without proper consent.
Improperly handled permissions can also compromise data security, leaving user data vulnerable to unauthorized access, identity theft, or data breaches.
Apps that misuse permissions or consume excessive resources can negatively impact device performance, leading to slowdowns, crashes, or battery drain.
Cybernews advises always reviewing permission requests before allowing access. Pay attention to permissions that seem unnecessary for the app's intended functionality. On Android, you can manage and revoke app permissions in your device’s settings by navigating to “Application Manager” or “Apps.”