Why would an airline want to know your ethnicity? Or look at the photos on your phone? How about access to your microphone? How about the permission to send text messages on your behalf?
Cybernews researchers recently dug into the permissions that Android users are granting airline apps, which the airlines can look at and possibly leverage to their advantage. Airlines already have tons of sensitive data about their customers which most people would consider fair game: passport data, travel routes, and, in some cases, biometric and health-related data.
But some airlines don’t stop there. They collect and process an even wider array of customer data, going as far as accessing user location, camera, storage, phone state, microphone, contacts, accounts on the device, messages and calls.
According to the data presented by the researchers, 14 major airline apps had their grubby little fingers on lots of those data points. Of all the investigated apps, American Airlines and United Airlines collected the most data. Philippine Airlines, on the other hand, collected the fewest data points.
Every travel app has access to your location
The tested airline apps all had access to the exact location of the user. The majority of airlines said they locate their users primarily for app functionality, personalization, and marketing purposes. Unfortunately, not all airlines mention collecting passenger location information via airline apps.
According to the study, those that do not disclose it are RyanAir, FlyDelta, and Aegean. Spirit and Frontier Airlines disclose that they collect only the approximate user location, while the permissions allow access to the exact location.
“Most airlines promote car rental, accommodation, and other vacation services, so precise locations are gold for targeted advertisement. Also, location could be needed for location-based tools such as maps,” the researchers said.
“However, apps requesting access to a precise location can track users’ movements and provide a detailed picture of daily routines, revealing their home and workplace, which can potentially compromise users’ privacy and security if the data fall into the wrong hands.”
Access to camera and collecting storage data
Another concern the researchers raised is that just three of 14 airlines disclosed the collection of camera-related data when, in reality, 12 out of 14 tested apps had camera permission.
The researchers said most of those couched their access to camera data as being part of the app’s functionality and of security and compliance efforts. Others have not disclosed it, but the permission is present in the app.
Among airline apps that do not disclose that they are collecting camera-related data are Air Asia, Fly Delta, Spirit Airlines, Southwest Airlines, Frontier Airlines, Singapore Airlines, Vietnam Airlines, and Aegean Airlines.
As far as collecting storage data is concerned, out of the tested apps, 11 could read and write to the device's storage – data that could include user-generated files, photos, videos, documents, and other private information. You might consider that innocent, but if a hacker got hold of your device or an airline's systems, it could potentially cause data loss and privacy breaches.
Access to your microphone and the ability to make calls on your behalf
Researchers found that four airline apps – AirAsia, United Airlines, RyanAir, and Singapore Airlines – have the audio-related permission turned on, but none disclose it on the Play Store.
One oddball permission that four airlines had given themselves was access to SMS and calls on users' devices, without disclosing it. The researchers said that apps with such permission can send text messages and place calls on behalf of the user and, if exploited, access to the calling functionality can lead to privacy breaches and fraudulent spam communications that can potentially cause harm.
The airlines that have access to SMS and calls and do not disclose it are Turkish Airlines, United Airlines, and Spirit Airlines.
Airlines response
The Cybernews researchers felt it was essential to find out exactly why these airlines were peering into all the personal data they set up access to.
In the case of Delta, where the airline asked for location, camera, and storage access without disclosing it on the Google Play Store, a Delta spokesperson responded: “Delta holds a high standard of care for customer data privacy and we work continually to ensure our products and services are safe, secure and compliant.”
Southwest Airlines said that camera access is needed for their ‘Parking Spot’ feature, which allows someone to take a photo of where they parked their car and save the photo to the app. “The photo is not saved to, or read from, any files external to the app,” wrote the airline's spokesperson.
According to Southwest, permission to write to storage is used for customers to save an image of their boarding pass directly to their photos folder for accessing it while offline or in a location with poor internet connection. “Read External Storage” permission is used by a third party – Airship, a company providing push notifications, in-app messages and other app related solutions.
Other airlines did not respond.
Stay safe – check your permissions now
As ConsumerAffairs has found out in parallel situations with apps – school student apps, mental health apps, shopping apps, fitness apps, and prayer apps – sensitive permission misuse can turn the tables on users. Privacy invasion is a significant risk, since apps with risky permissions can access sensitive information without consent. Once that valve is turned on, user data become even more vulnerable to unauthorized access, identity theft, or data breaches.
Apps that misuse permissions or consume excessive resources can also impact device performance in a negative way – slowdowns, battery drain, or crashes.
Cybernews advises always reviewing permission requests before allowing access. Pay attention to permissions that seem unnecessary for the app's intended functionality. On the Android OS, you can manage and revoke app permissions in your device’s settings by navigating to “Application Manager” or “Apps.”
If this sounds complicated or daunting, don't worry. When ConsumerAffairs tried it, it took less than a minute per app. Here are the steps:
1. Go to Settings on your device. If you have Google Assistant installed, just press the microphone icon and say “Open Settings.”
2. Click Privacy
3. Click Permission Manager
4. Click the permissions you’d like to adjust – e.g., microphone, contacts, location, physical activity
5. Change the permissions of the apps that you don’t want following you, having access to your camera, etc. You can change the permissions to “only allow while using the app,” “ask every time,” or “don’t allow.”
One important thing to note while you’re in the Permission settings: at the very bottom of the screen, you’ll see something like “See all apps with this permission.” If you click on that, you’ll be able to spot every single app that you’ve given location permission to. It might be a good time to review all of those.
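The same review can be scripted from a computer with Android's `adb` tool. The Python below is an added example, not code from Cybernews or ConsumerAffairs: it parses the output of `adb shell dumpsys package <package>` and lists the sensitive permissions an app currently holds that its store listing does not mention. The sample output and the `disclosed` set are constructed for illustration.

```python
import re

# Android permissions mapped to the data types the article discusses.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
    "android.permission.SEND_SMS": "sms",
    "android.permission.CALL_PHONE": "calls",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_PHONE_STATE": "phone state",
    "android.permission.GET_ACCOUNTS": "accounts",
}

# Matches lines such as "android.permission.CAMERA: granted=true, flags=[...]"
PERM_LINE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

def granted_sensitive(dumpsys_text):
    """Return {data type: [permission, ...]} for granted sensitive permissions."""
    found = {}
    for line in dumpsys_text.splitlines():
        m = PERM_LINE.match(line)
        if m and m.group(2) == "true" and m.group(1) in SENSITIVE:
            found.setdefault(SENSITIVE[m.group(1)], []).append(m.group(1))
    return found

def undisclosed(granted, disclosed):
    """Data types the app can reach that its store listing (disclosed) omits."""
    return sorted(c for c in granted if c not in disclosed)

# Constructed sample in the layout of `adb shell dumpsys package <package>`.
SAMPLE = """\
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
      android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET]
      android.permission.WRITE_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET]
"""

if __name__ == "__main__":
    granted = granted_sensitive(SAMPLE)
    # Assumed listing: the app says it collects approximate location only.
    print(undisclosed(granted, {"approximate location"}))
```

On a real device with USB debugging enabled, replace `SAMPLE` with the text printed by `adb shell dumpsys package` for the app's package name.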
Forewarned is forearmed
Jen Caltrider, project lead at Mozilla, told ConsumerAffairs that if anyone cares about their privacy, the best place to start is before someone downloads an app.
It is best to look at what permissions an app uses before trusting it at all, Caltrider told ConsumerAffairs. To find out what else there might be, consumers should click on “About this App” on the Google Play App Store page, scroll to the bottom, and then click on “About this App.”
“There, you will see a section called ‘Permissions’ -- click on ‘View Details’ and decide for yourself if you're comfortable with granting the app access to the data listed,” she said.