June 12, 2024

Top Travel Apps Harvesting Your Data Without Asking – Cybernews Exclusive

From Booking.com to Airbnb, Hilton to Radisson – every travel app you use for your next vacation will try to milk your data. Worse, some won’t even tell you about the secrets they’re extracting from you.

Booking.com, MakeMyTrip, and HotelTonight are the ultimate “champions” when it comes to data collection, an exclusive Cybernews investigation has revealed.

Did you know that every travel app we tested knows your whereabouts? However, half of them, including Booking.com, won’t even tell you that they collect your location data.

Some apps can simply read your SMS messages, access your camera and microphone, and read your files.

Some can even make a call on your behalf.

But let’s not fool ourselves – we’re not about to ditch those useful apps to plan our next trip. Let’s simply dive into our findings and see what we, as users, can do to suppress the appetite of these data-hungry apps.

Methodology

We examined 22 widely used hospitality and vacation planning apps, which have been downloaded by millions of users on the Google Play Store, to determine what data they access and might collect.

First, we analyzed what data these apps claim to collect at the Google Play Store since they are required to do so in the “Data Safety” section.

However, the claims on the Play Store don’t necessarily show the full picture, as developers fill this section manually, and one shouldn't blindly trust those claims. So, we decided to dig deeper and check whether the developers’ claims were up to scratch. What did we find?

Not only do some apps fail to disclose that they collect your sensitive data, but there seems to be no legitimate reason for harvesting it, either.

The ultimate data collection champions ranked from top to bottom

Figure: Travel apps ranked from top to bottom, based on how many data points they declare to collect.

However, as we already warned, app developers’ claims aren’t really that accurate. Our investigation team checked travel apps for built-in permissions that essentially allow developers to access sensitive information on users' devices, such as location, contacts, camera, microphone, and SMS messages, among other things.
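As an added example (not Cybernews' own tooling), this is how the manifest-versus-Data-Safety comparison described above can be automated. The manifest, the Data Safety declaration and the permission-to-category mapping are constructed for illustration; the permission names are real Android identifiers.

```python
"""Cross-check the permissions an APK manifest declares against the Play
Store Data Safety categories a developer listed. Constructed example."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names -> Data Safety category that should cover them
# (our mapping). None marks permissions a booking app has no plausible use for.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.CAMERA": "photos and videos",
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "messages",
    "android.permission.READ_PHONE_STATE": "device or other ids",
    "android.permission.READ_EXTERNAL_STORAGE": "files and docs",
    "android.permission.MOUNT_UNMOUNT_FILESYSTEMS": None,
}

# Constructed manifest, as you would get it from a decoded APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.travelapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/>
</manifest>"""
# Constructed Data Safety declaration: only camera-related data is disclosed.
SAMPLE_DECLARED = {"photos and videos", "app activity"}


def manifest_permissions(manifest_xml):
    """Return every <uses-permission android:name=...> in declaration order."""
    root = ET.fromstring(manifest_xml)
    return [n.get(ANDROID_NS + "name") for n in root.iter("uses-permission")
            if n.get(ANDROID_NS + "name")]


def audit(manifest_xml, declared):
    """Flag undisclosed sensitive permissions and ones no booking app needs."""
    undisclosed, unjustified = [], []
    for perm in manifest_permissions(manifest_xml):
        if perm not in SENSITIVE:
            continue  # INTERNET and similar are out of scope
        category = SENSITIVE[perm]
        if category is None:
            unjustified.append(perm)
        elif category not in declared:
            undisclosed.append(perm)
    return {"undisclosed": undisclosed, "unjustified": unjustified}
```

Run `audit(SAMPLE_MANIFEST, SAMPLE_DECLARED)`: location and SMS access come back as undisclosed, while the mount/unmount permission is flagged regardless of what the declaration says.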


“A well-designed app should only request permissions that are essential for its functionality, so users should always exercise caution when granting permissions to apps and review them carefully. Unfortunately, our investigation has revealed that this is not always the case,” said security researcher Mantas Kasiliauskis.

While travel apps are mainly used to book hotels and arrange transfers, some can apparently read SMSs and even change device settings.

“Apps requesting sensitive permissions, particularly those related to the device's system files and configuration, are red flags that potentially suggest either malicious intent or poor code design,” Kasiliauskis said.

We’ve contacted every brand mentioned in this article. Unfortunately, not all of them have replied. If they choose to do so later, we will update the article.

All apps have access to an exact location

Travel apps frequently request access to users' precise locations to offer better services. For example, they might enable location-based offers like the walking tour you might want to take in Lisbon.

However, granting this access will enable those apps to track your movements and learn where you live and work.

Were a malicious actor to access that data, you could be exposed to both digital and physical threats. Such data is also a treasure trove for companies that might serve you personalized ads or sell that data further.

All the apps we tested had access to the user’s precise and accurate location, including latitude and longitude coordinates. Unfortunately, many of them decided to keep this information secret.

Figure: Travel apps that have permission to access location.


A dozen apps have access to your camera

Another widely used permission – 14 out of 22 tested travel apps – is access to the device’s camera to take photos, record videos, and conduct video calls. An app could potentially do this without user consent, compromising the user's privacy and security.

Ten apps failed to disclose the collection of camera-related data on the Google Play Store. The ones that disclosed it said such permission was mostly needed for “app functionality” and “analytics.”

Figure: Travel apps that have permission to access the camera.


These apps know your phone and IMEI numbers

According to the investigation, some travel apps hold a particularly risky permission that allows them to read the phone state, which could allow them to identify the user and the device.

This permission allows the extraction of various user identifiers, such as the International Mobile Equipment Identity (IMEI), the International Mobile Subscriber Identity (IMSI), the phone number, the device serial number, and the unique identifier for the SIM card.

A significant concern is that hotel booking and rental apps do not have a legitimate reason to request such permissions from users, as they do not need them to function properly.

Typically, such permissions are only granted to system apps or apps signed with the platform key, as they allow access to sensitive device information.

Figure: Travel apps that have permission to read phone state.


This app can read your SMS messages

Some of the apps had even more pervasive permissions. Research revealed that MakeMyTrip, a popular Indian app with over 50 million downloads for booking hotels, flights, and transport, can read entire SMS messages stored on the device.

This includes information about the sender and receiver and the dates of the messages.

There is hardly any reason why a booking app would need to read your messages, is there? Apart from potentially private content stored in the messages, SMS often also contains sensitive information, such as verification codes or one-time passwords, that should be handled cautiously.

HotelTonight can manipulate file systems

An accommodation booking app owned by Airbnb – HotelTonight – requests permission to mount and unmount file systems on the device.

A file system is an integral part of an operating system (OS). It organizes files and directories, tracks their locations, and maintains metadata about the files, ensuring efficient data retrieval and storage.

The discovered permission allows the app to manipulate and modify files at the system level, potentially leading to serious security risks.

Hilton can control open dialogs on your device

The Hilton Honors app, designed for managing reservations and loyalty programs for Hilton hotels and resorts, has permission to access the device's system-level components.

This permission lets an app request the system close any open system dialogs, including critical user interface (UI) components such as the notification shade, recent apps screen, and power dialog.

While this permission is primarily used by the device’s system, mishandling of it might result in the app forcibly closing system dialogs and interfering with the regular operation of the device’s UI.

Chinese giant can change languages and modify settings

Another one-stop travel app with over 10 million downloads can modify a device's system settings and configuration.

The app in question is owned by Trip.com, a China-headquartered multinational company, one of the largest online travel agencies, and a parent company of Skyscanner.

This app potentially has the right to mess with a device’s configuration, such as changing the language, screen orientation, keyboard layout, and other device settings. It also lets the app modify system settings, such as WiFi, Bluetooth, sound, or display.

Modifying these settings can potentially lead to unexpected behavior on the device, disrupt the user experience, or interfere with other apps.

These apps can read your files

Travel apps are also hungry for access to your device’s storage.

Fourteen travel apps had the means to read and write to external storage, while Hopper could only read the files stored in the device. Only three apps are transparent about collecting “files and docs,” while the rest decided to remain silent about having the right to collect file-related data.

Figure: Travel apps that have permission to access files.


Permission to access a device's storage is sensitive as it enables an app to access, write, modify, or delete data on external storage, including an SD card and other external media.

Access to a device’s storage may comprise user files, such as photos, videos, documents, and other confidential information. If such data is mishandled or a malicious actor accesses it, it could lead to potential data loss and privacy breaches.

Some apps have access to your microphone

Three out of twenty-two tested travel apps – Hotwire, Trip.com, and MakeMyTrip – have permission to access the device's microphone and record audio input.

Trip.com disclosed on the Play Store that it collects voice and sound recordings. In contrast, MakeMyTrip and Hotwire do not disclose the collection of audio-related data, but permission to access the microphone is built into their apps.

Booking.com declares on the Play Store that it collects audio-related data. However, we could not find permission to access the microphone when we tested the app.

If exploited, the “record audio” permission might lead to unauthorized surveillance, capturing sensitive conversations and personal information. It might also be used for unconsented marketing.

These apps know who’s on your contact list

Three travel apps – MakeMyTrip, Hilton Honors, and Hopper – were found to hold permission to read the device’s contact list. This is highly concerning, as travel apps definitely do not need access to user contacts to accommodate clients’ trips.

MakeMyTrip is transparent, while Hilton Honors and Hopper app developers do not disclose collecting contacts-related data.

Contact information is sensitive, as it may contain private data about friends, family, colleagues, and acquaintances, including names, phone numbers, email addresses, and other contact details.

If misused, this permission might lead to unwanted data scraping, user privacy infringement, or even data exploitation to craft various fraudulent schemes.

Some apps could be calling on your behalf

Three travel apps – MakeMyTrip, Hilton Honors, and Trip.com – had permission to access messages and calls on users' devices without disclosure. Apps with this permission can send text messages and make calls on behalf of the user.

Access to the calling functionality can lead to privacy breaches and fraudulent spamming communications if exploited.

Company responses

A MakeMyTrip spokesperson told Cybernews that the permissions are optional and requested “only within specific flows and features of the app.”

“We prioritize transparency by clearly explaining the purpose behind each permission. For example, access to the camera is used for uploading profile pictures and verification documents, such as for forex and visa applications,” said the spokesperson.

According to the spokesperson, permission to call on the user's behalf is needed so that users can initiate calls directly to the company’s support helpline within the app.

Permissions to read external storage and phone states are used to address “very specific use cases,” and these permissions are “obtained on a per-use-case basis” by, as stated, providing the proper justification in each flow.

Permission to read messages enables auto-population of one-time passwords (OTP) during transactions, streamlining the payment process.

“India’s payment systems and customer-identification processes work differently from most other places in the world, so some permissions that we request from our users are to satisfy and ease those specific flows and to address the regulatory guidelines of the region,” said the spokesperson.

A Marriott Bonvoy spokesperson told Cybernews that location data improves the user experience when searching or browsing for hotel reservations and providing directions. At the same time, camera access allows users to scan credit cards and add them to their app account profiles.

“Both location and camera access are permission-based and granted or removed solely by the App user,” Bonvoy’s spokesperson said. “These are neither required nor set by default at the time that the App is downloaded – the App user must give specific permission in his or her mobile device settings.”

Trivago’s spokesperson told Cybernews that all users on their platform are asked for consent before the geo functionalities are activated.

“We use data to enhance the user experience on our platform. Granting these permissions allows our app users to search for nearby hotels. Accommodations can be displayed as a list or on a map, which also shows the user’s location,” explained the spokesperson.

Kayak and Momondo “actively investigating”

A Kayak and Momondo spokesperson told Cybernews that they’re “actively investigating” why location is not listed among collected data on the Google Play store, as the company has “taken the necessary steps to enable this disclosure.”

According to the spokesperson, location data and camera access are used to help improve the user experience on the apps, and users need to enable access within the app.

“For example, access to location data helps to provide travelers with airports and/or hotels “nearby” their current location, while access to the camera ensures that the users can use the in-app tools, such as KAYAK PriceCheck or the bag measurement tool," they said.

Always review permissions

Sensitive permission misuse can lead to potentially harmful consequences for users. Privacy invasion is one of the most significant risks, as apps with risky permissions can access sensitive information without proper consent.

Improperly handled permissions can also compromise data security, leaving user data vulnerable to unauthorized access, identity theft, or data breaches.

Apps that misuse permissions or consume excessive resources can negatively impact device performance, leading to slowdowns, crashes, or battery drain.

Cybernews advises always reviewing the permission requests before allowing access. Pay attention to permissions that seem unnecessary for the app's intended functionality. On Android, you can manage and revoke app permissions in your device’s settings by navigating to “Application Manager” or “Apps.”

Updated on June 12th with the comments from Trivago, Kayak, and Momondo.

Copyright 2024 Cybernews. All rights reserved. From https://cybernews.com. By Paulina Okunytė, Journalist.