Popular Travel iOS Apps Request Excessive User Data Permissions
Alex Lisle and Melissa Gaffney | May 25, 2022
Alex Lisle and Melissa Gaffney
May 25, 2022
With summer travel nearing, we are revealing findings of the riskiest travel applications. The apps, frequently used by consumers, include Disneyland, Uber, Southwest Airlines, and Waze. Kryptowire’s threat research team ran a risk assessment through its Mobile Application Security Testing (MAST) on commonly used applications associated with travel and ranked the threat scores of the highly-downloaded apps on iOS devices. For a high-level overview on this topic, read our blog here.
Riskiest iOS Travel Applications
- Disneyland – Threat Score: 85
- Uber – Request a Ride – Threat Score: 83.6
- Waze – Threat Score: 82.9
- Southwest Airlines – Threat Score: 82.2
The official mobile app for the Disneyland Resort gives guests planning tools, park updates and exclusive content. Their website tells guests to have the latest version, with notifications and location services enabled to get the most out of the app’s features.
- Disneyland has permissions to the Microphone
- Disneyland has permissions to the Camera
- Disneyland has permissions to Camera Roll
- Disneyland has access to location at all times
- Disneyland has access to contact list
- Disneyland has access to Bluetooth
It’s important to note that even if you turn off location services, if permissions are given for Bluetooth, it’s possible the app will track your location through Bluetooth beacons. This approach has been a mainstay for many companies for years.
The Disneyland app has several code quality issues and the app collects a lot of data. But we saw that their privacy statements are much more explicit, the company is transparent on what they do with the data, including the location data they collect. They state “We will not share your personal information with a third party outside The Walt Disney Family of Companies except in limited circumstances, including:” very limited exemptions.
Ways to Reduce Impact
Do you really need an app to go to Disneyland? Also, be mindful of what permissions you allow, and at the end of your trip, open the app permissions and turn everything off, then delete the application till you need to use it again.
Uber - Request a Ride
Uber is a platform where those who drive and deliver can connect with riders, eaters, and restaurants. In cities where Uber is available, you can use the Uber app to request a ride.
- Uber has permissions to the Camera
- Uber has permissions to Camera Roll
- Uber has access to Microphone
- Uber has access to Contact List
- Uber has access to location at all times
Additionally, Uber makes clear that they collect location data, device data, and the company combines this data with data from other sources and third parties. This means that Uber has the potential to build a complex and detailed profile about who you are, where you are and what you like to do, including information from your social media. Ultimately, users of the application must be comfortable with this type of information they are allowing to be shared, or collected to use this app.
Ways to Reduce Impact
The Waze app keeps drivers and passengers up to date of issues in traffic while driving. The application allows you to highlight an incident on the app for everyone to see, helping you to avoid unnecessary traffic.
- Waze has permissions to the Camera
- Waze has permissions to Camera Roll
- Waze has access to Microphone
- Waze has access to Contact List
- Waze has access to Bluetooth
- Waze has access to location at all times
Waze states the reason for accessing a user’s microphone is for it to “allow you to use voice commands, including address entry, for safe driving.” When looking into why the application wants to access a camera roll is because it “used to select your profile picture”, which means the application only needs to access your photos one time. The application’s reasoning behind accessing your calendar is to “get reminders based on real-time traffic. Event info is sent to Waze”. This information is concerning because event info isn’t critical for Waze to operate.
Ways to Reduce Impact
Similar to the other applications, the way to reduce impact is to only have the app track your location “while in use.” Also reduce the application’s permissions once you have uploaded your profile picture and no longer need Waze to access your camera roll.
This app is used to access the services of Southwest Flight Services.
- Southwest has permissions to the Camera
- Southwest has permissions to Camera Roll
- Southwest has access to Contact List
- Southwest has access to location at all times
While doing the Kryptowire MAST scan, we were alerted that memory protections are disabled for this application. Memory Protections are used to make it more difficult for the app to be attacked. A common vector for attacking applications is through their misuse of memory handling. These protections help deal with some of these types of issues.
In an application as specialized as Southwest, the justification that this app needs to always know your location is difficult to understand. The idea that the company needs to know your location 24/7 to instantly find the nearest airport isn’t a strong reasoning for giving up such personal information. Having access to the contacts to fill out information is another nebulous requirement.
Please understand that while a reasoning is given, there are no checks within the code which restricts what the permissions are really used for. While we cannot confirm location data is being sold in any of these apps, it is common to sell anonymized location data. The idea of anonymized location data is a farce, it is trivial to de-anonymize location data.
Ways to Reduce Impact
Removing all the permissions listed above will quickly mitigate the privacy risk.
Many users are quick to allow access to personal information without hesitation. However, in recent years, it’s become apparent that many apps are collecting and leaking an excessive amount of personal data, resulting in serious privacy issues. The four most requested mobile app permissions are location data, microphone, camera and camera roll. It is important to know what types of data you are allowing applications to access and make sure it is as limited as possible. In the wrong hands, access to data from your microphone or camera could be used to steal sensitive material. If leaked, your business or personal information can be exploited. Stay safe and limit data overexposure, don’t overprescribe your data to access apps. If it’s not fundamental to the app’s core function, don’t allow them to collect it, or store it.