With summer travel nearing, we are revealing findings of the riskiest travel applications. The apps, frequently used by consumers, include Disneyland, Uber, Southwest Airlines, and Waze. Kryptowire’s threat research team ran a risk assessment through its Mobile Application Security Testing (MAST) on commonly used applications associated with travel and ranked the threat scores of the highly-downloaded apps on iOS devices. For a high-level overview on this topic, read our blog here.

• Disneyland – Threat Score: 85
• Uber – Request a Ride – Threat Score: 83.6
• Waze – Threat Score: 82.9
• Southwest Airlines – Threat Score: 82.2

The official mobile app for the Disneyland Resort gives guests planning tools, park updates and exclusive content. Their website tells guests to have the latest version, with notifications and location services enabled to get the most out of the app’s features.

• Disneyland has permissions to the Microphone
• Disneyland has permissions to the Camera
• Disneyland has permissions to Camera Roll
• Disneyland has access to location at all times
• Disneyland has access to contact list
• Disneyland has access to Bluetooth

These permissions are invasive to the users’ privacy. For accessing the microphone, the apps privacy policy gives the reasoning “This app uses your microphone to let you record audio messages.” For accessing the Camera, the reasoning given is “This app uses your camera feature to let you capture photos and videos, scan tickets and other items, and participate in certain interactive experiences.” For accessing your location, the privacy policy states “‘While Using’ means we may use your location when the app is open to enable certain features and interactions, provide you with valuable updates and offers, and improve overall experience. Selecting ‘Always Allow’ will allow your location to be used for some of the above purposes even when you do not have the app open. Please note if you enable Bluetooth for this app, we may infer the location of your device based on Bluetooth beacons it interacts with at Disney Parks and Resorts, even if you turn off Location Services.”

It’s important to note that even if you turn off location services, if permissions are given for Bluetooth, it’s possible the app will track your location through Bluetooth beacons. This approach has been a mainstay for many companies for years.

The Disneyland app has several code quality issues and the app collects a lot of data. But we saw that their privacy statements are much more explicit, the company is transparent on what they do with the data, including the location data they collect. They state “We will not share your personal information with a third party outside The Walt Disney Family of Companies except in limited circumstances, including:” very limited exemptions.

Do you really need an app to go to Disneyland? Also, be mindful of what permissions you allow, and at the end of your trip, open the app permissions and turn everything off, then delete the application till you need to use it again.

Uber is a platform where those who drive and deliver can connect with riders, eaters, and restaurants. In cities where Uber is available, you can use the Uber app to request a ride.

• Uber has permissions to the Camera
• Uber has permissions to Camera Roll
• Uber has access to Microphone
• Uber has access to Contact List
• Uber has access to location at all times

Uber has an extensive privacy policy for accessing the Camera, the reasoning given is “This allows you to take photos from within the app”. While the reasoning for accessing the Camera Roll is “This allows you to select a profile photo from the photo library on your phone.” This poses the question on why the application continuously needs access to a photo library. For accessing your contact list, the reasoning given is “Selected contacts will be uploaded to Uber’s servers. https://privacy.uber.com/policy.”In section three of the privacy policy, it states that data collected is “from other sources, such as other users or account owners, business partners, vendors, insurance and financial solution providers, and governmental authorities.”

Uber’s privacy statements make clear who they share their information with: “We share personal data with our subsidiaries and affiliates to help us provide our services or conduct data processing on our behalf. For example, Uber processes and stores such data in the United States on behalf of its international subsidiaries and affiliates.” Also listed on their privacy policy, they state “Uber provides personal data to vendors, consultants, marketing partners, research firms, and other service providers or business partners. These include:…”

Additionally, Uber makes clear that they collect location data, device data, and the company combines this data with data from other sources and third parties. This means that Uber has the potential to build a complex and detailed profile about who you are, where you are and what you like to do, including information from your social media. Ultimately, users of the application must be comfortable with this type of information they are allowing to be shared, or collected to use this app.

The privacy policy for Uber states that the company enables users to request access to or copies of their data, changes or updates to their accounts, or deletion of their accounts, or that Uber restricts its processing of user personal data. You can enable/disable any of the permissions you give the application. Also, you can opt out of certain marketing choices, which reduces the amount of information the company collects.

The Waze app keeps drivers and passengers up to date of issues in traffic while driving. The application allows you to highlight an incident on the app for everyone to see, helping you to avoid unnecessary traffic.

• Waze has permissions to the Camera
• Waze has permissions to Camera Roll
• Waze has access to Microphone
• Waze has access to Contact List
• Waze has access to Bluetooth
• Waze has access to location at all times

Waze states the reason for accessing a user’s microphone is for it to “allow you to use voice commands, including address entry, for safe driving.” When looking into why the application wants to access a camera roll is because it “used to select your profile picture”, which means the application only needs to access your photos one time. The application’s reasoning behind accessing your calendar is to “get reminders based on real-time traffic. Event info is sent to Waze”. This information is concerning because event info isn’t critical for Waze to operate.

In the privacy policy provided by Waze, the company states, “Waze does not sell, rent or lease your personal information to third parties,” which is reassuring. However, there are exceptions to this statement. For instance, they say “Waze may also share personal information with companies or organizations connected or affiliated with Waze, such as subsidiaries, sister-companies, and parent companies,” and they work with advertising and measurement services whom they also share data with. When connecting social media profiles to the application, the company’s privacy policy states, “Through this option, you may choose to have personal information and other content about you available from social networks, transmitted and shared through the Services. Similarly, you may choose to have personal information and other content about you available from Waze, including your location and route information, transmitted to and shared through your social network account.”

Similar to the other applications, the way to reduce impact is to only have the app track your location “while in use.” Also reduce the application’s permissions once you have uploaded your profile picture and no longer need Waze to access your camera roll.

This app is used to access the services of Southwest Flight Services.

• Southwest has permissions to the Camera
• Southwest has permissions to Camera Roll
• Southwest has access to Contact List
• Southwest has access to location at all times

These permissions are invasive into the privacy of the user. The privacy policy states the reasoning for accessing the camera is because “We use camera to scan your bags.” The reasoning given for accessing the camera roll is “Supports reading card information” And for accessing the contact list, the reasoning given is “We use your contacts to help quickly fill in forms,” which I believe is for emergency purposes. Lastly, for accessing your location, the reasoning given is “Activate location services to instantly find your nearest airport, view the standby list when you’re on it, and know when a Lyft ride is available to you (iPhone only).”

While doing the Kryptowire MAST scan, we were alerted that memory protections are disabled for this application. Memory Protections are used to make it more difficult for the app to be attacked. A common vector for attacking applications is through their misuse of memory handling. These protections help deal with some of these types of issues.

In an application as specialized as Southwest, the justification that this app needs to always know your location is difficult to understand. The idea that the company needs to know your location 24/7 to instantly find the nearest airport isn’t a strong reasoning for giving up such personal information. Having access to the contacts to fill out information is another nebulous requirement.

Please understand that while a reasoning is given, there are no checks within the code which restricts what the permissions are really used for. While we cannot confirm location data is being sold in any of these apps, it is common to sell anonymized location data. The idea of anonymized location data is a farce, it is trivial to de-anonymize location data.

Removing all the permissions listed above will quickly mitigate the privacy risk.

Many users are quick to allow access to personal information without hesitation. However, in recent years, it’s become apparent that many apps are collecting and leaking an excessive amount of personal data, resulting in serious privacy issues. The four most requested mobile app permissions are location data, microphone, camera and camera roll. It is important to know what types of data you are allowing applications to access and make sure it is as limited as possible. In the wrong hands, access to data from your microphone or camera could be used to steal sensitive material. If leaked, your business or personal information can be exploited. Stay safe and limit data overexposure, don’t overprescribe your data to access apps. If it’s not fundamental to the app’s core function, don’t allow them to collect it, or store it.