According to research by Cybernews, airlines are now collecting a wide array of data from apps on some user’s phones, and they could be using this data to gain an advantage.
When the researchers looked into the permissions granted to airline apps by Android users they found that, while airlines already possess vast amounts of sensitive customer data, including passport details, travel history, and even biometric and health data, some go further by accessing user location, camera, storage, phone state, microphone, contacts, and device accounts.
Among the tested apps, American Airlines and United Airlines were the most data-hungry, while Philippine Airlines collected the least.
All of the examined airline apps had access to user location, primarily for app functionality, personalisation, and marketing. However, some airlines failed to disclose this practice, including RyanAir, FlyDelta, and Aegean. Spirit and Frontier Airlines admit to collecting approximate user location but possess permissions for exact location access.
Another concerning discovery was that only three out of 14 airlines were honest about their collection of camera data, despite 12 apps having camera permissions.
Many justified this access for app functionality and security, though others neither disclosed nor justified it. Airlines failing to do this with camera-related data collection include Air Asia, Fly Delta, Spirit Airlines, Southwest Airlines, Frontier Airlines, Singapore Airlines, Vietnam Airlines, and Aegean Airlines.
When it comes to storage data, 11 apps could read and write to device storage, potentially compromising user-generated files and private information in the event of a security breach. Four airlines—AirAsia, United Airlines, RyanAir, and Singapore Airlines—possess audio-related permissions without disclosure on the Play Store.
Additionally, four airlines have granted themselves access to SMS and calls on users’ devices. This permission enables them to send texts and make calls on behalf of users, posing privacy and security risks if exploited. Turkish Airlines, United Airlines, and Spirit Airlines are among those not informing users about this access.
The researchers added: “Most airlines promote car rental, accommodation, and other vacation services, so precise locations are gold for targeted advertisement. Also, location could be needed for location-based tools such as maps.
However, apps requesting access to a precise location can track users’ movements and provide a detailed picture of daily routines, revealing their home and workplace, which can potentially compromise users’ privacy and security if the data fall into the wrong hands.”