These popular travel apps could put your summer vacation plans at risk

Airport Wi-Fi
(Image credit: JESHOOTS.com/Unsplash)

Summer vacation is just around the corner and many families are planning to head out on their next big trip, but you may want to think twice before installing a number of popular travel apps as they can put both your privacy and security at risk.

According to new research from the mobile security firm Kryptowire, apps frequently used by travelers, including the Disneyland app, Uber, the Southwest Airlines app, Waze and SpotHero are less safe than they appear to be. The company’s research team ran a risk assessment using its Mobile Security Testing (MAST) on commonly used travel apps to determine their threat scores.

Of the apps tested by Kryptowire, Disneyland had the highest threat score at 85 followed by Uber at 83.6, Waze at 82.9, Southwest Airlines at 82.2 and SpotHero at 80.1. The reason the apps in question had such high threat scores is due to the amount of data they collect and the device resources they use, like a smartphone’s microphone, camera and camera roll.

Chief technology officer at Kryptowire, Alex Lisle provided further insight on the firm’s findings in a press release and why bringing your work phone on a family trip is often a terrible idea, saying:

“While it’s exciting that more people will resume leisure and business travel this summer, we can’t be naive to the risks associated with modern travel, including mobile app usage. In our new ‘hybrid work’ environment, it’s not just personal devices coming along for the ride. The lines continue to blur between personal bring your own device (BYOD) and professional devices, and its crucial employers and employees are aware of the potential risks.” 

Security and privacy risks posed by travel apps

The Disneyland app poses the largest privacy concern to users as it is capable of using multiple device-level resources including a device’s microphone, camera roll and contacts without checking for trusted environments, according to Kryptowire.

The app also has insufficient keychain protection, as the limits on when the data it stores within the keychain can be accessed are not particularly restrictive. The researchers also observed that the Disneyland app sends a device’s unique identifier across any network a smartphone with it installed is connected too.

Kryptowire’s MAST gave the app such a high threat score as a device identifier is traditionally used to track a device across multiple apps and web traffic. If this data fell into the wrong hands, it could put travelers at risk of identity theft or other attacks when visiting Disneyland.

By giving a travel app access to your device’s camera, camera roll, contact list, microphone, Bluetooth and your location at all times, you run the risk of your personal information being exposed and your privacy being compromised. For this reason, users should grant permissions to apps sparingly and ensure that an app can only access device-level resources when opened and not at all times in the background.

How to secure your devices while traveling

person on Airport free Wi-Fi using a phone

(Image credit: Shutterstock)

In the same way that you make sure you pack all of the essentials like sunscreen and your toothbrush, you should also prepare your devices and those of your children ahead of your next big trip.

For starters, every device you use while traveling should have a pin set so that it can’t be unlocked if lost or stolen. While a password is a good starting point, using biometric security such as your fingerprint or Face ID is even better.

While free hotel Wi-Fi is a perk you’re technically paying for, you may actually be better off using a mobile hotspot when traveling and this certainly true if you’re traveling abroad. If you do have to use public Wi-Fi when traveling, it’s a good idea to do so with a VPN, especially when looking at sensitive information in your banking or other financial apps.

If you do need to bring a computer with you as you just can’t live without it, it’s a better idea to leave your business laptop at home and to bring a cheaper device like a Chromebook instead. Replacing a Chromebook only costs a few hundred dollars and they’re easy to wipe whereas your work laptop is likely much more expensive and contains sensitive company data.

Another way to avoid having your travel plans spoiled is by preventing others from tracking your devices and their whereabouts. Fortunately, you can easily disable location tracking on iPhone or on Android in just a few steps. It may also be worth waiting till you get home to post your vacation photos as they can also be used to find your location. 

As for travel apps, like we mentioned before, you should limit their device-level permissions when possible and if not, make sure that they can only access your camera and microphone when opened as opposed to in the background at all times.

Many people have likely had to put off their big family trips over the past few years which is why it’s better to prepare accordingly before you leave so that you can enjoy your well-deserved vacation.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.