Research: Paris 2024 Olympic apps ask for dangerous permissions
July 2024 by CyberNews
As Paris has attracted a large number of sports tourists, the apps for the 2024 Olympic Games are tracking them, extracting private data, and peddling it to advertisers and big tech.
The Cybernews research team selected 12 Android apps relevant to Olympic Games attendees in Paris and tested their permissions. According to its report, the apps designed to help users during the Olympics underreport the scope of their data collection on the Google Play Store, require excessive dangerous permissions, and share sensitive user data with advertisers.
There is no privacy during the Olympics
The Bonjour RATP app, a travel app for navigating Paris, buying transportation tickets, and finding routes, is the most data-hungry app in the selection. Its Data Safety section reveals that it collects 18 of 38 possible data points and shares most of them with third parties.
Not only does Bonjour RATP collect precise location data for its functionality, but it also shares the user’s location for the declared purposes of advertising, fraud prevention, security, and compliance. The app has more than 10 million downloads on Android.
TheFork app, Europe’s leading restaurant booking platform, collects 15 data points and zaps almost all of them to third parties. Even email addresses and phone numbers are shared for advertising or marketing purposes, the app developer declares.
The Citymapper app, another city transport app with more than 10 million downloads, collects 14 data points, but advertising is not mentioned among the declared purposes for sharing.
The Paris 2024 Olympics and The Paris 2024 Public Transport apps require 9-11 data points each.
The Paris 2024 Olympics app, already downloaded more than 10 million times, collects user data, such as web browsing history, email addresses, and device and other IDs, and beams it to advertisers. It also asks for multiple dangerous permissions that allow it to tap into the deepest secrets you may hide on your Android phone.
The International Olympic Committee (IOC) openly admits that it collects personal data, builds user profiles, and shares data with advertisers, including Facebook, Google, Apple, or X.
"When required, prompts are presented to users to allow them to consent to specific features to enhance their app experience. When first interacting with the app, users may agree to or reject cookies. At any time, users have control over the permission they granted via the device and app settings," the IOC told Cybernews.
The Paris 2024 Public Transport app, made by a government agency, will share names, emails, and app activity. Security and compliance, fraud prevention, functionality, advertising, and analytics are all among the declared purposes.
Stakeholder Experience & Access Tool (S.E.A.T.) and PinQuest require some of the most dangerous permissions
S.E.A.T. is designed to support specific accredited stakeholders at the Games. Although it says it collects no data, it asks users for dangerous permissions to read and write to external storage, read and write contacts, check and update calendars, and access media files on the device.
Even PinQuest, a fun game to discover and test Olympic knowledge, will ask permission to access the camera and files, even if it says it does not collect any user data.
Some apps hide that they want dangerous permissions
Three out of 12 analyzed apps declare they will collect precise location data. However, the researchers found that three more apps will ask for permission to know your exact latitude and longitude: Paris 2024 Olympics, Paris 2024 Public Transport, and Paris 2024 Transport Accred.
"Location data is required for providing services like venue navigation, event location information, and personalized recommendations based on user location. It may be that the data will stay on the device. However, if the service gets compromised, the users may be exposed to both digital and physical threats," said security researcher Mantas Kasiliauskis.
Half of the apps want to peek through camera, access storage
The most widely used dangerous permission, asked by seven out of 12 tested apps, was storage access, meaning that apps want to read and write files on the device. Allowing this may be dangerous, as it enables apps to check and modify files, including those on external media, such as SD cards.
"Usually, apps require storage access to cache data, such as maps, downloaded transport schedules, user preferences, and others," Kasiliauskis explains.
Half of the analyzed apps also want access to your camera, meaning they could potentially take photos and record videos without additional permission.
"Cameras have many legitimate uses, such as scanning ticket QR codes or credit cards, verification, taking selfies, reporting issues, and capturing moments. It is important to remain vigilant and ensure that cameras are only used for stated useful purposes, and not something malicious," Cybernews researchers said.
Three apps want permission to communicate with NFC tags and two apps ask permission to record audio, which might help users interact with an app via commands. However, if exploited, this permission can be used for unauthorized surveillance or unconsented marketing.
None of the app developers declared to Google that they collect video and audio recordings, and three apps declared that they collect photos.
"The app should help you enjoy the Olympics, but it shouldn’t need to know your whole life story or what websites you visit to do that. This appears as a textbook example of privacy overreach. It’s concerning, given the stated intentions to build detailed user profiles and share data with tech giants. Unfortunately, invasive data collection is a longstanding industry trend, and lots of apps try to grab more data than they need," Kasiliauskis said.
Improperly handled permissions and data can leave users vulnerable to unauthorized access, identity theft, data breaches, and other cyber threats.
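The gap described above, between the dangerous permissions an app requests and what its Data Safety section declares, can be checked from a decoded AndroidManifest.xml. The following is an added example, not the Cybernews team's tooling: the manifest, the package name and the declared data types are constructed samples, and the mapping from permissions to Data Safety data types is an assumption made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
STORAGE = {"Files and docs", "Photos", "Videos"}
# Dangerous permissions named in the article -> Data Safety data types one
# would expect to see declared (this mapping is an assumption, not Google's).
EXPECTED = {
    "ACCESS_FINE_LOCATION": {"Precise location"},
    "CAMERA": {"Photos", "Videos"},
    "RECORD_AUDIO": {"Voice or sound recordings"},
    "READ_CONTACTS": {"Contacts"},
    "WRITE_CONTACTS": {"Contacts"},
    "READ_CALENDAR": {"Calendar events"},
    "WRITE_CALENDAR": {"Calendar events"},
    "READ_EXTERNAL_STORAGE": STORAGE,
    "WRITE_EXTERNAL_STORAGE": STORAGE,
}

# Constructed sample: decoded manifest of a hypothetical app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.gamesguide">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission-sdk-23 android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""
# Constructed sample: data types the same app declares on Google Play.
SAMPLE_DECLARED = {"Approximate location", "Photos", "Email address"}

def requested_dangerous(manifest_xml):
    """Return the dangerous permissions (short names) a manifest requests."""
    root = ET.fromstring(manifest_xml)
    nodes = list(root.iter("uses-permission")) + list(root.iter("uses-permission-sdk-23"))
    names = {n.get(ANDROID_NS + "name", "") for n in nodes}
    prefix = "android.permission."
    return {n[len(prefix):] for n in names if n.startswith(prefix)} & set(EXPECTED)

def undeclared(manifest_xml, declared):
    """Permissions for which none of the expected data types is declared."""
    return {p: sorted(EXPECTED[p]) for p in sorted(requested_dangerous(manifest_xml))
            if not EXPECTED[p] & set(declared)}

if __name__ == "__main__":
    for perm, missing in undeclared(SAMPLE_MANIFEST, SAMPLE_DECLARED).items():
        print(f"{perm}: Data Safety lists none of {missing}")
```

A hit is a prompt for review rather than proof of collection, since data accessed under a permission may stay on the device.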
Research Methodology
The Cybernews research team examined 12 Android apps relevant to the Olympic Games attendees in Paris, which can be downloaded on the Google Play Store, to determine what data they access and might collect.
First, researchers analyzed app developers’ self-declared "Data Safety" claims on the Google Play Store. These do not show the full picture but already reveal redundant data collection practices.