IHG® Hotel Booking Deals (Android / Google Play)

This application is available for Android. This app is designed to make it easier than ever to research, book and manage your stay at all of your favorite IHG brands – InterContinental® Hotels & Resorts, Hotel Indigo®, Crowne Plaza® Hotels & Resorts, Holiday Inn® Hotels and Resorts, Holiday Inn Express®, Staybridge Suites®, Candlewood Suites®, etc. That’s more than 4,600 hotels across more than 100 countries. The latest build was released on June 25, 2017. Our latest check was performed on Apr 16th, 2017.

Findings Summary

Our examination revealed 34 items in total: 8 DAR items and 26 DIT items. Among the DAR items there were 0 worst items, 5 bad items, 0 good items, and 2 best items. Among the DIT items there were 1 worst item, 0 bad items, 22 good items, and 2 best items.

Below you will find 4 infographics summarizing what we described above. Each image provides information about both DAR and DIT items.


Everything presented below is related to well-known CWEs, such as Sensitive data leakage [CWE-200], Unsafe sensitive data storage [CWE-312], Unsafe sensitive data transmission [CWE-319]. You can read more about it here.

Now let’s go deeper and examine each data item’s protection level.

 

Application Description

The application’s description is quoted below:

With the IHG® app, you can simply and easily take control of booking and managing your hotel stays at more than 5,000 hotels in over 100 countries, with a wide range of features to help make sure you get the most out of every trip. The world is yours for the exploring, right at your fingertips in one, convenient place on your device as you search for great stays at any of the outstanding IHG® brands you trust: InterContinental® Hotels & Resorts, Hotel Indigo®, Crowne Plaza® Hotels & Resorts, Holiday Inn® Hotels & Resorts, Holiday Inn Express®, Staybridge Suites®, Candlewood Suites®, EVEN™ Hotels, HUALUXE™ Hotels & Resorts, and Kimpton Hotels®!
App Features:

  • Quickly and easily book at any of our 5,000 hotels while you’re on the go.
  • Manage every step of your stay; from communicating with the hotel and setting preferences, to transportation, dining, and area attractions.
  • Guest reviews from travelers just like you to help you find the perfect hotel for your stay.
  • Access to special IHG® offers and discounts.
  • View your current charges during your stay*.
  • Trouble-free, convenient departures via Mobile Check-Out, plus an instantly emailed copy of your bill*.
  • View your past stays, check on points earned, and access your hotel bill.
  • Use IHG® Rewards Club points to redeem free Reward Night stays, Digital Rewards downloads and much more
  • Explore the many ways to Earn Rewards including Bonus Points Packages and exciting partnerships.
  • Track your IHG® Rewards Club points balance and progress towards Elite status.
  • Turn your phone horizontally to show your IHG® Rewards Club or Ambassador card.
  • Get special rates using your corporate ID.
  • Learn what makes each of IHG’s® 12 brands the right fit for your business trip or vacation.

Use the app to get immediate access to guest reviews from fellow travelers so you’ll have no doubts you’re booking just the right hotel in just the right location, be it for business or pleasure (or both). Then once you’ve decided on your IHG® hotel, making a reservation and letting the hotel know your preferences has never been more seamless! And because you downloaded the IHG® app, you’ll always have the reassurance of our Best Price Guarantee, have access to convenient car rental and UBER arrangements, get to plan that great meal with comprehensive dining info, keep an eye on your current charges during your stay, and make your departure as smooth as it gets with Mobile Check-Out. When you’re looking, booking, getting ready for your stay, and during your time with us, the IHG® app will be right there keeping you informed and efficient every step of the way.

Finally, because there are so many tremendous advantages to enrolling in IHG® Rewards Club, the IHG® app lets you join right in the app so you can immediately start earning points you can later redeem for Reward Nights, Digital Rewards and more. We don’t want you to miss a single point or benefit. In fact, IHG® is the only hotel company that rewards members for exploring all the great brands in the IHG® family. As an Elite member, you get complimentary room upgrades, guaranteed room availability, priority check-in and more! Plus, all IHG® Rewards Club and Ambassador members stay easily connected with free Internet access at every IHG® hotel. And, of course, the IHG® app also keeps you on top of your points progress and IHG® Rewards Club account.

We invite you to download the IHG® app now for seamless searching, booking and stay management in one convenient place on your device. And happy travels!

* At participating hotels

The IHG® Best Price Guarantee is our promise that the very best hotel room price for any IHG® property can be found in the app or on our website(s), or your first night is free.

Enabling location services for the app will let you search and book at hotels near you.

 

Protection levels.

Locally stored data (Data-at-Rest, DAR).

Locally stored data groups include Application Information, Account Information, Loyalty Information, Credentials Information, Log Information, Analytics ‘n’ Ads Information.
The average DAR value is 4.00 points (7.00 points of system protection and 1.00 points of own protection). It is higher than a typical value (3.5 points, with 7 points of system protection and 0 points of own protection).

Item GROUP #1, with an average value of 3.50 points (7 points of system protection, 0 points of own protection). In plain terms: extra data was found that should not be accessible. The system protection level means that root/jailbreak is required but is not possible without wiping device data; the own protection level means the data is stored as is.

– Application Configs (‘Application Information’ Group) – Different configuration files created by your app, perhaps app permissions. This group covers any info related to the app and app settings, including installed apps or installers.

– Account Details (‘Account Information’ Group) – Full info about your account, including account membership, expiration, profile, linked data and accounts, etc. This group covers any info related to profiles, basic credential IDs like email, username or phone number, plus some more info depending on the application.

– Account Details (‘Loyalty Information’ Group) – Full info about your account, including account membership, expiration, profile, linked data and accounts, etc. This group covers any information related to known reward programs, like membership, current rewards, etc.

– Log Data (‘Log Information’ Group) – Any logged data, stored as a solid file or multipart files. This group covers any information stored in local or network logs.

– Device Details (‘Analytics ‘n’ Ads Information’ Group) – Includes basic device details plus hardware key and fingerprints as well as IMEI. This group covers any info related to analytics services like Flurry, Google Analytics, etc., or advertisements.

– Credentials (IDs) (‘Credentials Information’ Group) – Only account IDs, like app or 3rd party user IDs, including emails, phone numbers, usernames, etc. (depends on the app). This group covers any type of credentials, including basic (IDs only), passwords, tokens, etc.

Item GROUP #2, with an average value of 7.50 points (7 points of system protection, 8 points of own protection). In plain terms: the protection is compliant, but there are publicly known techniques to access the data, including forensic ones. The system protection level means that root/jailbreak is required but is not possible without wiping device data; the own protection level means compliant implementations of encryption algorithms and security mechanisms.

– Credentials (Passwords) (‘Credentials Information’ Group) – Well-known passwords or PINs you’re using to get access to your account (usually worse than tokens, because a password gives full access to your account). This group covers any type of credentials, including basic (IDs only), passwords, tokens, etc.

Keep in mind that if you’re using certain Android devices, such as Samsung, LG or another device with an unlocked or non-locked loader that allows rooting your device without user action, the system level equals 6 points instead of 7. It means your data can be stolen without any action on your part.

Transferred data (Data-in-Transit, DIT).

Transferred data groups include Analytics ‘n’ Ads Information, Device Information, Credentials Information, Loyalty Information, Account Information, Financial Information, Travel Information, Booking ‘n’ Purchases Information.
The average DIT value is 4.81 points (5.54 points of system protection and 4.08 points of own protection). It is higher than a typical value (4 points, with 4 points of system protection and 4 points of own protection).

Item GROUP #1, with an average value of 0.00 points (0 points of system protection, 0 points of own protection). In plain terms: the data is ‘as is’ and easily accessed (plaintext, no protection at all). The system protection level means the data is transferred (or supposed to be) ‘as is’ (plaintext) due to jailbreak/root or preinstalled non-trusted firmware, certificates, etc.; the own protection level means the data is transferred as is, perhaps because the protection mode is turned off or doesn’t exist, or the info is eventually revealed.

– Environment (‘Analytics ‘n’ Ads Information’ Group) – Different info about the environment of the device, including app lists, device info, OS name and versions, updates, a list of users, network details, etc. This group covers any info related to analytics services like Flurry, Google Analytics, etc., or advertisements.

Item GROUP #2, with an average value of 5.00 points (6 points of system protection, 4 points of own protection). In plain terms: the data is not available all the time or is only partially accessible. The system protection level means MITM is prevented or fake certificate importing is prevented, but plaintext non-protected traffic is intercepted; the own protection level means the protection is bypassed by fake/stolen root certificates.

– Environment (‘Device Information’ Group) – Different info about the environment of the device, including app lists, device info, OS name and versions, updates, a list of users, network details, etc. This group covers details about your device.

– Device Data (‘Analytics ‘n’ Ads Information’ Group) – Device ID, Device Name, Device OS Name and Version, and jailbroken/root status. This group covers any info related to analytics services like Flurry, Google Analytics, etc., or advertisements.

– Credentials (IDs) (‘Credentials Information’ Group) – Only account IDs, like app or 3rd party user IDs, including emails, phone numbers, usernames, etc. (depends on the app). This group covers any type of credentials, including basic (IDs only), passwords, tokens, etc.

– Credentials (IDs) (‘Loyalty Information’ Group) – Only account IDs, like app or 3rd party user IDs, including emails, phone numbers, usernames, etc. (depends on the app). This group covers any information related to known reward programs, like membership, current rewards, etc.

– Account Data (‘Account Information’ Group) – Basic info about the account, like name, a list of sub-accounts (e.g. financial or other) and some linked data like a phone number. This group covers any info related to profiles, basic credential IDs like email, username or phone number, plus some more info depending on the application.

– Address Data (‘Account Information’ Group) – Home, work or another type of owner address stored by apps. This group covers any info related to profiles, basic credential IDs like email, username or phone number, plus some more info depending on the application.

– Card Short Number (‘Financial Information’ Group) – Several digits of your card: the first 4 to 6 digits and the last 6 to 4 digits. This group covers any info that describes payment capabilities.

– Account Data (‘Loyalty Information’ Group) – Basic info about the account, like name, a list of sub-accounts (e.g. financial or other) and some linked data like a phone number. This group covers any information related to known reward programs, like membership, current rewards, etc.

– Card Address (‘Financial Information’ Group) – Home or work address of the owner related to their bank account and cards. This group covers any info that describes payment capabilities.

– Tracked Data ‘n’ Favorites (‘Travel Information’ Group) – Any favorites data or tracked data marked as desirable by users and for users (for example, that the user is on FB Messenger, Viber or a bank client, or a favourite hotel, room type, flight route or airline). This group covers any travel info like flight, accommodation, ground transportation, etc.

– Tracked Data ‘n’ Favorites (‘Loyalty Information’ Group) – Any favorites data or tracked data marked as desirable by users and for users (for example, that the user is on FB Messenger, Viber or a bank client, or a favourite hotel, room type, flight route or airline). This group covers any information related to known reward programs, like membership, current rewards, etc.

– Orders & Reservation Details (‘Booking ‘n’ Purchases Information’ Group) – Full info about orders and reservations, like ID, date and time, amount of payment, flight routes, hotel or other order details, rules, linked data. This group covers any info related to your bookings and purchases, like travel, app or another kind of purchase.

– Orders & Reservation History (‘Booking ‘n’ Purchases Information’ Group) – Basic info about orders and reservations, like ID, date and time, amount of payment, and place (depends on the app). This group covers any info related to your bookings and purchases, like travel, app or another kind of purchase.

– Travel Details (‘Travel Information’ Group) – Full info about accommodation (hotel, address, contacts, room, date and time, facilities, media data), flights (routes, location, date and time, media data) or ground transportation (routes, location, date and time, media data). This group covers any travel info like flight, accommodation, ground transportation, etc.

– GEO Data (‘Analytics ‘n’ Ads Information’ Group) – Any GEO info stored as plain text that refers to places or tracked activity. This group covers any info related to analytics services like Flurry, Google Analytics, etc., or advertisements.

– Device Details (‘Analytics ‘n’ Ads Information’ Group) – Includes basic device details plus hardware key and fingerprints as well as IMEI. This group covers any info related to analytics services like Flurry, Google Analytics, etc., or advertisements.

– GEO Data (‘Travel Information’ Group) – Any GEO info stored as plain text that refers to places or tracked activity. This group covers any travel info like flight, accommodation, ground transportation, etc.

– Media Data (‘Travel Information’ Group) – Any info like images, audio, videos, media notes, etc. This group covers any travel info like flight, accommodation, ground transportation, etc.

– GEO Snapshots (‘Travel Information’ Group) – Image-based snapshots of geodata that refer to places. This group covers any travel info like flight, accommodation, ground transportation, etc.

– GEO Snapshots (‘Booking ‘n’ Purchases Information’ Group) – Image-based snapshots of geodata that refer to places. This group covers any info related to your bookings and purchases, like travel, app or another kind of purchase.

Item GROUP #3, with an average value of 5.50 points (6 points of system protection, 5 points of own protection). In plain terms: the data is not available all the time or is only partially accessible. The system protection level means MITM is prevented or fake certificate importing is prevented, but plaintext non-protected traffic is intercepted; the own protection level means server-side limitations (SSL validation/pinning, limited access to outdated records) and client-side limitations (pinning with user-decision behavior, an additionally encrypted/hashed data item, or own cert storage).

– Credentials (Passwords) (‘Credentials Information’ Group) – Well-known passwords or PINs you’re using to get access to your account (usually worse than tokens, because a password gives full access to your account). This group covers any type of credentials, including basic (IDs only), passwords, tokens, etc.

– Credentials (Passwords) (‘Loyalty Information’ Group) – Well-known passwords or PINs you’re using to get access to your account (usually worse than tokens, because a password gives full access to your account). This group covers any information related to known reward programs, like membership, current rewards, etc.

Item GROUP #4, with an average value of 7.00 points (6 points of system protection, 8 points of own protection). In plain terms: the protection is compliant, but there are publicly known techniques to access the data, including forensic ones. The system protection level means MITM is prevented or fake certificate importing is prevented, but plaintext non-protected traffic is intercepted; the own protection level means own VPN or own crypto, but compliant.

– Card Short Information (‘Financial Information’ Group) – Some info about the card holder, the card number (full or short) and expiration. This group covers any info that describes payment capabilities.

– Credentials (Access IDs) (‘Credentials Information’ Group) – Different tokens used to get access to your account, except for passwords but including app or 3rd party tokens, secret keys, etc. (these usually don’t give full access to your account, because access is based on the permissions linked to these tokens). This group covers any type of credentials, including basic (IDs only), passwords, tokens, etc.

Keep in mind that if you’re using an out-of-date Android version < 7.0, the system level equals 4 points instead of 6. It means your data can be stolen with a crafted preinstalled certificate on the device, or if someone makes you install a certificate. Also, if you’re using an out-of-date Android version < 5.0, the system level equals 2 points instead of 4. It means your data can be stolen without any action on your part.

Privacy Policy

The full application privacy policy is available here.

Follow the link above for the privacy policy details, to compare the developer’s view of data protection with our results.