Marriott International (Android / Google Play)

175x175bb (97)

This application is available for Android. This app is designed to make booking hotels and travel accommodations with over 4,000 hotels and resorts in over 78 countries that you can quickly find accommodations and make reservations across any of Marriott’s 19 hotel brands. The latest build was released on March 10, 2017. Our latest check was performed on Feb 26th, 2017.

Findings Summary

Our examination revealed total 41 items, where were 4 DAR items and 37 DIT items found. Among DAR items were found 0 worst items, 2 bad items, 1 good item, and 1 best item. Among DIT items were found 3 worst items, 0 bad items, 32 good items, and 1 best item.

Below you find 4 infographics summarizing what we described above. Each image provides information about both DAR and DIT items.

 

This slideshow requires JavaScript.


Everything presented below is related to well-known CWEs, such as Sensitive data leakage [CWE-200], Unsafe sensitive data storage [CWE-312], Unsafe sensitive data transmission [CWE-319]. You can read more about it here.

Now let’s go deeper and examine each data item’s protection level.

 

Application Description

Let’s cite the description of this application below:

The Marriott mobile app makes booking hotels and travel accommodations easier than ever. With over 4,000 hotels and resorts in over 78 countries, you can quickly find accommodations and make reservations across any of Marriott’s 19 hotel brands. Plus, with exclusive member benefits including mobile check-in and checkout features as well as instant room ready updates, you can manage all your trips from your mobile device.

  • With Mobile Requests, the latest feature for Marriott Rewards members, you can chat with hotel associates and make requests for amenities before you arrive. Now available at over 700 hotels and resorts around the world.
  • Mobile Check-In with Priority Room Assignments. Elite Members get access to priority late check-out requests.
  • Enjoy Marriott Rewards Member Rates where members get our lowest prices, at every hotel, all the time when booking through our app.
  • Enroll quickly in Marriott Rewards, save your preferences and earn points when booking your trip at thousands of hotels and resorts around the world.
  • Browse hotel photos, maps, city guides and amenities, or call a hotel (if supported by your device).
  • View upcoming trip reservations, add them to your calendar and make cancellations.
  • Available in English, French, Spanish, German, and Chinese.

Visit http://mobileapp.marriott.com/ for more details.
Download our app and book a trip at one of Marriott’s 19 brands including The Ritz-Carlton, EDITION, JW Marriott, Autograph Collection Hotels, Renaissance Hotels, AC Hotels by Marriott, Delta Hotels and Resorts, Moxy Hotels, Marriott Hotels, Gaylord Hotels, Courtyard, SpringHill Suites, Fairfield Inn & Suites, Protea Hotels, Residence Inn, Towneplace Suites, Marriott Executive Apartments and Marriott Vacation Club.

 

Protection levels.

Locally stored data (Data-at-Rest, DAR).

Locally stored data groups include Booking ‘n’ Purchases Information, Device Information, Credentials Information.
The average DAR value is 5.00 points (7.00 points of system protection and 3.00 points of own protection). It is higher than a typical value (3.5 points, where’s 7 points of system protection and 0 points of own protection).

Items’ GROUP #1 with average value 6.00 points (7 points of system protection, 5 points of own protection) means data protection levels have following definitions. Frankly talking, protection and privacy issues are still possible but might involve interaction with an app code where system protection level means – root/jailbreak is required but not possible without wiping device data, and own protection level means – wiping/not storing most of time/storing up-to-date info (last 30-180 days) locally only.

– Orders & Reservation History (‘Booking ‘n’ Purchases Information’ Group) – Basic info about orders, reservations, like ID, date and time, amount of payment, and place (depends on apps). This data item related to mentioned group meant to be any info related to your booking and purchases like travel, app or another kind of purchases

Items’ GROUP #2 with average value 3.50 points (7 points of system protection, 0 points of own protection) means data protection levels have following definitions. Frankly talking, extra data found that shouldn’t be accessed where system protection level means – root/jailbreak is required but not possible without wiping device data, and own protection level means – stored as is.

– Device Data (‘Device Information’ Group) – Device ID, Device Name, Device OS Name and Version, and jailbroken/root status. This data item related to mentioned group meant to be details about your device,

– Credentials (Tokens) (‘Credentials Information’ Group) – Different tokens used to get access to your account, except for passwords but including app or 3rd party tokens, secret keys, etc. (usually give full access to your account). This data item related to mentioned group meant to be any types of credentials including basic (IDs only), passwords, tokens, etc.

Items’ GROUP #3 with average value 7.00 points (7 points of system protection, 7 points of own protection) means data protection levels have following definitions. Frankly talking, compliance but there are publicly known techniques to access the data including forensics one where system protection level means – root/jailbreak is required but not possible without wiping device data, and own protection level means – data stored in system protected place like keychain (no additional protection still).

– Credentials (IDs) (‘Credentials Information’ Group) – Only account IDs like app or 3rd party user IDs including emails, phone number, usernames, etc. (depends on apps). This data item related to mentioned group meant to be any types of credentials including basic (IDs only), passwords, tokens, etc.

Keep in mind if you’re using some Android devices such Samsung, LG or another device with an unlocked or non-locked loader that allow rooting your device without user action, the system level equals 6 points instead of 7. It means your data can be stolen without involving your actions.

Transferred data (Data-in-Transit, DIT).

Transferred data groups include Device Information, Travel Information, Location ‘n’ Maps Information, Credentials Information, Personal ‘n’ Private Information, Account Information, Loyalty Information, Media Information, Analytics ‘n’ Ads Information, Booking ‘n’ Purchases Information, Payment ‘n’ Transaction Information, Financial Information, Browser Information.
The average DIT value is 4.62 points (5.51 point of system protection and 3.73 points of own protection). It is higher than a typical value (4 points, where’s 4 points of system protection and 4 points of own protection).

Items’ GROUP #1 with average value 5.00 points (6 points of system protection, 4 points of own protection) means data protection levels have following definitions. Frankly talking, data is not available all the time or partially accessed where system protection level means – MITM prevented or fake certificate importing prevented, but plaintext non-protected traffic is intercepted, and own protection level means – bypassed by fake/stolen root certificates.

– Environment (‘Device Information’ Group) – Different info about the environment of the device including apps lists, device info, OS name and versions, updates, a list of users, network details, etc. This data item related to mentioned group meant to be details about your device,

– Tracked Data ‘n’ Favorites (‘Travel Information’ Group) – Any favorites data or tracked data marked as desirable by users and for users (Means, user is on FB messenger, Viber, bank client or favourite hotel, room type, flight route, airline). This data item related to mentioned group meant to be any travel info like flight, accommodation, ground transportation, etc.,

– Tracked Data ‘n’ Favorites (‘Location ‘n’ Maps Information’ Group) – Any favorites data or tracked data marked as desirable by users and for users (Means, user is on FB messenger, Viber, bank client or favourite hotel, room type, flight route, airline). This data item related to mentioned group meant to be any geodata from trackers, social networks, GPS, etc.,

– Credentials (IDs) (‘Credentials Information’ Group) – Only account IDs like app or 3rd party user IDs including emails, phone number, usernames, etc. (depends on apps). This data item related to mentioned group meant to be any types of credentials including basic (IDs only), passwords, tokens, etc.,

– Credentials (Passwords) (‘Credentials Information’ Group) – Well-known passwords or PINs you’re using to get access to your account (usually it is worse than tokens because it gives full access to your account). This data item related to mentioned group meant to be any types of credentials including basic (IDs only), passwords, tokens, etc.,

– Credentials (Tokens) (‘Credentials Information’ Group) – Different tokens used to get access to your account, except for passwords but including app or 3rd party tokens, secret keys, etc. (usually give full access to your account). This data item related to mentioned group meant to be any types of credentials including basic (IDs only), passwords, tokens, etc.,

– Personalization (‘Personal ‘n’ Private Information’ Group) – Info describes user preferences, favorites, tracked data, search requests, suggestions, etc. This data item related to mentioned group meant to be any personal and private info is not grabbed from the 3rd party social networks or your IDs,

– Tracked Data ‘n’ Favorites (‘Personal ‘n’ Private Information’ Group) – Any favorites data or tracked data marked as desirable by users and for users (Means, user is on FB messenger, Viber, bank client or favourite hotel, room type, flight route, airline). This data item related to mentioned group meant to be any personal and private info is not grabbed from the 3rd party social networks or your IDs,

– Account Details (‘Account Information’ Group) – Full info about your account including account membership, expiration, profile, linked data and account, etc. This data item related to mentioned group meant to be any info related to profiles, basic credential IDs like email or username or phone number plus some more info depends on applications,

– Address Data (‘Account Information’ Group) – Home, work or another type of owner address stored by apps. This data item related to mentioned group meant to be any info related to profiles, basic credential IDs like email or username or phone number plus some more info depends on applications,

– Credentials (IDs) (‘Loyalty Information’ Group) – Only account IDs like app or 3rd party user IDs including emails, phone number, usernames, etc. (depends on apps). This data item related to mentioned group meant to be any information related to known reward programs like membership, current rewards, etc.,

– Credentials (Passwords) (‘Loyalty Information’ Group) – Well-known passwords or PINs you’re using to get access to your account (usually it is worse than tokens because it gives full access to your account). This data item related to mentioned group meant to be any information related to known reward programs like membership, current rewards, etc.,

– Account Details (‘Loyalty Information’ Group) – Full info about your account including account membership, expiration, profile, linked data and account, etc. This data item related to mentioned group meant to be any information related to known reward programs like membership, current rewards, etc.,

– Device Data (‘Analytics ‘n’ Ads Information’ Group) – Device ID, Device Name, Device OS Name and Version, and jailbroken/root status. This data item related to mentioned group meant to be any info related to analytics services like Flurry, Google Analytics, etc. or advertisements,

– Network Data (‘Analytics ‘n’ Ads Information’ Group) – Basic info about network used to make a connection, such as a device like IP, connection type. This data item related to mentioned group meant to be any info related to analytics services like Flurry, Google Analytics, etc. or advertisements,

– Orders & Reservation Details (‘Booking ‘n’ Purchases Information’ Group) – Full info about orders, reservations, like ID, date and time, amount of payment, flight routes, hotel or another order details, rules, linked data. This data item related to mentioned group meant to be any info related to your booking and purchases like travel, app or another kind of purchases,

– Address Data (‘Travel Information’ Group) – Home, work or another type of owner address stored by apps. This data item related to mentioned group meant to be any travel info like flight, accommodation, ground transportation, etc.,

– GEO Data (‘Travel Information’ Group) – Any GEO info stored as plain text referred to the places or tracked activity. This data item related to mentioned group meant to be any travel info like flight, accommodation, ground transportation, etc.,

– Media Data (‘Travel Information’ Group) – Any info like images, audios, videos, media notes, etc. This data item related to mentioned group meant to be any travel info like flight, accommodation, ground transportation, etc.,

– Travel Details (‘Travel Information’ Group) – Full info about accommodation (hotel, address, contacts, room, date and time, facilities, media data), flights (routes, location, date and time, media data) or ground (routes, location, date and time, media data). This data item related to mentioned group meant to be any travel info like flight, accommodation, ground transportation, etc.,

– Card Short Information (‘Payment ‘n’ Transaction Information’ Group) – Some info about card holder, card number full or short) and expiration. This data item related to mentioned group meant to be details about transactions and payment data involved into transaction records,

– Card Short Information (‘Financial Information’ Group) – Some info about card holder, card number full or short) and expiration. This data item related to mentioned group meant to be any info that describe payments capabilities,

– Card Verification Code (‘Payment ‘n’ Transaction Information’ Group) – CVC, CVV stored separately from rest card info. This data item related to mentioned group meant to be details about transactions and payment data involved into transaction records,

– Credentials (IDs) (‘Browser Information’ Group) – Only account IDs like app or 3rd party user IDs including emails, phone number, usernames, etc. (depends on apps). This data item related to mentioned group meant to be any info browser stores (credentials, history, cached documents, media, etc.) and activities made via browser instead of native app,

– Credentials (Passwords) (‘Browser Information’ Group) – Well-known passwords or PINs you’re using to get access to your account (usually it is worse than tokens because it gives full access to your account). This data item related to mentioned group meant to be any info browser stores (credentials, history, cached documents, media, etc.) and activities made via browser instead of native app,

– Personalization (‘Browser Information’ Group) – Info describes user preferences, favorites, tracked data, search requests, suggestions, etc. This data item related to mentioned group meant to be any info browser stores (credentials, history, cached documents, media, etc.) and activities made via browser instead of native app,

– Tracked Data ‘n’ Favorites (‘Browser Information’ Group) – Any favorites data or tracked data marked as desirable by users and for users (Means, user is on FB messenger, Viber, bank client or favourite hotel, room type, flight route, airline). This data item related to mentioned group meant to be any info browser stores (credentials, history, cached documents, media, etc.) and activities made via browser instead of native app,

– Travel Details (‘Browser Information’ Group) – Full info about accommodation (hotel, address, contacts, room, date and time, facilities, media data), flights (routes, location, date and time, media data) or ground (routes, location, date and time, media data). This data item related to mentioned group meant to be any info browser stores (credentials, history, cached documents, media, etc.) and activities made via browser instead of native app,

– Orders & Reservation Details (‘Browser Information’ Group) – Full info about orders, reservations, like ID, date and time, amount of payment, flight routes, hotel or another order details, rules, linked data. This data item related to mentioned group meant to be any info browser stores (credentials, history, cached documents, media, etc.) and activities made via browser instead of native app,

– Card Short Information (‘Browser Information’ Group) – Some info about card holder, card number full or short) and expiration. This data item related to mentioned group meant to be any info browser stores (credentials, history, cached documents, media, etc.) and activities made via browser instead of native app,

– Card Verification Code (‘Browser Information’ Group) – CVC, CVV stored separately from rest card info. This data item related to mentioned group meant to be any info browser stores (credentials, history, cached documents, media, etc.) and activities made via browser instead of native app

Items’ GROUP #2 with average value 0.00 points (0 points of system protection, 0 points of own protection) means data protection levels have following definitions. Frankly talking, data ‘as is’ and easily accessed (plaintext, no protection at all) where system protection level means – transferred (or supposed to be) ‘as is’ (plaintext) due to jailbreak/root or preinstalled non-trusted firmware, certificates, etc., and own protection level means – transferred as is, perhaps protection mode turns off or doesn’t exist or info reveal eventually.

– Tracked Data ‘n’ Favorites (‘Media Information’ Group) – Any favorites data or tracked data marked as desirable by users and for users (Means, user is on FB messenger, Viber, bank client or favourite hotel, room type, flight route, airline). This data item related to mentioned group meant to be any data like photo, image, video, audio,

– Environment (‘Analytics ‘n’ Ads Information’ Group) – Different info about the environment of the device including apps lists, device info, OS name and versions, updates, a list of users, network details, etc. This data item related to mentioned group meant to be any info related to analytics services like Flurry, Google Analytics, etc. or advertisements,

– Maps Data (‘Location ‘n’ Maps Information’ Group) – Map data loaded by internal (native) or third party map applications like Apple/Google Maps or another one. This data item related to mentioned group meant to be any geodata from trackers, social networks, GPS, etc.

Items’ GROUP #3 with average value 5.50 points (6 points of system protection, 5 points of own protection) means data protection levels have following definitions. Frankly talking, data is not available all the time or partially accessed where system protection level means – MITM prevented or fake certificate importing prevented, but plaintext non-protected traffic is intercepted, and own protection level means – server-side limitations (SSL validation/pinning, limited access to outdated records) and client-side limitations (pinning with user-decision behavior, additionally ecnrypted/hashed data item, or own cert storage).

– Orders & Reservation History (‘Booking ‘n’ Purchases Information’ Group) – Basic info about orders, reservations, like ID, date and time, amount of payment, and place (depends on apps). This data item related to mentioned group meant to be any info related to your booking and purchases like travel, app or another kind of purchases,

– Orders & Reservation History (‘Browser Information’ Group) – Basic info about orders, reservations, like ID, date and time, amount of payment, and place (depends on apps). This data item related to mentioned group meant to be any info browser stores (credentials, history, cached documents, media, etc.) and activities made via browser instead of native app

Keep in mind if you’re using out-of-date Android < 7.0, the system level equals 4 points instead of 6. It means your data can be stolen with a crafted preinstalled certificate on the device or if someone makes you install a certificate. Also, if you’re using out-of-date Android < 5.0, the system level equals 2 points instead of 4. It means your data can be stolen without involving your actions.

Privacy Policy

Full application privacy policy is available here.

You may find privacy policy details proceeding the link above to compare developer’s vision on data protection with our results.