September 16, 2015 By Jaikumar Vijayan 3 min read

Many of the popular mobile travel apps that consumers use to book flights, hotel reservations and other travel arrangements are riddled with critical vulnerabilities that put consumer data at risk.

Travel Apps Are a Security Minefield

Mobile application security vendor Bluebox Security recently reviewed the 10 most popular mobile travel applications for both iOS and Android devices in its “2015 Travel App Security Study.” It found that virtually none of them had adequate controls for protecting credit card information, travel history and other sensitive data. Bluebox compared each app against a list of more than one dozen basic security features to see how the programs would measure up.

What it discovered was quite eye-opening. For instance, only 1 in 10 of the Android applications reviewed encrypted data at rest, while not one of the iOS travel apps had that feature. As a result, sensitive data collected by these apps — including usernames, passwords and credit card numbers — is stored in plaintext in the applications. Only one of the 10 iOS apps and just two of the Android applications had controls for encrypting data in transit.

None of the programs had any anti-tampering mechanisms to prevent threat actors from reverse engineering the applications, inserting malicious code and redistributing them. Only two of the apps studied used even rudimentary obfuscation techniques to prevent cybercriminals from gleaning how the application’s code works at a cursory glance, Bluebox said. Not one of either the Android or the iOS mobile travel apps had the ability to detect jailbroken or rooted devices.

A Worrisome Trend

The Bluebox review uncovered other shortcomings as well. Some 40 percent of the Android applications and 60 percent of the iOS programs contained features that could let users take full administrative control of the application, including the ability to debug it. The admin/debug code present in these applications is typically meant for use by developers and testers — not end users.

The review suggested that the makers of travel apps are focused more on integrating new features and functions into their products than they are with security, Bluebox said in a statement announcing the results. “In too many cases, rapid advancement in these apps have completely overlooked security,” the company said.

This trend is worrisome, considering the enormous popularity of mobile travel applications. Last year, a report from Criteo showed that travel bookings using mobile phones are growing sharply: Smartphones and tablets account for 21 percent of all hotel bookings. Additionally, the average value of air travel reservations made via mobile devices was 21 percent higher than the average value for desktop bookings, and the figure was 13 percent higher for car rentals, the study showed.

Third-Party Code Use

One major problem appears to be the heavy code reuse in mobile travel applications. On average, barely 30 percent of the code in the applications that Bluebox reviewed was developed internally. The remaining code consisted of third-party software components and libraries assembled from multiple sources.

The practice of using code from external sources to build mobile applications is fairly common. Many developers use such code to integrate common functions such as data storage and networking in their products. The practice allows developers to focus on their area of specialization while also getting products to market faster.

However, the massive amount of third-party code present in the travel applications reviewed is worrisome, Bluebox said. The tendency to rely so heavily on external code greatly increases the risk of vulnerabilities being introduced in products without the developer’s knowledge, the report indicated.

Bluebox did not identify any of the applications that it reviewed by name and instead merely noted that the apps it looked at were based on App Annie’s list of the top iOS and Android apps in the mobile travel category. Users must remain aware of the risks present in any mobile app they download and ensure they aren’t handing out unprotected personal information.

More from

Cloud Threat Landscape Report: AI-generated attacks low for the cloud

2 min read - For the last couple of years, a lot of attention has been placed on the evolutionary state of artificial intelligence (AI) technology and its impact on cybersecurity. In many industries, the risks associated with AI-generated attacks are still present and concerning, especially with the global average of data breach costs increasing by 10% from last year.However, according to the most recent Cloud Threat Landscape Report released by IBM’s X-Force team, the near-term threat of an AI-generated attack targeting cloud computing…

Testing the limits of generative AI: How red teaming exposes vulnerabilities in AI models

4 min read - With generative artificial intelligence (gen AI) on the frontlines of information security, red teams play an essential role in identifying vulnerabilities that others can overlook.With the average cost of a data breach reaching an all-time high of $4.88 million in 2024, businesses need to know exactly where their vulnerabilities lie. Given the remarkable pace at which they’re adopting gen AI, there’s a good chance that some of those vulnerabilities lie in AI models themselves — or the data used to…

FBI, CISA issue warning for cross Apple-Android texting

3 min read - CISA and the FBI recently released a joint statement that the People's Republic of China (PRC) is targeting commercial telecommunications infrastructure as part of a significant cyber espionage campaign. As a result, the agencies released a joint guide, Enhanced Visibility and Hardening Guidance for Communications Infrastructure, with best practices organizations and agencies should adopt to protect against this espionage threat. According to the statement, PRC-affiliated actors compromised networks at multiple telecommunication companies. They stole customer call records data as well…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today