September 16, 2015 By Jaikumar Vijayan 3 min read

Many of the popular mobile travel apps that consumers use to book flights, hotel reservations and other travel arrangements are riddled with critical vulnerabilities that put consumer data at risk.

Travel Apps Are a Security Minefield

Mobile application security vendor Bluebox Security recently reviewed the 10 most popular mobile travel applications for both iOS and Android devices in its “2015 Travel App Security Study.” It found that virtually none of them had adequate controls for protecting credit card information, travel history and other sensitive data. Bluebox compared each app against a list of more than one dozen basic security features to see how the programs would measure up.

What it discovered was quite eye-opening. For instance, only 1 in 10 of the Android applications reviewed encrypted data at rest, while not one of the iOS travel apps had that feature. As a result, sensitive data collected by these apps — including usernames, passwords and credit card numbers — is stored in plaintext in the applications. Only one of the 10 iOS apps and just two of the Android applications had controls for encrypting data in transit.

None of the programs had any anti-tampering mechanisms to prevent threat actors from reverse engineering the applications, inserting malicious code and redistributing them. Only two of the apps studied used even rudimentary obfuscation techniques to prevent cybercriminals from gleaning how the application’s code works at a cursory glance, Bluebox said. Not one of either the Android or the iOS mobile travel apps had the ability to detect jailbroken or rooted devices.

A Worrisome Trend

The Bluebox review uncovered other shortcomings as well. Some 40 percent of the Android applications and 60 percent of the iOS programs contained features that could let users take full administrative control of the application, including the ability to debug it. The admin/debug code present in these applications is typically meant for use by developers and testers — not end users.

The review suggested that the makers of travel apps are focused more on integrating new features and functions into their products than they are with security, Bluebox said in a statement announcing the results. “In too many cases, rapid advancement in these apps have completely overlooked security,” the company said.

This trend is worrisome, considering the enormous popularity of mobile travel applications. Last year, a report from Criteo showed that travel bookings using mobile phones are growing sharply: Smartphones and tablets account for 21 percent of all hotel bookings. Additionally, the average value of air travel reservations made via mobile devices was 21 percent higher than the average value for desktop bookings, and the figure was 13 percent higher for car rentals, the study showed.

Third-Party Code Use

One major problem appears to be the heavy code reuse in mobile travel applications. On average, barely 30 percent of the code in the applications that Bluebox reviewed was developed internally. The remaining code consisted of third-party software components and libraries assembled from multiple sources.

The practice of using code from external sources to build mobile applications is fairly common. Many developers use such code to integrate common functions such as data storage and networking in their products. The practice allows developers to focus on their area of specialization while also getting products to market faster.

However, the massive amount of third-party code present in the travel applications reviewed is worrisome, Bluebox said. The tendency to rely so heavily on external code greatly increases the risk of vulnerabilities being introduced in products without the developer’s knowledge, the report indicated.

Bluebox did not identify any of the applications that it reviewed by name and instead merely noted that the apps it looked at were based on App Annie’s list of the top iOS and Android apps in the mobile travel category. Users must remain aware of the risks present in any mobile app they download and ensure they aren’t handing out unprotected personal information.

More from

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today