September 16, 2015 By Jaikumar Vijayan 3 min read

Many of the popular mobile travel apps that consumers use to book flights, hotel reservations and other travel arrangements are riddled with critical vulnerabilities that put consumer data at risk.

Travel Apps Are a Security Minefield

Mobile application security vendor Bluebox Security recently reviewed the 10 most popular mobile travel applications for both iOS and Android devices in its “2015 Travel App Security Study.” It found that virtually none of them had adequate controls for protecting credit card information, travel history and other sensitive data. Bluebox compared each app against a list of more than one dozen basic security features to see how the programs would measure up.

What it discovered was quite eye-opening. For instance, only 1 in 10 of the Android applications reviewed encrypted data at rest, while not one of the iOS travel apps had that feature. As a result, sensitive data collected by these apps — including usernames, passwords and credit card numbers — is stored in plaintext in the applications. Only one of the 10 iOS apps and just two of the Android applications had controls for encrypting data in transit.

None of the programs had any anti-tampering mechanisms to prevent threat actors from reverse engineering the applications, inserting malicious code and redistributing them. Only two of the apps studied used even rudimentary obfuscation techniques to prevent cybercriminals from gleaning how the application’s code works at a cursory glance, Bluebox said. Not one of either the Android or the iOS mobile travel apps had the ability to detect jailbroken or rooted devices.

A Worrisome Trend

The Bluebox review uncovered other shortcomings as well. Some 40 percent of the Android applications and 60 percent of the iOS programs contained features that could let users take full administrative control of the application, including the ability to debug it. The admin/debug code present in these applications is typically meant for use by developers and testers — not end users.

The review suggested that the makers of travel apps are focused more on integrating new features and functions into their products than they are with security, Bluebox said in a statement announcing the results. “In too many cases, rapid advancement in these apps have completely overlooked security,” the company said.

This trend is worrisome, considering the enormous popularity of mobile travel applications. Last year, a report from Criteo showed that travel bookings using mobile phones are growing sharply: Smartphones and tablets account for 21 percent of all hotel bookings. Additionally, the average value of air travel reservations made via mobile devices was 21 percent higher than the average value for desktop bookings, and the figure was 13 percent higher for car rentals, the study showed.

Third-Party Code Use

One major problem appears to be the heavy code reuse in mobile travel applications. On average, barely 30 percent of the code in the applications that Bluebox reviewed was developed internally. The remaining code consisted of third-party software components and libraries assembled from multiple sources.

The practice of using code from external sources to build mobile applications is fairly common. Many developers use such code to integrate common functions such as data storage and networking in their products. The practice allows developers to focus on their area of specialization while also getting products to market faster.

However, the massive amount of third-party code present in the travel applications reviewed is worrisome, Bluebox said. The tendency to rely so heavily on external code greatly increases the risk of vulnerabilities being introduced in products without the developer’s knowledge, the report indicated.

Bluebox did not identify any of the applications that it reviewed by name and instead merely noted that the apps it looked at were based on App Annie’s list of the top iOS and Android apps in the mobile travel category. Users must remain aware of the risks present in any mobile app they download and ensure they aren’t handing out unprotected personal information.

More from

Regulatory harmonization in OT-critical infrastructure faces hurdles

3 min read - In an effort to enhance cyber resilience across critical infrastructure, the Office of the National Cyber Director (ONCD) has recently released a summary of feedback from its 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI). The responses reveal major concerns from critical infrastructure industries related to operational technology (OT), such as energy, transport and manufacturing. Their worries include the current fragmented regulatory landscape and difficulty adapting to new cyber regulations. The frustration appears to be unanimous. Meanwhile, the magnitude of…

Generative AI security requires a solid framework

4 min read - How many companies intentionally refuse to use AI to get their work done faster and more efficiently? Probably none: the advantages of AI are too great to deny.The benefits AI models offer to organizations are undeniable, especially for optimizing critical operations and outputs. However, generative AI also comes with risk. According to the IBM Institute for Business Value, 96% of executives say adopting generative AI makes a security breach likely in their organization within the next three years.CISA Director Jen…

Q&A with Valentina Palmiotti, aka chompie

4 min read - The Pwn2Own computer hacking contest has been around since 2007, and during that time, there has never been a female to score a full win — until now.This milestone was reached at Pwn2Own 2024 in Vancouver, where two women, Valentina Palmiotti and Emma Kirkpatrick, each secured full wins by exploiting kernel vulnerabilities in Microsoft Windows 11. Prior to this year, only Amy Burnett and Alisa Esage had competed in the contest's 17-year history, with Esage achieving a partial win in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today