Many of the popular mobile travel apps that consumers use to book flights, hotel reservations and other travel arrangements are riddled with critical vulnerabilities that put consumer data at risk.
Travel Apps Are a Security Minefield
Mobile application security vendor Bluebox Security recently reviewed the 10 most popular mobile travel applications for both iOS and Android devices in its “2015 Travel App Security Study.” It found that virtually none of them had adequate controls for protecting credit card information, travel history and other sensitive data. Bluebox compared each app against a list of more than one dozen basic security features to see how the programs would measure up.
What it discovered was quite eye-opening. For instance, only 1 in 10 of the Android applications reviewed encrypted data at rest, while not one of the iOS travel apps had that feature. As a result, sensitive data collected by these apps — including usernames, passwords and credit card numbers — is stored in plaintext in the applications. Only one of the 10 iOS apps and just two of the Android applications had controls for encrypting data in transit.
None of the programs had any anti-tampering mechanisms to prevent threat actors from reverse engineering the applications, inserting malicious code and redistributing them. Only two of the apps studied used even rudimentary obfuscation techniques to prevent cybercriminals from gleaning how the application’s code works at a cursory glance, Bluebox said. Not one of either the Android or the iOS mobile travel apps had the ability to detect jailbroken or rooted devices.
A Worrisome Trend
The Bluebox review uncovered other shortcomings as well. Some 40 percent of the Android applications and 60 percent of the iOS programs contained features that could let users take full administrative control of the application, including the ability to debug it. The admin/debug code present in these applications is typically meant for use by developers and testers — not end users.
The review suggested that the makers of travel apps are focused more on integrating new features and functions into their products than they are with security, Bluebox said in a statement announcing the results. “In too many cases, rapid advancement in these apps have completely overlooked security,” the company said.
This trend is worrisome, considering the enormous popularity of mobile travel applications. Last year, a report from Criteo showed that travel bookings using mobile phones are growing sharply: Smartphones and tablets account for 21 percent of all hotel bookings. Additionally, the average value of air travel reservations made via mobile devices was 21 percent higher than the average value for desktop bookings, and the figure was 13 percent higher for car rentals, the study showed.
Third-Party Code Use
One major problem appears to be the heavy code reuse in mobile travel applications. On average, barely 30 percent of the code in the applications that Bluebox reviewed was developed internally. The remaining code consisted of third-party software components and libraries assembled from multiple sources.
The practice of using code from external sources to build mobile applications is fairly common. Many developers use such code to integrate common functions such as data storage and networking in their products. The practice allows developers to focus on their area of specialization while also getting products to market faster.
However, the massive amount of third-party code present in the travel applications reviewed is worrisome, Bluebox said. The tendency to rely so heavily on external code greatly increases the risk of vulnerabilities being introduced in products without the developer’s knowledge, the report indicated.
Bluebox did not identify any of the applications that it reviewed by name and instead merely noted that the apps it looked at were based on App Annie’s list of the top iOS and Android apps in the mobile travel category. Users must remain aware of the risks present in any mobile app they download and ensure they aren’t handing out unprotected personal information.