Popular iOS, Android travel apps fail in security, privacy tests

The top 30 leading Android and iOS apps in the travel and tourism business fare poorly in security and privacy tests

Cyber-risk is high for the hospitality sector, given that business and leisure travel offers a treasure trove of personal and financial data. The top 30 leading apps in the travel and tourism business -- Android and iOS -- have fared poorly in security and privacy tests, found mobile security researchers from Zimperium’s zLabs.

Of the 30 most popular travel applications on both iOS and Android in August 2019, 100 percent of iOS-based apps and 45 percent of Android-based apps failed to pass the privacy benchmark, while all iOS-based apps and 97 percent of Android-based apps failed to clear the security test, said the research report.

"We chose the Android apps based on downloads and the iOS apps based on high reviews (iOS)," Zimperium product strategy VP JT Keating told SC Media UK. "The apps are from all over the world and cater to geographies all over the world."

Researchers assigned each application a grade. A passing grade meant the app had very few risks and did an above-average job of protecting user data. An average grade indicated that the app had risks that needed to be addressed and did an average job of protecting user data. A failing grade showed that the app had significant risks and did a below-average job of protecting user data.

Privacy

All of the iOS-based apps and nearly half of the Android-based apps analysed failed to receive a passing privacy grade.

Nearly 98 percent (29) of the iOS apps can take screenshots of the full UI, which lets an attacker learn everything from installed apps to credentials; 73 percent (22) implement pin-point location functionality that Apple only allows in navigation apps; and 17 percent (5) attempt to access contacts from the Address Book, exposing those records to theft and abuse.

Research conducted by TechCrunch in February had already noted that iPhone apps were able to take screenshots of users' screens without their knowledge or consent.

Android apps fared much better when it came to privacy. However, 90 percent (27 apps) of them retrieved the device's last known GPS coordinates; 80 percent (24) included the Crashlytics SDK, which can collect PII such as UUID, IP address, name and email; and 57 percent (17 apps) retrieved clipboard contents, exposing any captured data to theft.

Three apps (10 percent) had access to phone call history. "There is no reason for a travel app to need this information and it can expose it to an attacker," said the report.

Two apps (7 percent) use an insecure content provider, allowing other applications including malicious ones on the device to potentially steal data from these travel apps, noted the report.

Security

All the iOS apps observed had an authentication method that can be used to override SSL and TLS chain validation. "This can allow attackers to intercept the communication of sensitive data between the app and the Internet," said the report.

Two of them (7 percent) implement an over-the-air app installation method, which circumvents Apple's review process and can enable the installation of unvetted and potentially malicious functionality, the report noted.

More than half of the Android apps analysed (17) enable the injection of Java objects at runtime, which an attacker can leverage to inject malicious code.

The same number of apps enable WebView to execute JavaScript code. "This could potentially allow an attacker to introduce arbitrary JavaScript code to perform malicious actions or exploitation. This is a common attack vector that has been exploited by many zero-day vulnerabilities (e.g., Pegasus, Stagefright)," the report explained.
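The Android findings above (an exported content provider with no permission guard, Java objects exposed to a WebView, and JavaScript enabled in a WebView) are visible in source and manifest before release. The check below is an added example written for this article, not Zimperium's tooling; the patterns, the sample Java snippet and the sample manifest are constructed, and it assumes the API 17+ default that a provider without `android:exported` is not exported.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Source-level indicators for the two WebView findings in the report
# (constructed patterns for this example, not Zimperium's scanner).
JAVA_CHECKS = {
    "webview_js_enabled": re.compile(r"setJavaScriptEnabled\(\s*true\s*\)"),
    "java_object_injection": re.compile(r"\.addJavascriptInterface\("),
}


def scan_java_source(src):
    """Return the names of risky WebView patterns present in a Java source string."""
    return [name for name, pat in JAVA_CHECKS.items() if pat.search(src)]


def insecure_providers(manifest_xml):
    """Return authorities of providers that are exported without any permission guard."""
    # Assumes the API 17+ default: a provider without android:exported is not exported.
    root = ET.fromstring(manifest_xml)
    found = []
    for prov in root.iter("provider"):
        exported = prov.get(ANDROID_NS + "exported", "false") == "true"
        guarded = any(prov.get(ANDROID_NS + attr)
                      for attr in ("permission", "readPermission", "writePermission"))
        if exported and not guarded:
            found.append(prov.get(ANDROID_NS + "authorities", "<no authority>"))
    return found


# Constructed sample input: a WebView set up the risky way, and a manifest with
# one unguarded exported provider and one protected by a read permission.
SAMPLE_JAVA = """
WebView wv = findViewById(R.id.booking_view);
wv.getSettings().setJavaScriptEnabled(true);
wv.addJavascriptInterface(new BookingBridge(), "Android");
"""

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.travel">
  <application>
    <provider android:name=".ItineraryProvider" android:authorities="com.example.travel.itinerary" android:exported="true"/>
    <provider android:name=".CacheProvider" android:authorities="com.example.travel.cache" android:exported="true" android:readPermission="com.example.travel.READ_CACHE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print("WebView findings:", scan_java_source(SAMPLE_JAVA))
    print("Unguarded exported providers:", insecure_providers(SAMPLE_MANIFEST))
```

Run against decompiled sources or the project tree, a hit on either WebView pattern or on an unguarded provider is the point at which to ask whether the feature needs the exposure at all.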

"The apps failed for a variety of reasons, but Zimperium believes the primary ones are time/feature pressures and a lack of awareness/testing around security and privacy risks and benchmarks," Keating told SC Media UK.

"There were instances where authentication steps were not done properly, and where communications were insecure, but none that blatantly omitted basic steps like passwords or two-factor authentication," he added.

Faulty steps

Travel data has always been in the news for faulty management and breaches. UK-based travel company Teletext Holidays left a trove of its customer data unsecured, exposing 0.53 million files, including some 0.2 million audio files of calls made by customers.

Air Canada disclosed in August 2018 that its app had suffered a data breach, warning users that passport details entered into the product may have been stolen.

British Airways is facing a £183 million penalty -- the first indictment under the GDPR -- for the breach of its security systems in 2018. Researchers found in August that a vulnerability in its e-ticketing system had exposed personally identifiable information (PII) of its passengers.

The business pressure to ship new features forces organisations to cut corners on security and privacy protections, Keating observed.

It was also possible that developers were not aware of benchmarks like the Open Web Application Security Project (OWASP) Mobile Top Ten, or did not have the testing capabilities, provided by cyber-security organisations, that would automatically show them the risks, he added.

Lack of standardisation

The research team also analysed each of the applications against the OWASP Mobile Top 10 application development best practices.

Of the 60 apps analysed, 92 percent (55 apps) are vulnerable to reverse engineering, which attackers use to create imposter apps; 70 percent (42) do not properly secure the communication of sensitive data; 57 percent (34) do not properly secure the storage of sensitive data; and half of them are vulnerable to code tampering.

Best practices like OWASP fall short because they are not mandatory, noted Keating.

"OWASP is a set of best practices guidelines but is not mandatory. There's not a global standard; the National Information Assurance Partnership (NIAP) in the US is likely the closest thing, but it is not mandatory either," he said.
