Security and Privacy Issues Found in Popular Travel Apps
Planned your holiday travel just yet? Too soon? Not according to experts who told The Today Show the best time to book your Thanksgiving AND Christmas travel plans are before Halloween. After Halloween, fares go up, layover possibilities increase as does ending up in the middle seat.
The truth is, whenever you book travel – and more of us are doing so using a mobile app – you must be aware of something more important than price, time and convenience.
Setting travel reservations on your app on your mobile device – whether for work or play – should not open the door to potential security and privacy risks. Unfortunately, that is exactly what is happening. And those risks don’t just impact individuals. Those risks impact businesses.
Mobile devices are endpoints with access to or containing all of the information of a traditional endpoint and are now the de facto platform for productivity in business. Today, the traditional computing devices (e.g., servers, desktops and laptops) upon which enterprises have focused their security and compliance efforts represent only 40 percent of the relevant endpoints. The remaining 60 percent of endpoints are mobile.
Meaning, when you are booking travel on your phone – business trip or family vacation – you are potentially putting yourself and your company at risk.
Mobile Travel Apps Have Real Security and Privacy Issues
We reviewed 30 of the world’s leading travel applications – based on Google Play downloads and iOS reviews – and found:
- 100% of iOS-based apps and 45% of Android-based apps failed to receive a passing privacy grade.
- 100% of iOS-based apps and 97% of Android-based apps failed to receive a passing security grade.
Privacy Risk Key Findings:
- 97% (29 apps) can take screenshots of the full UI, enabling an attacker to understand everything from installed apps to credentials.
- 73% (22 apps) implement pin-point location functionality that Apple only allows in navigation apps.
- 17% (5 apps) attempt to access contacts from Address Book, exposing these records to theft and abuse.
- 10% (3 apps) access phone call history. There is no reason for a travel app to need this information and it can expose it to an attacker.
- 7% (2 apps) use an insecure content provider; this allows other applications (e.g., a malicious app) on the device to potentially steal data from these travel apps.
Security Risk Key Findings:
- 100% (30 apps) have an authentication method that can be used to override SSL and TLS chain validation. This can allow attackers to intercept the communication of sensitive data between the app and the Internet.
- 7% (2 apps) implement an over-the air app installation method which circumvents Apple’s review process and can enable the installation of unvetted and potentially malicious functionality.
- 57% (17 apps) enables the injection of Java objects at runtime, which an attacker can leverage to inject malicious code as well.
- 53% (16 apps) have functionality that can allow attackers to more easily create imposter apps that users unknowingly download (e.g., the fake BBC app Zimperium detected).
- 20% (6 apps) enable the installation of unvetted and potentially malicious apps, code and files from remote locations.
The findings outlined here, and all of the report’s results are derived from Zimperium’s advanced mobile application scanning service, Zimperium z3A. z3A is a unique mobile security technology developed by and exclusively available to Zimperium customers.
Zimperium is providing the anonymous results of the mobile app risks to travel app providers, industry analysts and users. If you are a travel application developer/provider, Zimperium will assist you in identifying the privacy and security risks in your application.