Popular travel apps have inadequate security
Travel apps have evolved to make life easier for users, with regular updates and enhancements to features and usability. But new research highlights inadequate security in the 10 most popular mobile apps for travel on both Android and iOS devices.
The study by self-defending app specialist Bluebox looked at more than a dozen security parameters in the 10 most popular travel apps on the App Annie iOS Top App Charts and Google Play Top App Charts and revealed that critical flaws were present in all of the apps examined.
Flaws found include a lack of data security with only one in ten Android apps and none of the ten iOS apps examined encrypting the data stored, leaving sensitive information easily obtainable by attackers. Additionally, only two of the ten Android apps and one of the ten iOS apps used certificate pinning -- a technology for securing app data in transit and preventing 'man in the middle' attacks.
The study also uncovered the potential for app manipulation. Four out of ten Android apps and six out of ten iOS apps contained code that could enable admin functionality not intended for a normal user to access, and which would grant special privileges for the end-user if enabled. None of the apps incorporated anti-tampering measures either, so attackers could activate restricted functionality and take full control of apps to alter them for their own gain or to launch attacks on other apps.
On average, the app vendor is responsible for creating only 30 percent of the code, while the remaining 70 percent was made up of third-party components. As OpenSSL bugs like Heartbleed have demonstrated, third party libraries present a huge potential attack surface and expose security blind spots for developers.
"All of the apps we reviewed could be modified and changed to act in ways other than what the developers intended, putting sensitive information at risk regardless of device," says Andrew Blaich, lead security analyst at Bluebox Security. "Data must be protected at the application level and security should be integrated into the development process. Without it, users -- enterprise employees and consumers alike -- could suffer damaging loss of important and personal information".
More information on the results is available on the Bluebox website.