The top 10 most popular travel apps for Android and iOS devices contain critical flaws, according to the 2015 Travel App Security Study by mobile app firm Bluebox Security. The security issues could allow sensitive user data to be compromised.
Travel apps for hotel and airline booking, ridesharing and roomsharing will be used more than ever during the upcoming holiday season, but Bluebox Security warned that the “busy travel season may also set a record season for security vulnerabilities in mobile apps.”
The top 10 travel apps were based on App Annie’s “iOS Top App Charts” and “Google Play Top App Charts.” Bluebox found that all of the apps displayed critical security issues, but key findings from the security analysis included:
- 9 of 10 Android apps and all of the iOS apps fail to encrypt data at-rest. That means “sensitive data being written from the app to the device is easily visible to attackers.”
- 8 of 10 Android apps and 9 of 10 iOS travel apps do not employ certificate pinning. That means the “data in transit from the device to app servers is not sufficiently secured against ‘man in the middle’ attacks.”
- Every app lacked anti-tamper and anti-debugging controls. In other words, “There are limited protections against manipulation of the app or creation of a malicious version of the app, similar to the recent Masque iOS attacks.”
- An average of 70% of the code in all the apps was taken from third-party libraries, which introduces large attack surfaces and many potential security blind spots.
Security analysis on travel apps
In the analysis of security features, Bluebox looked at nine categories: third-party libraries, admin/debug code, server URLs, API keys, App Integrity/Device Integrity (AIDI), anti-tamper/anti-debug capabilities, obfuscation, encryption and certificate pinning.
Below are portions of Bluebox's findings.
Third party libraries: Developers often use third party libraries in their apps rather than writing the app “exclusively in-house.” In fact, Bluebox found that proprietary code made up only 30% of all code in the apps; the other 70% came from third party developers, which significantly increases the attack surface if a library's repository is compromised or an exploitable bug is discovered in it. Third party libraries may be popular and make development easier, but that code should not automatically be trusted as secure. “As OpenSSL bugs like Heartbleed demonstrated, third party libraries present a huge potential attack surface and security blind spots for developers.”
Admin/Debug code: Half of the apps analyzed by Bluebox contained admin/debug code that should be reserved for privileged users. The code could be “easily enabled” in four of 10 Android apps and six of 10 iOS apps via a man-in-the-middle attack, or by “modifying the application code to turn on these buried features.” If an attacker exploited this vulnerability, it could “potentially allow an unauthenticated user access to all types of data. In the case of a travel app, this data could include credit card information, travel history, upcoming travel plans, etc. posing significant risks to the user.”
Server URLs: Bluebox discovered that URLs of test servers used by the apps' developers, employees or testers were embedded in five of 10 Android apps and six of 10 iOS apps. Those non-production servers were never meant to be reachable by end users; an attacker who finds the addresses could access them, and that exposure to a malicious end user is a security risk.
API keys: Nine out of 10 Android and nine of 10 iOS apps failed to hide API keys. If an attacker took the key and accessed a third party service under the guise of a developer, he or she could potentially gain access to sensitive information.
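The two findings above (embedded test-server URLs and unhidden API keys) are both things a release pipeline can catch before the app ships. The following Go program is an added example, not code from the article or from Bluebox: it scans string literals extracted from an app package and flags non-production host names, plaintext-HTTP endpoints and key-shaped, high-entropy tokens. The host-name markers, the entropy threshold and the sample string table are all constructed assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"math"
	"net/url"
	"regexp"
	"strings"
)

// Finding is one string that should not ship in a production build.
type Finding struct {
	Kind  string // "test-server-url", "plaintext-http" or "api-key"
	Value string
}

// Host-name fragments that mark a non-production server. This list is an
// assumption for the example; tune it to the team's own naming scheme.
var nonProdMarkers = []string{"test", "staging", "stage", "dev", "qa", "sandbox", "internal"}

// keyShape matches a token built only from base64/hex-style characters and
// long enough to be a credential rather than an identifier.
var keyShape = regexp.MustCompile(`^[A-Za-z0-9_\-+/=]{24,}$`)

// shannonEntropy returns bits per character. Randomly generated API keys sit
// well above ordinary identifiers, which are mostly lowercase letters.
func shannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n := float64(len([]rune(s)))
	var h float64
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// AuditStrings scans string literals pulled from an app package (strings.xml,
// an Info.plist, or `strings` run over the binary) and reports embedded
// non-production URLs, plaintext-HTTP endpoints and key-shaped secrets.
func AuditStrings(literals []string) []Finding {
	var findings []Finding
	for _, s := range literals {
		s = strings.TrimSpace(s)
		u, err := url.Parse(s)
		if err == nil && u.Host != "" && (u.Scheme == "http" || u.Scheme == "https") {
			if u.Scheme == "http" {
				findings = append(findings, Finding{"plaintext-http", s})
			}
			host := strings.ToLower(u.Hostname())
			for _, m := range nonProdMarkers {
				if strings.Contains(host, m) {
					findings = append(findings, Finding{"test-server-url", s})
					break
				}
			}
			continue
		}
		// 3.5 bits/char is an assumed threshold: "MainActivity"-style names
		// score around 3 or below, random 32-byte keys around 4.5 and up.
		if keyShape.MatchString(s) && shannonEntropy(s) > 3.5 {
			findings = append(findings, Finding{"api-key", s})
		}
	}
	return findings
}

// SampleLiterals is a constructed string table standing in for one extracted
// from a real app; the hosts and the key are made up.
func SampleLiterals() []string {
	return []string{
		"https://api.example-travel.com/v2",
		"https://staging-api.example-travel.com/v2",
		"http://10.0.2.2:8080/debug",
		"sk_live_EXAMPLE0123456789abcdefghijkl",
		"Welcome back!",
		"MainActivity",
	}
}

func main() {
	for _, f := range AuditStrings(SampleLiterals()) {
		fmt.Printf("%-16s %s\n", f.Kind, f.Value)
	}
}
```

Run against the constructed table, the staging URL, the emulator-loopback debug endpoint and the key are reported, while the production URL and ordinary identifiers pass. A check like this does not replace moving keys behind a server-side proxy, but it stops the most common mistake, a developer's test configuration surviving into the release build, from reaching users.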
AIDI: AIDI, which stands for “App Integrity, Device Integrity,” checks if an app or device is “in a state that could compromise the app or the data of the app.” Nine out of 10 Android and iOS apps contained some form of AIDI; “it was commonly a basic, easily bypassed jailbreak/root detect check.” Such third party library checks were “primarily used for payment services and were not involved with preventing access to the app.”
Anti-Tamper/Anti-Debug Capabilities: Not even one of the apps analyzed had anti-tampering protection. An attacker could reverse-engineer the app and insert malicious code before redistributing it via targeted attacks. In this case as well as with the admin/debug code, “attackers could activate restricted functionality and take full control of apps to alter them for their own gain or launch attacks on other apps.”
Obfuscation: Obfuscation is meant to force an attacker to work much harder to understand how the app’s code works. But none of the iOS apps and only two of 10 Android apps contained even minimal code obfuscation.
Encryption: Only one Android app and zero iOS apps used any form of encryption on the data they save to the mobile device; such data included usernames, passwords, snail-mail addresses, e-mail addresses, and credit card numbers. Bluebox wrote, “The impact is straightforward and potentially catastrophic – an attacker can easily steal sensitive user information once they have obtained access to data written to the device from the app.”
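To make the at-rest finding concrete, here is an added Go example (not code from the article or from Bluebox) that contrasts a profile record written to storage as-is with the same record sealed under AES-256-GCM before it is written. The record fields, the key generation and the storage format (nonce followed by ciphertext and tag) are assumptions for the demonstration; in a shipping app the key would come from the platform keystore rather than from a function like the stand-in below.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Profile is the kind of record the study found written to the device in the
// clear. Field names are constructed for the example.
type Profile struct {
	Username   string `json:"username"`
	Email      string `json:"email"`
	CardNumber string `json:"card_number"`
}

// NewStorageKey returns a random 32-byte AES-256 key. It stands in for a key
// generated and held by the Android Keystore or iOS Keychain; the point of
// the example is the sealing, not key management.
func NewStorageKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// PlaintextRecord is what most of the audited apps did: serialize and write.
func PlaintextRecord(p Profile) ([]byte, error) {
	return json.Marshal(p)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealProfile encrypts and authenticates p. The returned blob is
// nonce || ciphertext || tag, so it can be stored and later opened on its own.
func SealProfile(key []byte, p Profile) ([]byte, error) {
	plain, err := json.Marshal(p)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// A fresh random nonce per record; reuse under the same key breaks GCM.
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// OpenProfile reverses SealProfile. A wrong key or any modification of the
// stored bytes fails the GCM tag check and is rejected before parsing.
func OpenProfile(key, blob []byte) (Profile, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Profile{}, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return Profile{}, errors.New("stored blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return Profile{}, fmt.Errorf("stored data rejected (wrong key or tampered): %w", err)
	}
	var p Profile
	if err := json.Unmarshal(plain, &p); err != nil {
		return Profile{}, err
	}
	return p, nil
}

// Leaks reports whether a stored blob still contains secret in the clear,
// which is the check an app-level test should run over anything it persists.
func Leaks(blob []byte, secret string) bool {
	return bytes.Contains(blob, []byte(secret))
}

func main() {
	key, _ := NewStorageKey()
	p := Profile{Username: "jdoe", Email: "jdoe@example.com", CardNumber: "4111111111111111"}
	raw, _ := PlaintextRecord(p)
	sealed, _ := SealProfile(key, p)
	fmt.Println("plaintext record leaks card number:", Leaks(raw, p.CardNumber))
	fmt.Println("sealed record leaks card number:   ", Leaks(sealed, p.CardNumber))
}
```

The authenticated mode matters as much as the confidentiality: because GCM rejects any altered byte, an attacker with write access to the app's storage cannot quietly swap in a modified record either.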
Certificate Pinning: The point of certificate pinning is to make sure the app is talking to the right server; “this helps prevent man-in-the-middle attacks, which can leak data in transit.” Although certificate pinning is considered a “best practice,” only two of 10 Android apps and one of 10 iOS apps even bothered to enable it. The apps that did use it “only used it on a portion of their network connections, leaving data from the remaining network connections unprotected.”
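The following Go program is an added example of what pinning adds on top of ordinary certificate validation; it is not code from the article, from Bluebox or from any of the audited apps. It pins the SHA-256 digest of the server's SubjectPublicKeyInfo (the pin format Android's network security configuration and HPKP use), runs a local TLS server with the self-signed certificate that `net/http/httptest` ships, and shows a correctly pinned client succeeding while a client pinned to a different key is refused even though the chain itself validates. The handler's response body and the mismatched pin are constructed for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// SPKIPin returns the base64 SHA-256 digest of a certificate's
// SubjectPublicKeyInfo. Pinning the public key rather than the whole
// certificate lets the server renew its certificate under the same key
// without an app update.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinnedClient builds an HTTP client that performs ordinary chain validation
// against roots and then additionally requires that some certificate in a
// verified chain carries a pinned public key. Pinning is a second gate, not a
// replacement for validation.
func PinnedClient(pins map[string]bool, roots *x509.CertPool) *http.Client {
	cfg := &tls.Config{
		RootCAs: roots,
		// VerifyPeerCertificate runs after standard verification succeeded, so
		// verifiedChains only ever holds chains that already validated.
		VerifyPeerCertificate: func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
			for _, chain := range verifiedChains {
				for _, cert := range chain {
					if pins[SPKIPin(cert)] {
						return nil
					}
				}
			}
			return errors.New("certificate pin mismatch: refusing connection")
		},
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// Demo starts a local TLS server, derives its pin, and contrasts a correctly
// pinned client with one pinned to a different key. It returns whether the
// pinned request succeeded and whether the mismatched pin was rejected.
func Demo() (pinnedOK, mismatchRejected bool, err error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, `{"bookings":[]}`) // constructed response body
	}))
	defer srv.Close()

	leaf := srv.Certificate()
	roots := x509.NewCertPool()
	roots.AddCert(leaf)

	good := PinnedClient(map[string]bool{SPKIPin(leaf): true}, roots)
	resp, err := good.Get(srv.URL)
	if err != nil {
		return false, false, err
	}
	resp.Body.Close()
	pinnedOK = resp.StatusCode == http.StatusOK

	// Pin of an unrelated key (constructed): chain validation still passes,
	// but the pin check fails. This is what protects the app when an
	// interposed certificate is otherwise trusted by the device.
	other := sha256.Sum256([]byte("constructed: a key that is not the server's"))
	bad := PinnedClient(map[string]bool{base64.StdEncoding.EncodeToString(other[:]): true}, roots)
	if _, err := bad.Get(srv.URL); err != nil {
		mismatchRejected = true
	}
	return pinnedOK, mismatchRejected, nil
}

func main() {
	ok, rejected, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("pinned client succeeded: %v; mismatched pin rejected: %v\n", ok, rejected)
}
```

Two points follow from the study's finding that the few apps with pinning only applied it to some connections: the pin check lives in the client's TLS configuration, so every request made through that client is covered, and an app with several HTTP clients (or third-party libraries opening their own connections) needs the same pins on each of them. Shipping a backup pin for the next key is what keeps a planned key rotation from locking users out.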
“All of the apps we reviewed could be modified and changed to act in ways other than what the developers intended, putting sensitive information at risk regardless of device,” said Bluebox lead security analyst Andrew Blaich. “Data must be protected at the application level and security should be integrated into the development process. Without it, users—enterprise employees and consumers alike—could suffer damaging loss of important and personal information.”