The report calls out numerous vulnerabilities that exposed data not only on networks, but also on users' actual devices. Here are the key takeaways:
- The study uncovered an average of 21 vulnerabilities per app.
- These vulnerabilities exposed sensitive user information to data leakage, man-in-the-middle and denial of service attacks.
- Airline apps accessed and manipulated sensitive data on phones: 90% accessed location information, 54% accessed contact lists, and just under 50% accessed picture, audio and video content.
- These apps accessed and transmitted sensitive data over insecure connections. On average, each of these apps had 14 untested/insecure connections to servers.
"Our Lab often discovers mobile applications that do not store critical data securely, or even worse, transmit them through unsecured connections," says Vivien Raoul, CTO at Pradeo.
"In the case of these airline apps, if you share a photo of your passport, it can potentially be intercepted, especially if the user is connected to an open network such as the free WiFi of an airport."
These security risks are not unique to airline travel apps. Restaurant search, dining reservation and food delivery apps that travelers turn to after they land are equally (if not more) risky.
Like the airline apps, these convenience apps run on the traveler's phone and access sensitive data there: financial data to complete transactions, email addresses to set up accounts, and location information to make restaurant suggestions and deliveries. And apps on those phones are also being exploited directly to target travelers.
For example, travel advisories for WhatsApp users were posted in mid-May 2019 after a vulnerability in WhatsApp's voice-call (VoIP) stack, CVE-2019-3568, was exploited in the wild. The flaw was a buffer overflow in the code that handles incoming calls: attackers placed WhatsApp voice calls to targeted phone numbers and used the overflow to install spyware on the target phones, without the users even answering the calls.
Note, too, that restaurants also widely use WhatsApp for mobile dining and reservation apps to reach customers on their phones.
"The example of airline apps is particularly striking because of the high sensitivity of the data they handle. But when looking at other industries like banking and IoT for example, we usually draw the same conclusion. Mobile application security is often left aside, despite data privacy regulations urging companies to secure mobile apps."
Users should exercise caution and limit the number of reservation and travel apps on their phones, delete any apps they no longer use and install vendor-issued updates to those apps they do keep on their phones.
"As a user of these travel applications, be careful when using mobile apps. Don't assume that your personal information will always be protected," says Jim Bird, SANS application security instructor and author of our latest SANS Secure DevOps Survey.
Bird also encourages application developers to take care of fundamentals.
"Don't hold, use, store or share sensitive information in applications unless you absolutely have to. If you have to, then always use encryption and make sure you use it properly," he advises. "Then review and test your code carefully to catch mistakes - because even small mistakes matter."
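The "untested/insecure connections" finding above and Bird's advice to review and test code both come down to checks a developer or analyst can automate. The script below is an added example written for this article; it is not code from Pradeo, SANS or any airline app. It parses an Android Network Security Config (a constructed sample, with a hardened variant derived from it) together with a constructed list of the server endpoints an app talks to, and flags the conditions that make interception on an open airport WiFi possible: plaintext URLs, cleartext traffic allowed by the config, trust in user-installed CAs (the setup an interception proxy relies on), and HTTPS hosts with no certificate pinning. The hostnames, pin value and the assumption that the app targets API 28 or later are all hypothetical.

```python
"""Static audit of an Android app's network configuration and endpoints.

Added example for this article; not code from Pradeo, SANS or any airline
app.  The config XML and endpoint list are constructed samples.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: a weak res/xml/network_security_config.xml.
WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">api.example-air.test</domain>
    <pin-set expiration="2026-12-31">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
    </pin-set>
  </domain-config>
  <domain-config>
    <domain includeSubdomains="false">cdn.example-air.test</domain>
  </domain-config>
</network-security-config>
"""

# Constructed sample: the same file hardened (no cleartext, system CAs only).
HARDENED_CONFIG = WEAK_CONFIG.replace(
    '<base-config cleartextTrafficPermitted="true">',
    '<base-config cleartextTrafficPermitted="false">',
).replace('      <certificates src="user"/>\n', "")

# Constructed sample: endpoints pulled from the app's code or a traffic capture.
ENDPOINTS = [
    "https://api.example-air.test/v1/boarding-pass",
    "http://cdn.example-air.test/assets/logo.png",
    "http://analytics.thirdparty.test/collect",
    "https://checkin.partner.test/upload-passport",
]


def _flag(value, default):
    """Parse an XML boolean attribute; a missing attribute yields default."""
    return default if value is None else value.lower() == "true"


def parse_config(xml_text):
    """Return (base_cleartext, user_ca_trusted, rules).

    rules: list of (domain, include_subdomains, cleartext_or_None, pinned).
    A missing cleartextTrafficPermitted is treated as False, the platform
    default since Android 9 (assumption: the app targets API 28+).
    """
    root = ET.fromstring(xml_text)
    base = root.find("base-config")
    base_cleartext = False if base is None else _flag(base.get("cleartextTrafficPermitted"), False)
    # User-installed CAs in base-config or domain-config (debug-overrides are ignored:
    # they only apply to debuggable builds).
    user_ca = any(
        c.get("src") == "user"
        for section in root.findall("base-config") + root.findall("domain-config")
        for c in section.iter("certificates")
    )
    rules = []
    for dc in root.iter("domain-config"):
        raw = dc.get("cleartextTrafficPermitted")
        cleartext = None if raw is None else raw.lower() == "true"  # None = inherit base
        pinned = dc.find("pin-set") is not None
        for d in dc.findall("domain"):
            rules.append((d.text.strip(), _flag(d.get("includeSubdomains"), False), cleartext, pinned))
    return base_cleartext, user_ca, rules


def _rule_for(host, rules):
    """First domain-config rule matching host, as (cleartext_or_None, pinned)."""
    for domain, include_sub, cleartext, pinned in rules:
        if host == domain or (include_sub and host.endswith("." + domain)):
            return cleartext, pinned
    return None, False


def audit(xml_text, urls):
    """Return a list of (subject, code) findings; an empty list means clean."""
    base_cleartext, user_ca, rules = parse_config(xml_text)
    findings = []
    if base_cleartext:
        findings.append(("base-config", "CLEARTEXT_ALLOWED"))  # http to any unlisted host succeeds
    if user_ca:
        findings.append(("trust-anchors", "USER_CA_TRUSTED"))  # attacker-installed CA can MITM TLS
    for url in urls:
        parts = urlparse(url)
        rule_cleartext, pinned = _rule_for(parts.hostname or "", rules)
        cleartext = base_cleartext if rule_cleartext is None else rule_cleartext
        if parts.scheme == "http":
            # Plaintext: readable and modifiable by anyone on the same WiFi.  When the
            # config forbids it the request fails at runtime, which is what testing should catch.
            findings.append((url, "PLAINTEXT" if cleartext else "PLAINTEXT_BLOCKED"))
        elif parts.scheme == "https" and not pinned:
            # TLS, but any CA the device trusts can issue a certificate for this host.
            findings.append((url, "NO_PINNING"))
        elif parts.scheme not in ("http", "https"):
            findings.append((url, "UNKNOWN_SCHEME"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"--- {label} config ---")
        for subject, code in audit(cfg, ENDPOINTS):
            print(f"{code:18} {subject}")
```

Run against the weak config, the audit reports the cleartext base policy, the user-CA trust, two plaintext endpoints and one unpinned HTTPS host. The hardened config does not make the two http:// URLs safe; it turns them into PLAINTEXT_BLOCKED findings, meaning those requests would fail on the device, which is exactly the kind of "small mistake" a test run should surface before the app ships.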
Here are some helpful links, both for businesses that need to manage mobile application risk among their users and for developers building the apps:
For security analysts and application security managers: SANS GIAC Mobile Device Security Analyst (GMOB) Certification Training
For developers: OWASP Mobile App Standards and Guides