The results of a newly published study of some of the world’s most popular travel apps, on both Android and iOS platforms, make for grim reading if you like your privacy and security as much as you do an excellent money-saving travel deal. Researchers from mobile security solutions provider Zimperium tested 30 “best deal” travel applications, covering flights, hotels, car rental and the like, to better understand how they manage users’ privacy and security risk. The apps, chosen based on Google Play download counts and number of positive iOS reviews, failed miserably. How miserably exactly? The research reveals that 100% of the iOS apps failed to receive a passing privacy or security grade. The Android apps tested did better, with only 45% failing to pass the privacy tests, but 97% still failed on security.
Which travel apps are putting users at risk?
The names of the travel apps themselves have not been released; instead the app providers have been anonymized and assigned a pseudonym and number by the researchers. I asked J.T. Keating, vice-president of product strategy at Zimperium, why the travel apps tested had not been named, which would enable users to uninstall them. “Under the principle of responsible disclosure,” Keating says, “Zimperium would like to provide app providers with the ability to fix the security and privacy risks before disclosing them publicly.” Keating says that if the apps were identified along with the specific risks found, then it would “enable hackers to quickly attack or leverage the app to compromise devices or steal data.” What Keating did tell me, however, is that the 30 apps were chosen based upon the number of downloads and positive reviews and are of the “find the lowest price, best deals for flights, hotels, etc. variety.” Apps from individual airlines, hotels and car rental firms were not tested. The Android apps alone accounted for 478 million downloads; Google Play publishes download counts, whereas the Apple App Store does not.
How were the travel apps tested?
The apps were awarded scores calculated using Zimperium’s z3A advanced application analysis engine across three primary categories of analysis: the Open Web Application Security Project (OWASP) mobile top 10 application development best practices, and more granular privacy and security risk data. For privacy, this included the app’s access to private user data, unique device identifiers, SMS, communications and unsecured data storage. The security risk analysis included functionality and code usage, application capabilities and critical vulnerabilities. Each app was then rated on a scale of zero to 100; the higher the rating, the higher the risk. To pass the testing regime, an app needed to demonstrate that it had very few risks and did a better than average job of protecting user data. If an app showed significant risks and did a below-average job of protecting user data, it failed. Those apps that had risks needing attention but did an average job of protecting data were given an intermediate “average” rating.
What did the Zimperium privacy and security tests reveal?
When it came to privacy risk, 100% of the iOS apps tested failed to receive a passing grade, while only 45% of Android ones did likewise. Some 97% (29 apps) of the iOS travel apps tested were found to be able to take screenshots of the full user interface, which could enable an attacker to “understand everything from installed apps to user credentials,” the report said. Meanwhile, 73% (22 apps) implemented pin-point location functionality that Apple restricts to navigation apps, and 17% (five apps) attempted to access contacts from the address book, which could expose these to theft or abuse. As far as Android is concerned, 10% (three apps) accessed the phone call history, for no apparent legitimate reason, and another 7% (two apps) used an insecure content provider which the Zimperium report said, “allows other applications on the device to potentially steal data from these travel apps.”
As for the security side of the risk fence, 100% of the iOS apps also failed here, and the Android ones didn’t fare much better with a 97% failure rate. All 30 iOS travel apps used an authentication method that could enable attackers to intercept communication of sensitive data between the app and the internet. Another 7% (two apps) implemented an over-the-air installation method circumventing the Apple review process and so potentially enabling the installing of malicious functionality.
Analyzing the apps against the OWASP mobile top 10 best practice list, some general and troubling issues emerged for apps on both platforms. These included 92% of apps being vulnerable to reverse engineering, which could be exploited in the creation of imposter apps, 70% not correctly securing sensitive data communication and 57% not properly securing the storage of that sensitive data.
A security expert view
“An interesting outcome from the study is that iOS apps have more of a privacy issue than the Android apps,” says Sean Wright, a security researcher and the OWASP chapter leader in Scotland, “this goes against the image which Apple is trying to build with iOS, and they need to do a better job of vetting apps if they wish to continue to portray this image; especially since the App Store is a closed ecosystem.”
When it comes to the security issues, and the failure to conform to fundamental security best practices such as ensuring they do not contain any of the OWASP top 10 vulnerabilities, Wright says: “Quite frankly some of the vulnerabilities in these apps are alarming, such as the ability to install unvetted code and files remotely, potentially making the application become a Command & Control app.” That some were still using non-encrypted HTTP connections in 2019 was also a concern for Wright. “It is vital that travel apps do what they can do to protect their users’ information given some of the information which they may harvest from a user such as passport details or payment details,” he says.
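Two of the Android-side findings above, a content provider that other apps on the device can read (the “insecure content provider” in the privacy results) and plain HTTP connections (raised by Wright), both come down to manifest settings. The following AndroidManifest.xml is a constructed example added here, not anything from the Zimperium report or from the tested apps; the package name, provider classes, authorities and permission name are placeholders.

```xml
<!-- Constructed example manifest; com.example.traveldeals and all class/authority
     names are placeholders, not from any app in the study. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.traveldeals">

    <!-- A signature-level permission can only be held by apps signed with the
         same key as this one, so unrelated apps on the device cannot obtain it. -->
    <permission
        android:name="com.example.traveldeals.permission.ACCESS_BOOKINGS"
        android:protectionLevel="signature" />

    <!-- usesCleartextTraffic="false" (API 23+) makes the platform networking
         stack refuse http:// connections, so sensitive data cannot go out in
         the clear by accident. allowBackup="false" keeps local booking data
         out of device backups. -->
    <application
        android:label="Travel Deals"
        android:usesCleartextTraffic="false"
        android:allowBackup="false">

        <!-- WEAK: exported with no permission, so any other app on the device
             can query, insert or delete booking data through this provider.
        <provider
            android:name=".BookingsProvider"
            android:authorities="com.example.traveldeals.bookings"
            android:exported="true" />
        -->

        <!-- HARDENED, case 1: only this app needs the data, so do not export
             it at all. Be explicit; the default for providers has varied
             across API levels. -->
        <provider
            android:name=".BookingsProvider"
            android:authorities="com.example.traveldeals.bookings"
            android:exported="false" />

        <!-- HARDENED, case 2: a companion app signed with the same key must
             reach the data, so export it only behind the signature permission
             (android:permission covers both read and write access). -->
        <provider
            android:name=".SharedBookingsProvider"
            android:authorities="com.example.traveldeals.shared"
            android:exported="true"
            android:permission="com.example.traveldeals.permission.ACCESS_BOOKINGS" />
    </application>
</manifest>
```

A quick check during review is to list every `<provider>`, `<activity>`, `<service>` and `<receiver>` with `android:exported="true"` and confirm each one either needs to be reachable from other apps or carries a permission.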
Mitigating the travel app risk
As far as mitigation advice is concerned, this falls into two distinct camps: app developer and app user. “For the most part, mobile apps need to tell users when they are utilizing privacy impacting capabilities like location, camera and microphones,” Keating says, adding, “unfortunately, as we’ve seen, this doesn’t always happen.” He advises users to go to the app settings and review these capabilities to limit app permissions to only those deemed required. As for the app developers, Keating invites them to contact Zimperium to get detailed analysis as well as downloading the OWASP mobile top 10 to understand the recommendations provided. “Developers need to know what the risks are inside their app,” Keating concludes, “and what the best practices are for reducing or eliminating those risks. While they think they are building a good solution that customers want, they may also unintentionally introduce risk.”