As the world anticipates the end of the pandemic and the U.S. opens its borders to international visitors, millions of new travelers are booking flights, making hotel reservations or paying for rideshare services through a mobile app. In the first half of 2021, the number of travel app installations grew more than 35%, setting up what could be the busiest travel season since 2019.
Unfortunately, many of the mobile travel applications available on the Apple App Store and Google Play store put users at risk. Long after the holidays are over, many travelers may find their credit card information or account credentials have been leaked, or that bad guys are tracking them, because of insecure mobile apps. At worst, some may lose control of their mobile apps or devices to malicious actors. The recent breach of the ParkMobile app and the large-scale breach at British Airways should have all users on guard.
Analysis by mobile application security company NowSecure of 118 popular travel apps and 48 popular airline apps finds most of the apps we use to manage and enjoy travel fail some basic privacy and security standards. Critical flaws in some of the world’s most popular travel apps expose passwords in plaintext, leak account credentials and expose mobile users to data collection, phishing attacks and even cybercrime.
The NowSecure analysis includes mobile apps available on the Apple App Store and Google Play store as of Nov. 1, 2021. Because developers often release new code, sometimes daily or weekly, these values may change quickly; however, two weeks after the initial review, the assessments had not changed. The popular travel category includes mobile apps for hotels, car rentals, ground transportation and other bookings. Mobile airline applications are counted separately.
Similar to grades in school, NowSecure scored mobile apps on a scale of 0-100 and assigned a pass or fail letter grade of A (100-90), B (89-80), C (79-70), D (69-60) or F (59 or less). Mobile apps that scored an A or B are high-quality, low-risk apps: they are considered the most secure and have been verified in testing to protect credentials, encrypt personal information and online transactions, and properly use mobile device permissions. Mobile apps that scored a C (79-70) carry medium risk and should be used with caution and monitored for strange activity or for scores changing with updates. Apps in the C range may leak sensitive information or hold excessive, unnecessary permissions, such as a flashlight app that gains permission to access a contact address book, GPS data or a camera. Any application that scored a D or F (69 or less) represents a high risk and should not be used until its developers fix the security bugs. Failing apps have known software flaws that their developers should be aware of and address immediately, such as leaking an unencrypted user ID, password or other personal account information over the network, or being open to man-in-the-middle attacks or data harvesting.
How Did They Score?
Unfortunately, most travel apps we assessed failed to fully protect user security and privacy. A remarkable 65 apps (55%) scored a D or an F in security and privacy, meaning they contained at least two high-risk vulnerabilities that leak sensitive data or leave users vulnerable to network attacks. Of the 54 apps that outright failed, all contained a critical flaw that allows attackers to collect or modify data through insecure Internet connections. On the bright side, of the travel apps we assessed, 53 (45%) passed with a C or better. A total of 15 apps (13%) scored a B, and no app achieved an A. Apps graded C or better may still carry medium-risk vulnerabilities that can be addressed over time but that pose security risks in the meantime. Airline apps fared slightly better. Of the 48 apps in our review, 20 (42%) failed basic security and privacy tests. On the bright side, 28 (58%) passed with a C or better. Since many of these apps manage payments and travel points, there appear to be better efforts at securing data. Still, vulnerabilities exist in a substantial number of these applications.
How Secure Are Travel Apps?
Not nearly as secure as they should be. Every app in the analysis contains at least one security flaw that could potentially harm users. Almost 40% of travel apps and 35% of airline apps have flaws that allow an attacker to take control of the app or even the device itself. Mobile application risks reside deep in the code itself. Outdated or infected software components used by developers, misconfigured network connections, and improper permissions within the mobile app code make it easier for hackers to collect massive amounts of data or take over unsuspecting users' accounts. The rapid pace of mobile app development, combined with a lack of sufficient security and privacy testing, lets these security and privacy issues escape into the wild. Many of the mobile applications NowSecure reviewed failed to meet even the minimum industry standards for security and privacy established by the Open Web Application Security Project (OWASP) Mobile Security Project, the recognized world standard. One common flaw occurred in data storage on the device. All of the mobile travel apps we reviewed contain critical insecure storage issues, such as exposing passwords, GPS location, personal address information and biometrics in plaintext, while other sensitive data can be exposed through the keyboard's data cache, where some fun-looking third-party keyboards can harvest that information.
Virtually all of the travel and airline apps NowSecure analyzed contain poorly coded network connections. For example, a common flaw in many of the apps we analyzed exposes network traffic to interception and modification. A number of these high-risk apps on Android inadvertently create a dangerous man-in-the-middle backdoor, giving hackers an easier way to steal data from millions of mobile users or to use the app as a phishing vector.
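As an added example that is not part of the NowSecure analysis or of any app's code, the Python script below shows the kind of static check a reviewer can run for the two flaw classes described above: an Android network security configuration that permits cleartext traffic or trusts user-installed CAs (the common route to a man-in-the-middle position), a trust-all TrustManager or disabled hostname verifier in decompiled source, and a credential written to SharedPreferences in the clear. The sample configuration and Java fragment are constructed for the example, and the rule names, severities and regex patterns are assumptions of this example, not NowSecure's scoring rules.

```python
"""Static checks for insecure network configuration and plaintext credential
storage in an Android app. Illustrative only: rules and samples are assumptions."""
import re
import xml.etree.ElementTree as ET

# --- Constructed sample inputs (not taken from any real app) ---

# Weak network_security_config.xml: cleartext HTTP allowed, user-installed CAs trusted.
WEAK_NETWORK_CONFIG = """
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""

# Corrected form: TLS only, system CAs only (the Android default for API 24+).
HARDENED_NETWORK_CONFIG = """
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""

# Decompiled-style Java with a trust-all TrustManager, a no-op hostname verifier
# and a password stored in SharedPreferences without encryption.
SAMPLE_JAVA = """
public class NetUtil {
    static TrustManager[] trustAll = new TrustManager[]{ new X509TrustManager() {
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return null; }
    }};
    static HostnameVerifier hv = SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;
    void save(SharedPreferences prefs, String pw) {
        prefs.edit().putString("password", pw).apply();
    }
}
"""

# Source-level rules: (rule id, severity, pattern, explanation). Hypothetical rule set.
JAVA_RULES = [
    ("TRUST_ALL_CERTS", "high",
     re.compile(r"checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}"),
     "X509TrustManager.checkServerTrusted has an empty body: any server certificate is accepted"),
    ("NO_HOSTNAME_VERIFY", "high",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|NoopHostnameVerifier"),
     "hostname verification disabled: a valid certificate for any domain is accepted"),
    ("PLAINTEXT_CREDENTIAL", "high",
     re.compile(r'putString\s*\(\s*"(?:password|passwd|pwd|secret|token)[^"]*"', re.IGNORECASE),
     "credential written to SharedPreferences without encryption"),
]


def scan_java_source(src: str) -> list:
    """Run every regex rule over one source file; report the line of each hit."""
    findings = []
    for rule_id, severity, pattern, explanation in JAVA_RULES:
        for m in pattern.finditer(src):
            line_no = src.count("\n", 0, m.start()) + 1
            findings.append({"rule": rule_id, "severity": severity,
                             "line": line_no, "detail": explanation})
    return findings


def scan_network_config(xml_text: str) -> list:
    """Flag base-config/domain-config entries that weaken transport security."""
    findings = []
    for cfg in ET.fromstring(xml_text).iter():
        if cfg.tag not in ("base-config", "domain-config"):
            continue
        if cfg.get("cleartextTrafficPermitted", "").lower() == "true":
            findings.append({"rule": "CLEARTEXT_ALLOWED", "severity": "high", "line": None,
                             "detail": f"<{cfg.tag}> permits cleartext HTTP traffic"})
        anchors = cfg.find("trust-anchors")
        if anchors is not None:
            for cert in anchors.findall("certificates"):
                if cert.get("src") == "user":
                    findings.append({"rule": "USER_CA_TRUSTED", "severity": "medium", "line": None,
                                     "detail": f"<{cfg.tag}> trusts user-installed CAs, easing TLS interception"})
    return findings


def scan_app(network_config_xml: str, java_sources: dict) -> list:
    """Combine config and source findings for one app; sources map file name -> text."""
    findings = scan_network_config(network_config_xml)
    for name, src in java_sources.items():
        for f in scan_java_source(src):
            f["file"] = name
            findings.append(f)
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity."""
    return {sev: sum(1 for f in findings if f["severity"] == sev) for sev in ("high", "medium")}


if __name__ == "__main__":
    for f in scan_app(WEAK_NETWORK_CONFIG, {"NetUtil.java": SAMPLE_JAVA}):
        print(f"[{f['severity']}] {f['rule']} {f.get('file', 'network_security_config.xml')}"
              f"{':' + str(f['line']) if f['line'] else ''}: {f['detail']}")
    print("hardened config findings:", scan_network_config(HARDENED_NETWORK_CONFIG))
```

The weak configuration yields five findings (four high, one medium) and the hardened one yields none; the regex rules are deliberately narrow and will miss obfuscated or indirect variants, which is why a tool such as NowSecure's also runs the app and inspects its live traffic and on-device files rather than relying on source patterns alone.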