Mobile travel apps are among the most popular apps to download for smartphone users – especially those apps that enable them to snag the lowest prices on travel or secure the best possible deals. However, the ease and convenience of using these travel apps to line up great deals and save money comes with a very big price for privacy and security. According to a study conducted by mobile security solutions provider Zimperium, 100% of iOS-based apps and 45% of Android-based apps failed to receive a passing grade for privacy. Moreover, 100% of iOS-based apps and 97% of Android-based apps failed to receive a passing grade for security. In short, just about any travel app you download from the Google Play or Apple Store is not going to meet basic security and privacy standards.
While Zimperium did not disclose the actual names of the travel apps that they reviewed, the company did say that it only selected the “Top 30” apps as ranked by user downloads (in the case of Android-based apps) and by user reviews (in the case of iOS-based apps). Thus, even though all data from the report was anonymized, and all apps simply assigned a pseudonym and number, it’s not too hard to guess which “Top 30” travel apps Zimperium reviewed in terms of meeting security and privacy standards.
Privacy weaknesses in travel apps
First and foremost, the security researchers analyzed the travel apps to see how they performed against industry benchmarks for privacy. Somewhat surprisingly, every single iOS travel app failed the privacy test – despite all the marketing and promotion dollars that Apple has spent on portraying the company as a privacy-first company and the Apple iPhone as the best smartphone on the market for anyone concerned about privacy. There is functionality that Apple should make mandatory if it wants to be known as a privacy-first company that actually cares about the communication of sensitive data or the installation of unvetted code.
As an example of not protecting user privacy, 97% of all iOS-based apps (29 of the 30 travel apps) were able to take screenshots of the full UI of the app, giving app developers and unknown third parties insights into which other apps might be installed on the phone, as well as the user’s preferred way to use an app. Moreover, 73% (22 apps) implement pinpoint location functionality – something that Apple has said should only be available for smart navigation apps. Why would travel apps selling hotel and airfare packages need to know your pinpoint location?
And things were not much better in the case of Android travel apps, the researchers found. For example, 10% of the apps access the call history of a user – and sometimes even contact lists. And 7% of the travel apps used insecure content providers, thereby increasing the likelihood of content providers snooping on your phone activity. It’s easy to see why so many travel apps failed to receive a passing grade.
Security weaknesses in travel apps
If the findings on privacy were poor at best, then the findings on security were even more dismal. All of the iOS travel apps failed the security test, and 97% (29 of 30) of Android travel apps failed as well. In the case of the iOS-based apps, for example, 100% of the apps used an authentication method that could be used by outside attackers to intercept communications sent between the phone and other users. In the case of the Android travel apps, 57% (17 of 30 overall) enabled the injection of Java objects at run time – something that could be used to inject malicious code into the smartphone. And a similar percentage (53%) of Android apps enabled the creation of so-called “imposter apps.” Zimperium, in its study, specifically mentioned the creation of a fake BBC app as an example of such an app.
John Aisien, CEO of Blue Cedar, comments on ways to improve security and privacy standards on mobile: “Enabling the widespread adoption of app-level security controls on mobile is the way that organizations can ensure protection of corporate data wherever it is used. Implementing app-level security in enterprise mobile apps allows companies to prevent security or privacy issues originating in consumer apps from impacting the business.”
“To enable mobile platforms to become a first-class citizen, organizations will need to take a layered approach to app-level security but there just aren’t enough IT development resources available to address this need in mobile,” says Aisien. “Automating the integration of different mobile app security techniques into apps will ensure the robust protection of an enterprise’s data on mobile devices, regardless of the security state of other apps on the mobile device or whether the device is managed by the enterprise.”
The need to pay more attention to security and privacy standards
If there’s one big takeaway from the Zimperium report on how well travel applications play nice with security and privacy standards, it’s that app developers and, indeed, entire app ecosystems have made very little progress with security and privacy issues. In the case of Apple, for example, why have so many travel apps been allowed into the Apple Store when they have so many fundamental problems with privacy and security? App developers need to be doing more to ensure that their apps comply with basic security and privacy standards, and are not enabling an attacker to exploit security vulnerabilities.
For users, the fact that popular travel apps performed so poorly in terms of security and privacy standards should be a real wakeup call to pay more attention to which apps they download, and how they use them. At a minimum, they should be toggling on or off certain settings for the app. For example, if a travel app is asking for access to your camera, microphone or phone call history, that is the type of mobile app functionality that needs to be switched off.
Perhaps most disturbing of all is that these problems with security and privacy standards are found in the most popular travel apps. While Zimperium did not disclose the exact apps being tested, it’s easy to assume that such apps might include Priceline, Kayak or Expedia. All of these apps failed to meet security and privacy standards, and all of them have notable app risks.
Privacy and security risks for the online travel sector
These mobile app risks should raise a lot of concern about the online travel sector as a whole. After all, a number of the biggest names in the travel sector – including Starwood Hotels, British Airways and Air Canada – have all been caught up in privacy and security scandals over the past 24 months. British Airways, for example, is facing a €183 million GDPR fine for privacy breaches related to its online e-ticketing system. And Air Canada suffered a major breach of its reservation system, enabling attackers to access user passport information.
Security and privacy risks abound in the world of mobile travel apps. So the next time you’re thinking about getting a great deal or bargain on a travel package using a mobile app, just make sure that you’re taking every precaution possible to protect your personal data and privacy.