The alarming security state of airline mobile apps

Posted by The Pradeo Lab on May 23, 2019

Do you usually install your airline mobile app when traveling? You may think twice before using it for your next vacation.

Our latest study based on the security testing of global top 50 airline mobile applications shed the light on some alarming data privacy concerns. The audit was performed this week by Pradeo Security, an engine designed to reveal mobile apps’ behaviors (data processing) and vulnerabilities. Among the 50 mobile applications tested, had been included the most used ones globally, mainly from North America, Western Europe and Eastern Asia.

 

airline_security_applications_pradeo

 

Personal and financial data sent over the network through non-certified connections

To provide users with the best services, airlines enable their applications with functionalities to scan passports and credit cards, check-in, make mobile payments, consult boarding passes, etc. This study shows that at least 49% of airline applications manipulate users’ location information, gallery, and contact list. Then, a third of them send the personal data in question over the network. Besides, what’s even more surprising is that most of the time, the transmission is performed through non-certified connections, thus highly facilitating data theft. The study reports that airline applications use an average of 14 unsecure connections to servers.

airline-apps-graph-en

 

Code vulnerabilities weakening the apps resistance to common attacks

Short go-to-market processes often lead to code negligence regarding security. In the audited sample, we found an average of 21 vulnerabilities per application, a very high number when put in conjunction with the sensitivity of the information manipulated (passport, credit card…). The 10 code vulnerabilities most detected among the sample are known for greatly exposing applications to denial of service, data leakage and man-in-the-middle attacks.

 

Top 10 vulnerabilities (detailed below):

  1. Broadcast activity 98%
  2. DSQLite 94%
  3. Broadcast receiver 92%
  4. SQLC_password 90%
  5. Implicit intent 88%
  6. Broadcast service 86%
  7. d_JSenabled 78%
  8. d_external storage 66%
  9. d_webviewdebug 47%
  10. HandleSslError 16%

 


 

BROADCAST-ACTIVITY

The vulnerability gives permission to other applications to bypass some security access, to give direct access to potentially sensitive data.

D_SQLITE

App uses SQLite Database and execute raw SQL query. Untrusted user input in raw SQL queries can cause SQL Injection. Also sensitive information should be encrypted and written to the database.

BROADCAST-RECEIVER

The vulnerability gives permission to other applications to send malicious intent to the application. Acting on receipt of intent without validating the caller's identity may lead to sensitive data being revealed or to denial of service.

SQLC_PASSWORD

This App uses SQL Cipher. But the secret may be hardcoded.

IMPLICIT-INTENT

A malicious activity or service can intercept an implicit intent and be started instead of the intended activity or service. This could result in the interception of data or in a denial of service.

BROADCAST-SERVICE

The vulnerability gives permission to other applications the power to start or bind the application's service. Using the flaw can lead to sensitive information leakage towards malicious apps or result in denial of service.

D_JSENABLED

Insecure WebView Implementation. Execution of user controlled code in WebView is a critical Security Hole.

D_EXTSTORAGE

App can read/write to External Storage. Any App can read data written to External Storage.

D_WEBVIEWDEBUG

Remote WebView debugging is enabled.

HANDLESSLERROR

The implementation ignores all SSL certificate validation errors, making the app vulnerable to man-in-the-middle attacks.
 

 

You might also be interested in:

 

Topics: Security Alert, Mobile Application Security