The most-used mobile travel apps can be modified and manipulated to perform in ways that the developers had not intended, exposing millions of users to several security risks including data theft, according to research by Bluebox.
As market data from App Annie show, the top 10 travel & local apps in the Google Play Top App Charts are Waze, Yelp, Google Earth, GasBuddy, Expedia Hotels, GPS Navigation Be-On-Road, TripAdvisor, Foursquare and Scout GPS, while iOS users also favour Uber, Yelp, Lyft and Airbnb.
Only one out of the 10 Android apps and none of the iOS apps encrypted data at rest on the mobile device, while only two of the Android apps and one of the 10 iOS apps employed certificate pinning, a key method for securing app data in transit, researchers found.
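As an added illustration (not taken from the Bluebox study or from any of the apps named above), this is how an Android app declares the certificate pinning control the researchers looked for, using a Network Security Configuration file; the host name and pin digests are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from AndroidManifest.xml via
     android:networkSecurityConfig="@xml/network_security_config" (Android 7.0 / API 24 and later). -->
<network-security-config>
    <!-- Refuse plain HTTP everywhere: pinning buys nothing if traffic can fall back to cleartext. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <!-- Trust only the system CA store, so user-installed CAs (the kind added for
                 interception proxies) are not honoured by this app. -->
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Placeholder backend host; an app would list its real API domain(s) here. -->
    <domain-config>
        <domain includeSubdomains="true">api.example-travel-app.invalid</domain>
        <!-- Each pin is the base64 SHA-256 digest of the certificate's SubjectPublicKeyInfo.
             The values below are placeholders, not real pins. Ship at least one backup pin for a
             key kept offline, and set an expiration so a forgotten pin set falls back to normal
             CA validation instead of locking every user out after a key rotation. -->
        <pin-set expiration="2026-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

A real pin value for a certificate can be produced with `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`. Note that this configuration protects the platform HTTP stack; networking libraries that bring their own TLS implementation need their own pinning setup.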
None of the apps for Android or iOS had anti-tamper or anti-debugging controls, creating a significant risk of attackers manipulating the app or creating malicious versions of it (similar to the exploits used in Masque iOS attacks).
The white paper shows that four of the Android apps and six of the iOS apps contained code that could enable debug or admin functionality not intended for a normal user to access, but which grants special privileges to the end-user if enabled. All the travel apps for Android and iOS contained insufficient device integrity (jailbreak/root detection) protections. On average, only 30% of code for the apps was created in-house. The remaining 70% was made up of third-party components and libraries that may introduce vulnerabilities unknown to the developer, creating a huge potential attack surface.
Here are some tips that enterprise security teams can use to increase the security of their apps:
- Remove unnecessary code that could reveal key vulnerabilities and exploits
- Implement controls for anti-tampering and anti-debugging to prevent app manipulation
- Implement data encryption for all app data written to the user device
- Consider adding “self-defending” capabilities to mobile apps that will allow applications to detect and protect against threats on their own
- Make security part of the development process from the beginning
In general, very few mobile apps are built with code written exclusively in-house by the app vendor, the study shows. Developers rely on third-party libraries embedded in their apps to simplify tasks such as building advanced user interfaces, data storage and networking, and to speed up time to market. On average, in the apps examined, the split between in-house and third-party code was 30% / 70%.
Security specialists recommend that users always install apps from the official Android or iOS app stores and avoid downloads from websites, emails or third-party app stores. Keeping both the app and the OS up to date is also required. Finally, consumers and employees should be cautious about using free, unsecured wireless networks and should disable any certificate authorities they don’t trust.