Study Finds Airline Apps Riddled With Security Bugs

The mobile apps distributed to customers by major airlines are typically riddled with security vulnerabilities, a review has found.

The bugs are all the more concerning since the apps in question typically handle sensitive information including passport and payment card details.

The audit by Montpellier-based mobile security firm Pradeo looked at the top 50 most used airline apps worldwide, primarily from North America, Western Europe and Eastern Asia.

The company said the data privacy issues exposed by the audit were “alarming”.

Sensitive data

It found that nearly half, or 49 percent, of the applications make use of a device’s location details, image gallery and contacts list.

One-third send the personal details thus obtained over the network, with transmissions occurring in most cases over uncertified connections.

The apps use an average of 14 unsecured connections to servers, thus exposing data to the risk of theft, Pradeo found.

The study also found an average of 21 security vulnerabilities per application, which Pradeo said could be due to pressure to get apps to market quickly.

The figure was “a very high number when put in conjunction with the sensitivity of the information manipulated”, Pradeo said in an advisory.

The 10 vulnerabilities most commonly detected in the sample create the risk of denial-of-service attacks, data leakage and man-in-the-middle attacks, Pradeo said.

Hacking risk

Nearly all the apps, some 98 percent, included a bug that gives permission for other apps to bypass some security restrictions, potentially giving them access to sensitive data, according to the firm.

It said other weaknesses could allow SQL injection attacks, denail of service or the interception of data.

British Airways and Cathay Pacific are amongst the airlines that have uncovered hacks affecting customers’ personal data in recent months.

Last September British Airways found a hack of its website and mobile app had exposed the data of thousands of customers during the peak August travel season.

In October, while investigating the first attack, the airline uncovered the theft of an additional 185,000 users’ payment details.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Google Confronts Break-Up Threat From US DoJ

US Department of Justice mulls asking judge to force Google to sell parts of its…

2 hours ago

US Supreme Court Rejects X’s Trump Appeal

US Supreme Court declines to hear appeal from X, formerly Twitter, over nondisclosure order attached…

1 day ago

US Judge Orders Google To Allow Android App Store Competition

US federal judge orders Google to undertake wide range of measures allowing third-party app stores…

1 day ago

Ukraine Hackers Disrupt Russian Broadcaster On Putin’s Birthday

Ukrainian hackers disrupt online services of Russian state broadcaster VGTRK on Vladimir Putin's birthday, amidst…

1 day ago

Amazon Antitrust Case Gets Go-Ahead In US Court

US federal judge says FTC and 18 states may proceed with landmark Amazon antitrust case,…

1 day ago