The mobile apps distributed to customers by major airlines are typically riddled with security vulnerabilities, a review has found.
The bugs are all the more concerning since the apps in question typically handle sensitive information including passport and payment card details.
The audit by Montpellier-based mobile security firm Pradeo looked at the top 50 most used airline apps worldwide, primarily from North America, Western Europe and Eastern Asia.
The company said the data privacy issues exposed by the audit were “alarming”.
It found that nearly half, or 49 percent, of the applications make use of a device’s location details, image gallery and contacts list.
One-third send the personal details thus obtained over the network, with transmissions occurring in most cases over uncertified connections.
The apps use an average of 14 unsecured connections to servers, thus exposing data to the risk of theft, Pradeo found.
The study also found an average of 21 security vulnerabilities per application, which Pradeo said could be due to pressure to get apps to market quickly.
The figure was “a very high number when put in conjunction with the sensitivity of the information manipulated”, Pradeo said in an advisory.
The 10 vulnerabilities most commonly detected in the sample create the risk of denial-of-service attacks, data leakage and man-in-the-middle attacks, Pradeo said.
Nearly all the apps, some 98 percent, included a bug that gives permission for other apps to bypass some security restrictions, potentially giving them access to sensitive data, according to the firm.
It said other weaknesses could allow SQL injection attacks, denail of service or the interception of data.
British Airways and Cathay Pacific are amongst the airlines that have uncovered hacks affecting customers’ personal data in recent months.
Last September British Airways found a hack of its website and mobile app had exposed the data of thousands of customers during the peak August travel season.
In October, while investigating the first attack, the airline uncovered the theft of an additional 185,000 users’ payment details.
Supreme Court clears X to resume access in Brazil, after high profile clash between top…
US Department of Justice mulls asking judge to force Google to sell parts of its…
US Supreme Court declines to hear appeal from X, formerly Twitter, over nondisclosure order attached…
US federal judge orders Google to undertake wide range of measures allowing third-party app stores…
Ukrainian hackers disrupt online services of Russian state broadcaster VGTRK on Vladimir Putin's birthday, amidst…
US federal judge says FTC and 18 states may proceed with landmark Amazon antitrust case,…