Hackers Ride Along On Travel Apps, Says Bluebox Security

Travel apps make it so easy to book holiday flights and hotels with our mobile devices in a few spare moments on the couch or in a cafe. But San Francisco-based Bluebox Security says these apps are also making it much too easy for hackers to steal our credit card numbers, passwords, travel plans, and home addresses.

Bluebox says it found widespread security gaps in a recent study of 20 of the most-used travel apps—ten Android apps and ten iOS apps. (It doesn’t identify them by name.)

In all but one of the apps, the cybersecurity company found a common lack of effective encryption of the personal data stored in mobile devices by the apps. Other security gaps made the code inside the apps vulnerable to tampering that could allow hackers to tunnel further into other information stored on the device—or even into the networks of a user’s employer.

Be aware that Bluebox, founded in 2012, has an interest in publicizing any defects and dangers among apps that may lack enough hacker defenses. The company specializes in helping mobile app developers, as well as businesses that develop their own internal apps for employees, to build security safeguards into their programs. Bluebox has raised a total of $27.5 million from investors including Andreessen Horowitz, Tenaya Capital, SV Angel, and other individuals.

As part of its business mission, Bluebox decided to study a single category of free apps to get a sense of the prevailing sophistication level of security precautions installed in these popular consumer tools, says Andrew Blaich, (pictured above) a lead security analyst at Bluebox.

Bluebox picked the travel category because users share a cornucopia of personal information with apps as they schedule flights, ridesharing trips, accommodations, and other parts of a journey. The data can include travel dates, home addresses, and phone numbers, in addition to credit card numbers.

The company looked at more than a dozen security factors and found “critical flaws” in all 20 travel apps. But Bluebox’s intent was not to flag the travel app sector as a particularly lax group when it comes to incomplete security safeguards, Blaich says.

“These definitely exist in other sectors and app categories as well,” Blaich says.

Bluebox didn’t want to name the particular apps it studied, but it shared its method for choosing them. Bluebox took its selections from two App Annie charts sampled in 2015: “iOS Top App Charts” and “Google Play Top App Charts.” The apps studied wouldn’t necessarily be among the top 10 listed on each of those charts today. Bluebox tried to pick matched pairs of similar apps, one from the Android list, one from the iOS list.

Each app studied was downloaded directly from certified Android or iOS app stores, rather than from e-mails, websites, or third-party app stores. That’s a precaution Bluebox recommends to consumers as well. Even though the official versions of these apps are vulnerable to hackers—as Bluebox discovered in its study—it’s more likely that they haven’t yet been corrupted, Blaich says.

Consumers should also keep both their apps and their device operating systems upgraded to the latest versions, Blaich says. Those upgrades often contain security fixes for the most recent hacker invasion strategies, he says.

App developers need to be aware that they may be creating hacker opportunities when they build some of their app’s functions by incorporating sections of code they obtain from third-party libraries on the Internet. These programming building blocks may carry with them vulnerabilities unknown to the app developer, Bluebox says.

In its Travel App Security Study released today, Bluebox found that an average of 70 percent of the code came from outside sources rather than in-house programmers. Blaich says app developers often concentrate their own programming efforts on the unique functions they want to offer to consumers.

“A lot of people aren’t security experts; they focus on the user experience,” Blaich says. “Security sometimes takes a back seat.”

Trending on Xconomy