The mobile apps distributed to customers by major airlines are typically riddled with security vulnerabilities, a review has found.
The bugs are all the more concerning since the apps in question typically handle sensitive information including passport and payment card details.
The audit by Montpellier-based mobile security firm Pradeo looked at the top 50 most used airline apps worldwide, primarily from North America, Western Europe and Eastern Asia.
The company said the data privacy issues exposed by the audit were “alarming”.
It found that nearly half, or 49 percent, of the applications make use of a device’s location details, image gallery and contacts list.
One-third send the personal details thus obtained over the network, with transmissions occurring in most cases over uncertified connections.
The apps use an average of 14 unsecured connections to servers, thus exposing data to the risk of theft, Pradeo found.
The study also found an average of 21 security vulnerabilities per application, which Pradeo said could be due to pressure to get apps to market quickly.
The figure was “a very high number when put in conjunction with the sensitivity of the information manipulated”, Pradeo said in an advisory.
The 10 vulnerabilities most commonly detected in the sample create the risk of denial-of-service attacks, data leakage and man-in-the-middle attacks, Pradeo said.
Nearly all the apps, some 98 percent, included a bug that gives permission for other apps to bypass some security restrictions, potentially giving them access to sensitive data, according to the firm.
It said other weaknesses could allow SQL injection attacks, denail of service or the interception of data.
British Airways and Cathay Pacific are amongst the airlines that have uncovered hacks affecting customers’ personal data in recent months.
Last September British Airways found a hack of its website and mobile app had exposed the data of thousands of customers during the peak August travel season.
In October, while investigating the first attack, the airline uncovered the theft of an additional 185,000 users’ payment details.
Landmark ruling finds NSO Group liable on hacking charges in US federal court, after Pegasus…
Microsoft reportedly adding internal and third-party AI models to enterprise 365 Copilot offering as it…
Albania to ban access to TikTok for one year after schoolboy stabbed to death, as…
Shipments of foldable smartphones show dramatic slowdown in world's biggest smartphone market amidst broader growth…
Google proposes modest remedies to restore search competition, while decrying government overreach and planning appeal
Sega 'evaluating' starting its own game subscription service, as on-demand business model makes headway in…