Study Finds Airline Apps Riddled With Security Bugs

The mobile apps distributed to customers by major airlines are typically riddled with security vulnerabilities, a review has found.

The bugs are all the more concerning since the apps in question typically handle sensitive information including passport and payment card details.

The audit by Montpellier-based mobile security firm Pradeo looked at the top 50 most used airline apps worldwide, primarily from North America, Western Europe and Eastern Asia.

The company said the data privacy issues exposed by the audit were “alarming”.

Sensitive data

It found that nearly half, or 49 percent, of the applications make use of a device’s location details, image gallery and contacts list.

One-third send the personal details thus obtained over the network, with transmissions occurring in most cases over uncertified connections.

The apps use an average of 14 unsecured connections to servers, thus exposing data to the risk of theft, Pradeo found.

The study also found an average of 21 security vulnerabilities per application, which Pradeo said could be due to pressure to get apps to market quickly.

The figure was “a very high number when put in conjunction with the sensitivity of the information manipulated”, Pradeo said in an advisory.

The 10 vulnerabilities most commonly detected in the sample create the risk of denial-of-service attacks, data leakage and man-in-the-middle attacks, Pradeo said.

Hacking risk

Nearly all the apps, some 98 percent, included a bug that gives permission for other apps to bypass some security restrictions, potentially giving them access to sensitive data, according to the firm.

It said other weaknesses could allow SQL injection attacks, denail of service or the interception of data.

British Airways and Cathay Pacific are amongst the airlines that have uncovered hacks affecting customers’ personal data in recent months.

Last September British Airways found a hack of its website and mobile app had exposed the data of thousands of customers during the peak August travel season.

In October, while investigating the first attack, the airline uncovered the theft of an additional 185,000 users’ payment details.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Spyware Maker NSO Group Found Liable In US Court

Landmark ruling finds NSO Group liable on hacking charges in US federal court, after Pegasus…

1 day ago

Microsoft Diversifying 365 Copilot Away From OpenAI

Microsoft reportedly adding internal and third-party AI models to enterprise 365 Copilot offering as it…

1 day ago

Albania Bans TikTok For One Year After Stabbing

Albania to ban access to TikTok for one year after schoolboy stabbed to death, as…

1 day ago

Foldable Shipments Slow In China Amidst Global Growth Pains

Shipments of foldable smartphones show dramatic slowdown in world's biggest smartphone market amidst broader growth…

1 day ago

Google Proposes Remedies After Antitrust Defeat

Google proposes modest remedies to restore search competition, while decrying government overreach and planning appeal

1 day ago

Sega Considers Starting Own Game Subscription Service

Sega 'evaluating' starting its own game subscription service, as on-demand business model makes headway in…

1 day ago