
Top travel apps fail the privacy and security test


The results of a newly published study of some of the world's most popular travel apps, on both Android and iOS platforms, make for grim reading if you like your privacy and security as much as you do an excellent money-saving travel deal. Researchers from mobile security solutions provider Zimperium tested 30 "best deal" travel applications, covering flights, hotels, car rental and the like, to better understand how they manage users' privacy and security risk. The apps, chosen based on Google Play download counts and number of positive iOS reviews, failed miserably. How miserably exactly?

The research reveals that 100% of the iOS apps failed to receive a passing privacy or security grade. The Android apps tested did better, with only 45% failing to pass the privacy tests, but 97% still failed on security.

Which travel apps are putting users at risk?

The names of the travel apps themselves have not been released; instead, the researchers anonymized the app providers and assigned each a pseudonym and number. I asked J.T. Keating, vice-president of product strategy at Zimperium, why the travel apps tested had not been named, which would enable users to uninstall them. "Under the principle of responsible disclosure," Keating says, "Zimperium would like to provide app providers with the ability to fix the security and privacy risks before disclosing them publicly." Keating says that if the apps were identified along with the specific risks found, then it would "enable hackers to quickly attack or leverage the app to compromise devices or steal data." What Keating did tell me, however, is that the 30 apps were chosen based upon the number of downloads and positive reviews and are of the "find the lowest price, best deals for flights, hotels, etc. variety." Apps from individual airlines, hotels and car rental firms were not tested. The Android apps alone account for a total of 478 million downloads; Google Play reveals these statistics, whereas the Apple App Store doesn't.

How were the travel apps tested?

The apps were awarded scores calculated using Zimperium’s z3A advanced application analysis engine across three primary categories of analysis: the Open Web Application Security Project (OWASP) mobile top 10 application development best practices, and more granular privacy and security risk data. For privacy, this included the app’s access to private user data, unique device identifiers, SMS, communications and unsecured data storage. The security risk analysis included functionality and code usage, application capabilities and critical vulnerabilities. Each app was then rated on a scale of zero to 100; the higher the rating, the higher the risk. To pass the testing regime, an app needed to demonstrate that it had very few risks and did a better than average job of protecting user data. If an app showed significant risks with a below-average job of protecting user data, it failed. Those apps that had risks that needed addressing but fared averagely when it came to protecting data were given an intermediate “average” rating.

A security expert view

“An interesting outcome from the study is that iOS apps have more of a privacy issue than the Android apps. This goes against the image which Apple is trying to build with iOS, and they need to do a better job of vetting apps if they wish to continue to portray this image; especially since the App Store is a closed ecosystem,” says Sean Wright, a security researcher and the OWASP chapter leader in Scotland.

When it comes to the security issues, and the failure to conform to fundamental security best practices such as ensuring they do not contain any of the OWASP top 10 vulnerabilities, Wright says that:

“Quite frankly some of the vulnerabilities in these apps are alarming, such as the ability to install unvetted code and files remotely, potentially making the application become a Command & Control app.” That some were using non-encrypted HTTP connections in 2019 was also a concern for Wright. “It is vital that travel apps do what they can do to protect their users' information given some of the information which they may harvest from a user such as passport details or payment details,” he says.
