As the pandemic comes to an end, the world is ready to travel again, and people are using booking apps to book their trips. The online travel booking segment is one of the largest in the travel industry. The industry is estimated to be worth around $1.2 trillion annually, and the online booking market makes up 63% of that, or roughly $756 billion. Statistics show that the travel market is expected to reach $833.52 billion in 2025. Millions of new travelers are booking flights, making hotel reservations, or paying for rideshare services through their mobile apps, and 72% of these mobile bookings take place within 48 hours of last-minute Google searches that include the words ‘tonight’ and ‘today’. In this blog, we’ll discuss the top 6 attacks on booking apps and how to defend against them.
How Mobile Booking Apps Protect Against Security Threats
While mobile has come to dominate most of the internet, it is still not a very popular online booking tool. Booking app safety is often put on the back burner, which leaves booking apps with critical flaws: passwords exposed in plain text, leaked account credentials, and users exposed to data collection, phishing attacks and even cybercrime. These cyberattacks can also cost companies millions of dollars in lost revenue. A study of the vulnerabilities found across the Android and iOS versions of various travel booking apps identified 30 iOS apps with an authentication method that could be used to override SSL and TLS certificate chain validation. This would allow attackers to intercept sensitive data in transit between the app and the Internet.
How To Protect Your Mobile Booking App against these Top 6 Attacks
Attack on Personal, Confidential Data
Booking apps use and store sensitive data, including names, passwords, credential information, current travel plans and upcoming trip details. Unfortunately, hackers and pen testers know where to find this data. They know how to use readily available, open-source tools such as Hopper to reverse engineer the booking app and figure out where in the code important data is stored. Much of this data is not encrypted by default, which means that anybody who can find the data will be able to read it: hackers and pen testers can access critical information such as passwords, credentials and other sensitive data. A prominent mobile booking service was recently pen-tested, and the password file was found in the source code. In addition, pen testers found a popular booking app employing outdated encryption algorithms. To stop hackers and pen testers from accessing sensitive data, it’s recommended to (1) obfuscate your iOS and Android apps to prevent hackers and pen testers from using disassemblers and decompilers to recover the source code, and (2) use data encryption such as AES-256 to secure and protect all data in the App Sandbox and Preferences.
Attack on Booking App Transactions
Booking apps like Booking.com and Trivago make it easy for users to book and pay for hotels, car rentals, and other parts of a trip. Since payment is usually made by credit card, booking apps are required to comply with PCI DSS to safeguard the transaction and protect against identity theft. The PCI Security Standard is an industry standard created to protect businesses from becoming targets of cybercriminals. The standard also provides an approach for protecting PIN entry on devices. Using Appdome, PCI compliance can be achieved without coding or SDKs.
Attack on the Connections
Recently, popular booking smartphone apps were found to use plain HTTP to send and receive data. HTTP lacks encryption, so attackers can readily intercept the data if they are on the same network or otherwise have access to the user’s data channel. Unencrypted HTTP in a mobile booking app opens the door to man-in-the-middle attacks. Use Appdome to ensure communication between your booking app and the server is secure: Appdome protects Android and iOS app connections with TLS, SSL certificate validation, CA verification, malicious proxy detection, TLS version enforcement and secure certificate pinning.
Protect Booking App Consumers against Overlay Attacks
Tapping a phone screen is second nature to most of us; it is muscle memory. In a tapjacking attack, the attacker hijacks the user’s taps and tricks them into doing something they did not intend. The attacker accomplishes this by overlaying one screen on top of another while giving the appearance of a single interface. To safeguard your booking app against these overlay attacks and prevent hackers from harvesting confidential data from the booking app, such as frequent flier numbers, passwords and credit card information, learn more about how to use Appdome to stop overlay attacks.
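An added Android example, not code from this post or from Appdome, of a payment or login button that discards taps delivered while another window is drawn over it; the class name is hypothetical.

```java
import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.view.MotionEvent;
import androidx.appcompat.widget.AppCompatButton;

// A sensitive-action button (e.g. "Pay now") that ignores touches arriving while
// another window covers it, which is how an overlay attack hijacks the user's tap.
public class OverlayAwareButton extends AppCompatButton {
    public OverlayAwareButton(Context ctx, AttributeSet attrs) {
        super(ctx, attrs);
        // Framework filter: drop touches when the whole window is obscured.
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        int flags = event.getFlags();
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        // The partial flag only exists on Android 10 (API 29) and later.
        boolean partiallyObscured = Build.VERSION.SDK_INT >= 29
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        if (obscured || partiallyObscured) {
            // Returning false discards the touch instead of acting on it; this is also
            // a good point to record the event for detection telemetry.
            return false;
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

On devices below API 29 a partial overlay that leaves the button visible is not flagged, so the view-level check is a complement to, not a replacement for, the OS-level protections the post describes.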
Breach of Location Data
The exposure of an individual’s location is a basic but often disregarded threat. Besides holding the places and specific dates where users will be, booking apps use a user’s current location to find trips or services nearby. As a result, a person’s present, exact location is known and can be used against them. Hackers jailbreak and root iOS and Android devices to gain elevated privileges, which lets them reach the location data the app stores. To counter this threat, we recommend adding jailbreak and root prevention to your booking app so it can detect when it is running on a jailbroken or rooted device, where your personal data can potentially leak.
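An added example, not code from this post or from Appdome, of inexpensive root indicators an Android booking app can check before it caches location history; the class name is assumed and the su paths are conventional locations, not an exhaustive list.

```java
import android.os.Build;
import java.io.File;

// Heuristic root indicators. Each is cheap to evaluate and easy for a rooted device
// to hide, so treat a hit as a signal to reduce what the app stores or shows (e.g.
// location history, saved cards), not as proof that the device is compromised.
public final class RootIndicators {
    // Conventional locations of the su binary on rooted devices (assumed list).
    private static final String[] SU_PATHS = {
            "/system/bin/su", "/system/xbin/su", "/sbin/su",
            "/system/sd/xbin/su", "/data/local/xbin/su", "/data/local/bin/su"
    };

    public static boolean suBinaryPresent() {
        for (String path : SU_PATHS) {
            if (new File(path).exists()) {
                return true;
            }
        }
        return false;
    }

    /** Official builds are signed with release-keys; custom ROMs are often test-keys. */
    public static boolean testKeysBuild() {
        return Build.TAGS != null && Build.TAGS.contains("test-keys");
    }

    /** Combined signal the app can consult before persisting location data. */
    public static boolean likelyRooted() {
        return suBinaryPresent() || testKeysBuild();
    }
}
```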
Attacks on APIs Booking Apps Use
Booking apps, because they service an entire journey, need to connect with multiple systems, and they do so through APIs. These APIs can be vulnerable for several reasons. Unless you embed security, each REST API in your app represents a separate and potentially unique attack vector for hackers. In addition, there are no consistent standards for API security: some APIs use a key while others do not, some use TLS and others don’t, and some require the developer to store cookies locally while others don’t. Appdome enables mobile developers or non-developers to protect APIs in Android and iOS mobile apps in minutes, regardless of the API vendor or the architecture of your app. No API gateway is required, and no specialized security training or development expertise is needed. It’s recommended to (1) encrypt API data (keys, secrets, tokens, URLs, payloads, etc.), (2) obfuscate the app structure, control flow and logic around the API, (3) shield the API from tampering, debugging and reversing, and (4) protect communication between REST APIs and the backend server with TLS security, CA validation, certificate pinning, etc.
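The connection protections from the "Attack on the Connections" section and recommendation (4) above, as one added Android example using OkHttp (not code from this post or from Appdome); the host, endpoint and pin values are placeholders.

```java
import java.util.Arrays;
import java.util.concurrent.TimeUnit;
import okhttp3.CertificatePinner;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.TlsVersion;

// One shared client for every REST API the app calls, so each endpoint gets the
// same TLS floor and pin set instead of an ad hoc, per-API setup.
public final class PinnedApiClient {
    // Hypothetical API host. The pins are placeholders: replace them with the SHA-256
    // of your server's current leaf SubjectPublicKeyInfo and of a backup key.
    private static final String API_HOST = "api.example-booking.com";
    private static final String[] PINS = {
            "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", // current key (placeholder)
            "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="  // backup key (placeholder)
    };

    public static OkHttpClient build() {
        CertificatePinner.Builder pinner = new CertificatePinner.Builder();
        for (String pin : PINS) {
            pinner.add(API_HOST, pin);
        }
        // Allow only TLS 1.2/1.3; a cleartext http:// URL or a downgraded handshake
        // then fails the call instead of silently sending booking data.
        ConnectionSpec tls12Plus = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .tlsVersions(TlsVersion.TLS_1_3, TlsVersion.TLS_1_2)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner.build())
                .connectionSpecs(Arrays.asList(tls12Plus))
                .callTimeout(15, TimeUnit.SECONDS)
                .build();
    }

    /** A pin mismatch (e.g. an interception proxy) surfaces as SSLPeerUnverifiedException. */
    public static int getReservationStatus(OkHttpClient client, String token) throws Exception {
        Request req = new Request.Builder()
                .url("https://" + API_HOST + "/v1/reservations") // hypothetical endpoint
                .header("Authorization", "Bearer " + token)
                .build();
        try (Response resp = client.newCall(req).execute()) {
            return resp.code();
        }
    }
}
```

Pin the public key rather than the whole certificate and always ship a backup pin, so a routine certificate rotation does not lock users out of the app.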
We’d love to help stop these 6 attacks on your booking app
As travel appears to be on the rise again, booking apps are becoming the popular and convenient alternative to desktop reservations. Mobile apps are the top choice to book, check in, track, share, save, store and spend for any travel journey. I would love to assist you with your security project and help your booking app overcome its cybersecurity challenges. Let us show you how to safeguard your mobile app from attackers. Please contact us for a demonstration!