Whether you’re on Instagram, Twitter or TikTok, #travel is one of the most popular hashtags of all time. That’s because travel lets us explore, discover, learn and grow. But what if, by traveling, you expose yourself to cyberthreats? That’s a no-go right? Right. Airline app developers can do something about it. Here’s how.
Airline Travel and Airline Mobile Apps Are On the Rise
Travel is on the rise. Statistics revealed an 83% increase amongst people who traveled in 2021, a significant jump from the beginning of the pandemic in 2020. Approximately 2.6 million downloads were recorded in 2021 for popular airline mobile apps such as United Airlines, American Airlines, and Delta Airlines. With this surge in the use of airline apps, many airlines are beefing up their mobile apps to transform the way we travel.
How Airline Mobile Apps Protect Against Cybersecurity Threats
Airline mobile apps contain an average of 21 vulnerabilities and nearly 98% of apps include bugs that give permission to other apps to bypass security restrictions, potentially exposing sensitive data. According to Busiweek, one of the most common vulnerabilities detected in airline apps is data leakage.
In my research, I found a perfect example of the risk to the airline industry and travelers from an attack on an airline app. A researcher recently pen tested the mobile app of a prominent airline and discovered an easy to exploit API endpoint that exposed personal information of any frequent flier member. Known as an “indirect object reference” vulnerability, the researcher was able to exploit any data referenced or retrieved by the app, including the airline recordLocator, the customer’s last name, and more. This exploit allowed the researcher to use the compromised mileage number to fetch upcoming flights of the real user. Another study performed by CyberRes recently performed a binary vulnerability analysis across publicly available mobile apps from 30 major airlines around the world. The findings computed that every mobile app contained at least 1 vulnerability. Some common recorded threats were SQL Injection, weak signing software, weak crypto, and allowing unsafe SSL connections with expired certificates to extract one’s data.
Although these are pen–tests, the tests highlight the potential of cyber attacks against airline apps and mobile end users. If these tests were attacks, the attacker could have gained access to a user’s flight information, departures, arrivals, the reservation payment receipt (payment method and last 4 of CC), personal information about passengers (phone numbers, emergency contacts), and the ability to change/cancel the flight. Scary.
In an actual incident, a huge data breach revealed the names, phone numbers, DOBs, frequent flier membership, credit card, passport, and government ID numbers of about 10 million airline passengers. These invasions are very risky as loyalty accounts can be drained and unknown purchases can be made, also leading to stolen identity which can result in identity theft, account takeovers and more
Travel Industry Cybersecurity Checklist – Top 5 Ways for Airlines to Protect Their Mobile App Users
Make Your Airline App Reverse-Engineering Proof
Reverse engineering is an overlooked root cause of mobile app attacks. Attackers, and security researchers and pen testers, use all kinds of reverse engineering tools and tactics to perform static and dynamic code analysis to figure out how your airline app works. From this information they then create the attack or exploit and use it against your airline app or users. As shown from the example above, once the attacker understands how the app works, crafting the attack to spy or stalk users, steal personal information, create havoc on travel schedules or steal points from airline loyalty programs is fair game. Preventing your airline app from this kind of attack is the bare minimum defense to protect your business and users.
To defend against reverse engineering, it’s common to use anti-debugging tools and code obfuscation. Hackers use various tools to disassemble and decompile apps to access the source code, so obfuscate any Android or iOS apps without SDKs or coding.
Protect The User’s Login Experience
Airline mobile apps are an easy target for hackers due to their reliance on user entering massive amounts of personal information such as credit card and passport numbers, trip booking details, addresses, and more. Did you know that hackers and attackers can get access to all this juicy data without breaking into the app? They can and they do through the use of overlay attacks and keylogging. And, it’s a lot easier than you think. These attacks are often unseen by the user, leaving airline customers vulnerable and unprotected when they enter their log in information into an airline mobile app.
There have been reports of airlines being targeted by this malicious assault. When passengers entered their credit card information into the airline’s website and mobile app, malicious code discreetly retrieved and transferred the information to the hacker as the information was entered.
It’s recommended to protect against overlay attacks and keylogging; And either (1) the shut down the app to protect the app or (2) send notifications to users so that they might contact the airline app provider to achieve other enforcement actions when a threat is detected.
Make Your Apps Resistant to Fake Accounts and Transactions
Airline apps can also expose travelers to identity theft, Account Takeovers (ATOs), fake accounts and fake transactions. For example, airline apps can be weaponized in massive credential stuffing attacks, to perform multiple attempts to enter an individual’s account credentials. Even if the attacker fails to get access, the attack can lock travelers out of their mileage or mobile app account, putting your business at risk.
The standard method to defend against this is to prevent emulators and auto clickers being used with your airline app. Emulators can simulate, model, and mimic mobile application software & hardware behavior, including how apps interact with the mobile operating system and other systems. Auto-clickers, combined with emulators, provide a powerful combination for malicious activity, including creating fake accounts and transactions.
Protect Your Airline Loyalty Points in the Mobile App
Because frequent flier miles are incredibly valuable and can equalize money, securing them from hackers is imperative. There are many advantages to gaining mileage such as a free ticket, food and beverage perks, upgrades and priority check-ins. Think of frequent flier miles as loyalty money in a video game or game tokens in an arcade that let you win prizes. If these loyalty points were to be hacked, erased, or stolen from an account, the user would not be happy.
To prevent manipulation of loyalty points, airline app developers need to employ the same security methods that mobile game makers employ to protect points and other values in mobile games. This means airline app makers need to prevent emulators, including Knox, Memu, Bluestacks and other app players, block Frida and other DBIs, prevent memory injection and other malware. These tools can dynamically instrument your airline app and change or manipulate point values.
Ensure Your App runs only on Safe OS Environments
Hackers jailbreak iOS & root Android devices so they can unlock/control the OS and escalate administrative privileges. Once they control the OS, they usually try to disable security protection. This puts your airline app in a relatively defenseless state, and easy to attack. There are plenty of tools like Frida, unc0Ver, KingoRoot, Magisk, MagiskHide, malware, and cheat engines that make jailbreak or rooting trivial. To ward against these attacks, we recommend that the user/admin be notified of the jailbreak or rooting upon detection and to use Jailbreak Prevention and Root Prevention that will detect if an app is running on a jailbroken device and shut itself down.
We’d love to help stop cybersecurity attacks on your airline app
As the world emerges from the pandemic, travelers are taking to the skies again. When they do, mobile apps are the way they book, check in, track, share, save, store and spend inside their travel journeys. I’d be delighted to assist you with your security project and help any airline achieve its cybersecurity difficulties. Let us show you how to safeguard your mobile app from attackers. Please contact us for a demonstration!
[add_button link=”https://www.appdome.com/request-a-demo/request-a-demo-appdome-home/” text=”Request a Demo”]