As the pandemic comes to an end, the world is ready to travel again with people using booking apps to book their travels. The online travel booking segment is one of the largest in the travel industry. It is estimated to be worth around $1.2 trillion annually, and the online booking market makes up 63% of that, or roughly $756 billion. Statistics show that the travel market is expected to reach $833.52 billion in 2025. Millions of new travelers are booking flights, making hotel reservations, or paying for rideshare services through their mobile apps. However, 72% of these mobile bookings take place within 48 hours of last-minute Google searches that include the words ‘tonight’ and ‘today’. In this blog, we’ll discuss the top 6 attacks on booking apps and how to solve them.
How Mobile Booking Apps Protect Against Cyber Security Threats
Booking app safety is often put on the back burner and exposes booking apps to critical flaws that can expose passwords in plain text, leak account credentials, and expose booking app users to data collection, phishing attacks and even cybercrime. These cyberattacks can also result in millions of dollars in lost revenue for companies. A recent study of top travel booking apps by security researchers from Security Affairs revealed a significant number of critical security issues including weak or missing encryption which exposed sensitive data and PII such as phone numbers, home addresses, credit card & bank account details, session tokens, usernames and passwords and more. Keep reading and we will summarize in detail the top cybersecurity threats faced by travel booking mobile apps.
Travel Industry Cybersecurity Checklist – Top 6 Cyber Attacks on Mobile Booking Apps
Insecure Data Storage & Insufficient Data Encryption
Booking apps use and store sensitive data, including name, password, credential information, current travel plans, upcoming trip information. Unfortunately, hackers and pen testers know where to find this data. They know how to use readily available, open-source tools such as Hopper to reverse engineer the booking app to figure out where in the code important data is stored. A lot of this data is not encrypted by default, which means that anybody that can find the data will be able to read it. This means hackers and pen testers can access critical information such as passwords, credential information, and other sensitive data using multiple techniques such as static and dynamic code analysis, or simply extracting or decompiling apps to access sensitive information stored inside the application strings or other parts of the source code. To prevent this, it’s recommended to (1) Obfuscate your iOS and Android apps to prevent hackers and pen testers from using disassemblers and decompilers to access the source code (2) Use data encryption such as AES 256 encryption to secure and protect all data in the App Sandbox, preferences, strings and other parts of the code.
Cyber Attacks on Booking App Transactions
Booking apps like Booking.com and Trivago make it easy for users to book and pay for hotel, car rental, and other aspects of a trip. Attackers can compromise apps to steal or harvest data used mobile app transactions or even falsify mobile transaction data using malware, overlay attacks, key injection, method hooking and many other dynamic attack techniques. In addition, since payment is usually made through a credit card, booking apps are required to comply with PCI DSS to safeguard the transaction and protect against identity theft. The PCI Security Standard is an industry-standard that was created to protect businesses from becoming targets of cybercriminals. The standard provides an approach for protecting PIN entry on devices. Using Appdome, PCI compliance can be achieved without coding or SDKs.
Insecure Connections & MitM Attacks
Recently, popular booking smartphone apps were found to use the HTTP protocol to send and receive data. But, the HTTP standard lacks encryption, allowing attackers to readily intercept data if they are on the same network or have access to the individual’s data channel. The usage of unencrypted HTTP Protocol in mobile booking apps can lead to Man in the Middle attacks. Use Appdome to ensure communication between your booking app and its backend servers is secure. Use Appdome to protect Android and iOS app connections with TLS, SSL certificate validation, CA verification, malicious proxy detection, TLS version enforcement, secure certificate pinning.
Protect Booking App Consumers against Overlay Attacks
Tapping your phone screen is second nature to many of us. It is muscle memory. In a tapjacking attack, the attacker hijacks the user’s taps and tricks her into doing something she did not intend. The attacker accomplished this by overlaying one screen on top of another while giving the appearance of a single interface. To safeguard your booking app against these Overlay attacks and prevent hackers from harvesting confidential data in the booking app, such as frequent flier numbers and passwords, credit card information, learn more about how to use Appdome to stop overlay attacks.
Breach of Location Data
The exposure of an individual’s location is a basic but often disregarded threat. In addition to locations and specific dates of where users will be, booking apps will use a user’s location data to find trips or services nearby. As a result, a person’s present, exact location may be known and can be used against or endanger the user. Hackers jailbreak and root iOS and Android devices in order to increase admin privileges, enabling them to gain access to location data. To overcome this threat, we recommend your device to have Jailbreak and Root Prevention to detect if your booking app is running on a jailbroken device which can potentially leak your personal data.
Compromising Insecure APIs
Booking apps, because they are servicing an entire journey, need to connect with multiple systems. To connect with these systems, booking apps use APIs. These APIs can be vulnerable for several reasons. Unless you embed security, each REST API in your app represents a separate and potentially unique attack vector for hackers. In addition, there aren’t consistent standards for API security. Some APIs may have a key while others may not. Some may use TLS and others don’t. Some may require the developer to store cookies locally, while others don’t. Appdome enables mobile developers or non-developers to protect APIs in Android and iOS mobile apps in minutes, regardless of API vendor or architecture of your app. No API gateway is required. Likewise, no specialized security training or development expertise is needed. It’s recommended to (1) encrypt API data (keys, secrets, tokens, URLs, payload, etc.) (2) Obfuscate app structure, control flow and logic of the API. (3) Protect the API agasint tampering, debugging, and reversing. (4) Protect communication between REST APIs and the backend server – with things like TLS security, CA validation, certificate pinning, etc.
Prevent Cyberattacks and Threats on your booking app
As travel seems to be on the rise again, booking apps are becoming the popular and convenient alternative to desktop reservations. Mobile apps are the top choice to book, check-in, track, share, save, store and spend for any travel journey. I would love to assist you with your security project and help any booking apps achieve their cybersecurity difficulties. Let us show you how to safeguard your mobile app from attackers. Please contact us for a demonstration!