Zimperium is releasing a new piece of research today which investigates 30 of the world’s leading travel applications to understand how they manage users’ security and privacy risks.
The data is based on the most downloaded travel applications on iOS and Android, and as part of the study, mobile security researchers from Zimperium’s zLabs team assigned each application a grade:
- Passing: The app has very few risks and does an above average job of protecting user data.
- Average: The app has risks that need to be addressed and does an average job of protecting user data.
- Failing: The app has significant risks and does a below average job of protecting user data.
The full study can be found here, however key findings revealed:
- 100% of iOS-based apps and 45% of Android-based apps failed to receive a passing privacy grade.
- 100% of iOS-based apps and 97% of Android-based apps failed to receive a passing security grade.
Privacy Risk Key Findings:
iOS:
- 97% (29 apps) can take screenshots of the full User Interface, enabling an attacker to understand everything from installed apps to credentials.
- 73% (22 apps) implement pin-point location functionality that Apple only allows in navigation apps.
- 17% (5 apps) attempt to access contacts from Address Book, exposing these records to theft and abuse.
Android:
- 10% (3 apps) access phone call history. There is no reason for a travel app to need this information and it can expose it to an attacker.
- 7% (2 apps) use an insecure content provider; this allows other applications (e.g., a malicious app) on the device to potentially steal data from these travel apps.
Security Risk Key Findings:
iOS:
- 100% (30 apps) have an authentication method that can be used to override SSL and TLS chain validation. This can allow attackers to intercept the communication of sensitive data between the app and the Internet.
- 7% (2 apps) implement an over-the air app installation method which circumvents Apple’s review process and can enable the installation of unvetted and potentially malicious functionality.
Android:
- 57% (17 apps) enables the injection of Java objects at runtime, which an attacker can leverage to inject malicious code as well.
- 57% (17 apps) enable WebView to execute JavaScript code. This could potentially allow an attacker to introduce arbitrary JavaScript code to perform malicious actions or exploitation. This is a common attack vector that has been exploited by many zero-day vulnerabilities (e.g., Pegasus, Stagefright).
- 53% (16 apps) have functionality that can allow attackers to more easily create imposter apps that users unknowingly download (e.g., the fake BBC app Zimperium detected).
- 20% (6 apps) enable the installation of unvetted and potentially malicious apps, code and files from remote locations.
