In air-travel, safety comes first. It is unequivocally the key priority of any airline. Be it passenger safety, safe routes, the safety of their aircraft and crews, airlines are in the forefront to guarantee safety at any level. So the striking vulnerability of their apps may come as a surprise, even to those working in the industry. The latest app security scan of some top-tier airlines by APP-RAY showcases significant flow in apps used by millions of passengers on a daily basis.

Airline apps are nowadays the primary interface between an airline and its customers. They help to find the best and cheapest connections, manage tickets and boarding passes, and allow access to premium services for high-value customers.

An airline check-in vulnerability is impacting multiple airlines. This can be a simple one flaw because some of the airlines have been emailing unencrypted check-in links to passengers. Since the links are unencrypted, they could be intercepted or reused by an unauthorized third party to change the details for a reservation and gain access to user information.

APP-RAY Researchers observed unencrypted network traffic going to airline servers that were consistent with sensitive content. Upon further investigation, researchers found that this data—suspicious parameters on a URL string—was being used to authenticate the user into the e-ticketing website transparently.

Major flows in airline apps

The biggest problems include a lack of encryption for app data, insufficient protection against man-in-the-middle attacks, and leftover administration or debugging code. While smartphones may have built-in full disk encryption, they do not protect your data when you use your phone or tablet. While the device is running, the data can be stolen by other malicious apps – or by someone grabbing the device from your hand.

A severe vulnerability could have been exploited to access customer information and manage flight reservations. These types of vulnerabilities, known as insecure direct object references (IDOR), can be easily exploited by an attacker by merely changing the value of a parameter in the request sent by the app to the server. The flight booking page contains information such as the departure and arrival of the flight, as well as payment information, including the form of payment and the last four digits of your credit card number.

IDOR flows are not uncommon and are occasionally included in the Top 10 Open Web Application Security Project Vulnerabilities for the Worst Web Applications. “Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to point to an object directly.” according to OWASP.

Available resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user-supplied input and uses it to retrieve an object without performing sufficient authorization checks. Due to a lack of authentication required for access to the resource as well as a lack of brute force protection, it was possible to automate an attack to enumerate supported airlines.

Priority check-in: App-Ray scrutiny reveals major flows in airline apps
Photo by JESHOOTS.COM on Unsplash

A Europen mobile app security testing firm APP-RAY looked at ten different top airline apps and found various levels of security. While some apps adhere to security best practices and did not contain any apparent vulnerabilities, other apps expose a much higher threat surface:

  • All airline apps include third party components for user tracking, advertisement, and security services. This is a standard approach and not necessarily a problem. However, these libraries do not always live up to high-security standards: some use unencrypted and unauthorized API endpoints or load executable code over an unprotected connection. Further, one app included references to pre-production test APIs, including client secrets, which allows an attacker to explore the API interfaces in detail.
  • Further, all airline apps use WebView to include web content into the app – this is also a standard technique. However, it may turn into a threat if it is not ensured that the WebView is loaded exclusively over HTTPS. In that case, the web page sent by the server is not necessarily the one that is loaded into the app’s web view. This turns into a severe problem if the WebView is giving the privilege to access local files and to execute JavaScript. In that case, an attacker can inject malicious JavaScript that may read and write local files with the rights of the airline app.
  • Another problem is unrestricted broadcast receivers. One of the assessed apps provides a service to update the passenger profile, including preferences on meals, seats, etc. These services receive its instructions via an Intent (a message for communication between components of Android apps), which is sent by another component of the app. However, as this Intent does not require any permissions, other apps may create a respective Intent, send it to the airline app, and thereby modify the passenger profile.
  • The app serves as a communication channel between the airline and allows pushing notifications about flight delays, cancelations, or gate changes. “An attacker who can spoof such notifications can prevent a large number of passengers from getting their flight connection and create serious financial damage to the airline.” – commented Zsolt Nemeth, founder, and CEO of APP-RAY.

Finally, there are a few ways to securely store valuable data on Android phones, using hardware-based cryptography, the built-in “Secure Element” (a cryptographic co-processor) and biometrics or secure PINs to unlock the keystore. None of the assessed apps use these techniques to the fullest extent to protect boarding passes or tickets. Thus, especially on rooted phones, stored boarding passes are not adequately protected.

The situation seems dire, however, with easy-to-adopt automated security testing technologies, such as App-Ray, a fast and cost-effective solution can be added integrated to the CD / CI process to eliminate this severe issue. App-Ray is at the forefront to help clients release more secure and fully compliant apps.

The names of these major airline apps and online booking systems have not been published in order to protect their business reputation; instead, APP-RAY researchers contacted developers and airlines directly.

Established in 2015, Vienna-based company, APP-RAY, is the leading provider of automated mobile application security scanning, providing a fully automated security analysis of mobile applications to find security issues, privacy breaches, and data leak potentials. APP-RAY augments existing mobile security solutions to classify and provide deep insights on application behavior.

Press contact: Zsolt Nemeth, Founder and CEO ([email protected])  

For more information on APP-RAY and free demo: https://app-ray.co/get-started/