Bluebox Security Reveals Inadequate Security in Today's Most Popular Travel Apps

Leading Enterprise Mobile Security Firm Finds Popular Travel Apps Put User Data at Significant Risk, Offers Businesses and Employees Advice in Time for Upcoming Travel Season

SAN FRANCISCO, CA--(Marketwired - Sep 15, 2015) - Bluebox Security®, the mobile app security and analytics company that first pioneered self-defending apps for consumers, BYOD employees and the extended enterprise, today released findings from its 2015 Travel App Security Study that highlight the deficient security posture of the top 10 most popular mobile travel apps on both Android and iOS devices [1]. Bluebox's comprehensive research across more than a dozen security parameters revealed critical flaws in every app examined.

Travel apps, and consumer-facing apps in general, have changed significantly in recent years to make life easier for the consumer, with frequent updates to enhance usability and features. But in too many cases rapid advancements in these apps have completely overlooked security, increasingly creating numerous points of entry for attackers to access sensitive data.

Top Travel App Security Risks
The results of the Bluebox study show that the defensive measures in these popular travel apps remain in their infancy with an apparent need to reassess these safeguards. The Bluebox analysis uncovered many alarming discoveries including:

  • Lack of Data Security -- Only one of the ten Android apps and none of the ten iOS apps examined encrypted data stored on the mobile device, leaving sensitive data easily obtainable by attackers. Additionally, only two of the ten Android apps and one of the ten iOS apps employed certificate pinning -- a key capability for securing app data in transit and preventing "man in the middle" attacks.
  • Potential for App Manipulation -- Four of ten Android apps and six of ten iOS apps contained code for admin functionality that a normal user is not intended to access and that, if enabled, would grant the end user special privileges. Moreover, none of the apps incorporated anti-tampering measures. In both cases, attackers could activate restricted functionality and take full control of the apps, altering them for their own gain or launching attacks on other apps.
  • Potential Blind Spots -- On average, the app vendor wrote only 30 percent of the app code, while the remaining 70 percent consisted of third-party components. As OpenSSL bugs like Heartbleed demonstrated, third-party libraries present a huge potential attack surface and a security blind spot for developers.

"All of the apps we reviewed could be modified and changed to act in ways other than what the developers intended, putting sensitive information at risk regardless of device," said Andrew Blaich, lead security analyst at Bluebox Security. "Data must be protected at the application level and security should be integrated into the development process. Without it, users -- enterprise employees and consumers alike -- could suffer damaging loss of important and personal information."

Bluebox Security safeguards data, at rest or in transit, within mobile apps. Organizations use Bluebox to transform any mobile app into a self-defending app with enterprise-grade security that protects app data and defends against and responds to emerging mobile attacks. Spanning third-party, internal and consumer apps built for and by the enterprise, Bluebox works directly with vendors and developers to secure the apps critical to today's mobile-centric engagements.

Advice to Enterprise Security Teams
Bluebox Security offers recommended best practices for enterprise security teams that can be applied to any mobile app developed by an organization, and can help prevent the security issues discovered in the Travel App Security Study.

  • Implement data encryption for all app data
  • Remove any code that isn't necessary to the operation of the app
  • Add "self-defending" capabilities to mobile apps to protect app data and defend against and respond to emerging mobile attacks
  • Make security part of the development and update process from the beginning

Advice to Employees
With bring your own device (BYOD) becoming standard for organizations of all kinds, employees who download apps as consumers must also realize that these apps can become an attack vector into the enterprise once they connect their mobile devices to the workplace ecosystem. With this in mind, employees should be aware of the source of their apps, confirming they come from the official Android or iOS app stores. They should also ensure they are running the latest available version of the app and OS so that they are covered by the most current security measures. Finally, employees should be cautious about using free, unsecured wireless networks and should disable any certificate authorities they do not trust. [4]

To access the full whitepaper and detailed findings on the 2015 Travel App Security Study, please visit http://offers.bluebox.com/resource-top-travel-apps.html.

Notes
[1] Based on App Annie "iOS Top App Charts" and "Google Play Top App Charts" in 2015
[2] http://www.scmagazine.com/critical-remote-code-execution-vulnerabilities-in-stagefright-exploitable-on-95-percent-of-android-devices/article/428786/
[3] https://bluebox.com/blog/business/masque-attack-targets-ios-apps/
[4] https://bluebox.com/blog/technical/trust-managers/

About Bluebox Security
Founded in 2012 by a team of security experts, Bluebox Security provides the leading mobile app security and management solution. Pairing deep mobile security expertise with dynamic app management, Bluebox ensures that enterprise security moves at the speed of mobile. The cloud-based solution helps enterprises securely enable mobile by protecting apps, detecting threats and responding quickly to keep data secure. Bluebox Security has received a total of $27.5 million in funding from Andreessen Horowitz, Tenaya Capital, Sun Microsystems co-founder Andreas Bechtolsheim, SV Angel, and Google board member Ram Shriram. The company is headquartered in San Francisco.

Contact Information:

Media Contact
Christine McKeown
Highwire PR for Bluebox
(415) 671-9707
bluebox@highwirepr.com