By Jan Sysmans, Mobile App Security Evangelist, Appdome
For most people, travelling is not just a fun and relaxing activity. It also opens their eyes to new experiences, be they places, food, music, or activities. India is a perfect example of this duality, boasting something for every kind of traveller thanks to its diverse and rich cultures. Even in 2021, before the post-pandemic travel boom, India’s travel and tourism industry generated a hefty USD178 billion, so said the India Brand Equity Foundation (IBEF). Furthermore, upgrades to infrastructure and increasing access to passports are expected to contribute to India’s airline travel market doubling in value by 2027.
During this time, we will likely see more travellers use airline apps, which offer a convenient way to book flights within the palm of their hands. However, each new booking presents cyberattackers with more victims to target as well as opportunities to advance their own nefarious goals. Therefore, app makers need to double down on their security if they want to retain their customers and gain an advantage over their business rivals.
How safe is customers’ data?
Through countless pen tests, security researchers have been able to identify multiple vulnerabilities that put travellers’ data at risk. In particular, researchers discovered an exploitable API endpoint, which gave them access to information that was either referenced or retrieved by the app. This vulnerability, known as ‘indirect object reference,’ allowed researchers to find the app’s recordLocater that contained airline reservations as well as mileage numbers that referenced upcoming flights. Further complicating matters, researchers also discovered that airline apps had weak signatures and insecure SSL connections that made stealing data even easier.
These findings should be a wake-up call for app makers to start reinforcing their mobile security. This is because a successful attack can enable hackers to steal user identities, make unauthorised credit card payments, find new targets through contact details, and even modify or cancel flights.
Security must-haves for airline apps
Reducing successful attacks and ensuring worry-free flights for travellers requires app makers to adopt the following five key measures:
Blocking reverse-engineering tactics
Reverse engineering allows attackers to look under the hood and find out how apps work. With this information, it becomes easier for hackers to create effective attacks that can exploit vulnerabilities and cause as much damage as possible.
To prevent hackers from relying on these tactics, app makers should employ anti-debugging and code obfuscation tools designed to prevent the disassembly and decompilation of apps to access the source code.
Ensuring a secured registration experience
Stealing travellers’ personal information and booking details is easy to the point where hackers can simply use overlay and keylogging attacks to covertly intercept inputs without having to breach the app.
Should these attacks occur, app makers need to either shut down their services or inform users of the right measures to prevent hackers from accessing their information. Furthermore, developers and security personnel also need to install anti-spyware solutions that can curtail hackers’ efforts to attach overlay malware or keyloggers inside the app.
Eliminating fake accounts and transactions
Emulators, which mimic mobile app behaviours and functions, give hackers the means to create fake accounts. From there, they can launch credential stuffing attacks in which they will input different passwords either to gain access to legitimate ones or lock users out of the mobile service. Furthermore, by pairing emulators with auto-clickers, attackers can also conduct unauthorised transactions, depriving travellers of their hard-earned money.
Security teams can reduce the number of fake accounts and transactions by utilising synthetic fraud solutions designed to prevent apps from running in emulated environments or virtual devices.
Safeguarding airline loyalty points
Frequent flier miles allow users to treat themselves to exclusive benefits, be they free tickets, food and beverages, or priority check-ins. However, if these points are stolen or erased, it can demoralise travellers who have spent weeks or months saving them up.
In addition to preventing the running of apps in emulators, security teams also need to build defences that block dynamic instrumentation tools such as Frida. With these measures in place, attackers will have a harder time manipulating loyalty point values.
Restricting app usage in hacked operating systems (OS)
Jailbroken or rooted mobile devices can give hackers full control over the OS, which they can then exploit to disable existing mobile protections and expose apps to all sorts of attacks. By integrating jailbreak and rooting prevention solutions, app makers can be alerted to these threats and lock down their apps so that hackers can’t use them.
Travellers want to have the best time of their lives when flying to their destinations, and the last thing they need is cyberattackers ruining that experience. This is why implementing the following security measures is crucial, as they allow app makers to create safer and more memorable journeys while also encouraging the growth of India’s travel industry through reduced cyber threats.
