As the pandemic comes to an end, the world is ready to travel again, and people are using booking apps to plan their trips. The online travel booking segment is one of the largest in the travel industry. The industry is estimated to be worth around $1.2 trillion annually, and the online booking market makes up 63% of that, or roughly $756 billion. Recent studies show that the travel market is expected to reach $833.52 billion in 2025. Millions of new travelers are booking flights, making hotel reservations, or paying for rideshare services through their mobile apps. In this blog post, we’ll discuss the top 6 cyber attacks and threats against travel & booking apps and how to solve them using cyber defense automation.
How to Protect Mobile Travel & Booking Apps Against Cyber Threats
As the travel market continues to grow, hackers and fraudsters will follow. Given the increasingly sophisticated nature of today’s cyber-attacks, it’s important for mobile brands to prioritize security and protect both their users and themselves. With so much sensitive data being exchanged, it is essential to take steps to protect this information from cyber-criminals; otherwise, cyberattacks can cost companies millions of dollars in lost revenue. However, mobile app security is often overlooked in the booking app industry, which increases the likelihood of successful attacks. In a recent study reported by Security Affairs, researchers who conducted security audits on top travel booking apps found a wide variety of security issues, including exposure of sensitive data and personally identifiable information (PII) such as home addresses, credit card and bank account numbers, phone numbers, usernames, passwords, and session tokens, all of which could pose both a financial and a physical risk to users.
Travel Industry Cybersecurity Checklist – Top 6 Cyber Threats for Mobile Travel & Booking Apps
- Insecure Data Storage & Insufficient Data Encryption
Booking apps use and store sensitive data, including names, passwords, credentials, current travel plans, and upcoming trip information. Unfortunately, hackers and pen testers know where to find this data inside mobile apps, using a wide variety of freely available and powerful open-source tools to reverse engineer booking apps and work out where in the code important data is stored. Much of this data is not encrypted by default, which means that anybody who can find the data will be able to read it. Hackers can therefore access passwords, credentials, and other sensitive data using techniques such as static and dynamic code analysis, or simply by extracting or decompiling the app to read information stored in application strings or other parts of the code. To prevent this, it’s recommended to (1) obfuscate your iOS and Android apps to prevent hackers and pen testers from using disassemblers and decompilers to access the source code, and (2) use data encryption such as AES 256 encryption to secure and protect all data in the App Sandbox, preferences, strings and other parts of the code.
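The following is an added example, not code from this post or from any product it describes, showing what recommendation (2) looks like in practice: a session token is sealed with AES-256-GCM before it is written to app storage, so that anything found in the preferences file or app sandbox is ciphertext plus an authentication tag rather than a readable secret. The class name `SealedPreference` and the sample token are constructed for this illustration. On Android the key would be generated in the hardware-backed Keystore; here a `SecureRandom` key is generated in memory only so that the example runs on any JDK.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Added example (not the original post's code): seal a sensitive preference
 * value with AES-256-GCM before it reaches disk, and unseal it on read.
 * GCM gives confidentiality plus integrity, so a modified blob is rejected
 * instead of decrypting to garbage.
 */
public class SealedPreference {
    private static final int GCM_IV_BYTES = 12;   // 96-bit nonce, the recommended GCM size
    private static final int GCM_TAG_BITS = 128;  // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    /** Stand-in for an Android Keystore key: a 256-bit AES key held only in memory (assumption). */
    public static SecretKey newKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, RNG);
        return kg.generateKey();
    }

    /** Returns base64(iv || ciphertext || tag); a fresh random IV is used for every call. */
    public static String seal(SecretKey key, String plaintext) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] blob = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        return Base64.getEncoder().encodeToString(blob);
    }

    /** Throws AEADBadTagException if the stored blob was altered after it was written. */
    public static String open(SecretKey key, String blob) throws Exception {
        byte[] all = Base64.getDecoder().decode(blob);
        byte[] iv = Arrays.copyOfRange(all, 0, GCM_IV_BYTES);
        byte[] ct = Arrays.copyOfRange(all, GCM_IV_BYTES, all.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = newKey();
        String token = "sess-CONSTRUCTED-EXAMPLE-TOKEN";   // constructed sample value
        String stored = seal(key, token);                  // this is what lands on disk
        System.out.println("on disk : " + stored);
        System.out.println("in app  : " + open(key, stored));

        // Flip one bit of the stored blob: the read must fail, not return plaintext.
        byte[] tampered = Base64.getDecoder().decode(stored);
        tampered[tampered.length - 1] ^= 0x01;
        try {
            open(key, Base64.getEncoder().encodeToString(tampered));
            System.out.println("BUG: tampered blob accepted");
        } catch (AEADBadTagException e) {
            System.out.println("tamper detected, value rejected");
        }
    }
}
```

The point the example makes is that the storage location does not need to be secret: once values are sealed this way, the only thing worth protecting is the key, which on a real device should never leave the Keystore (Android) or Secure Enclave-backed Keychain (iOS). Obfuscation from recommendation (1) complements this by making it harder to locate the code path that calls `open`, but it is not a substitute for encryption.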
- Dynamic Runtime Attacks
Booking apps like Booking.com and Trivago make it easy for users to book and pay for hotels, car rentals, and other aspects of a trip. Attackers can compromise apps to steal or harvest data used in mobile app transactions, or even falsify mobile transaction data, using malware, overlay attacks, key injection, method hooking and many other dynamic attack techniques. In addition, since payment is usually made by credit card, booking apps are required to comply with PCI DSS to safeguard the transaction and protect against identity theft. PCI DSS is an industry standard that was created to protect businesses from becoming targets of cybercriminals.
- Insecure Connections & MitM Attacks
In the cyber-security study mentioned above, popular booking smartphone apps were found to use the HTTP protocol to send and receive data. Because plain HTTP lacks encryption, anyone who can get at the traffic, for instance via a malicious proxy, a man-in-the-middle attack or many other methods, would be able to read, harvest or steal the data. Mobile developers can protect Android and iOS app connections using a combination of protections such as certificate validation, CA verification, malicious proxy detection, TLS version enforcement, and secure certificate pinning.
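As an added example (not code from this post or from any product it describes), the class below shows three of the protections just listed using only the JDK, so it runs on Android as well as on a desktop JVM: normal CA validation is kept, a SHA-256 pin over the DER-encoded certificate is checked on top of it, and the socket is restricted to TLS 1.2 and 1.3 with hostname verification enabled. The class name `PinnedTls`, the placeholder pin value and the constructed byte string in `main` are assumptions for this illustration; the pin format `sha256/<base64>` is the one commonly used by HTTP clients.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not the original post's code): CA validation + certificate
 * pinning + TLS version enforcement for an app's backend connection.
 */
public class PinnedTls {
    /** Placeholder pin; replace with the SHA-256 of your backend's (or its CA's) DER certificate. */
    static final Set<String> PINS = Collections.singleton("sha256/REPLACE_WITH_YOUR_BACKEND_CERT_PIN");
    static final String[] ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"};

    /** "sha256/<base64>" over the DER encoding of one certificate. */
    public static String pinOf(byte[] der) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
        return "sha256/" + Base64.getEncoder().encodeToString(digest);
    }

    /** True if any certificate in the presented chain matches a pinned value. */
    public static boolean chainIsPinned(X509Certificate[] chain, Set<String> pins) throws Exception {
        for (X509Certificate cert : chain) {
            if (pins.contains(pinOf(cert.getEncoded()))) return true;
        }
        return false;
    }

    /** Wraps the platform trust manager: CA validation first, then the pin check. */
    static X509TrustManager pinning(X509TrustManager platform, Set<String> pins) {
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                platform.checkClientTrusted(chain, authType);
            }
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                platform.checkServerTrusted(chain, authType);   // chain, expiry, CA trust
                try {
                    if (!chainIsPinned(chain, pins)) throw new CertificateException("certificate pin mismatch");
                } catch (CertificateException e) {
                    throw e;
                } catch (Exception e) {
                    throw new CertificateException(e);
                }
            }
            public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }
        };
    }

    static X509TrustManager platformTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null = the platform's CA store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static SSLSocketFactory socketFactory() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{pinning(platformTrustManager(), PINS)}, null);
        return ctx.getSocketFactory();
    }

    /** Opens a connection that only negotiates the allowed versions and verifies the hostname. */
    public static SSLSocket connect(String host, int port) throws Exception {
        SSLSocket s = (SSLSocket) socketFactory().createSocket(host, port);
        s.setEnabledProtocols(ALLOWED_PROTOCOLS);
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");   // hostname must match the certificate
        s.setSSLParameters(p);
        s.startHandshake();                              // pin check runs inside here
        return s;
    }

    public static void main(String[] args) throws Exception {
        byte[] fakeDer = "constructed bytes, not a real certificate".getBytes();  // constructed input
        String pin = pinOf(fakeDer);
        System.out.println("computed pin : " + pin);
        System.out.println("own pin ok   : " + Collections.singleton(pin).contains(pinOf(fakeDer)));
        System.out.println("placeholder  : " + PINS.contains(pinOf(fakeDer)));  // false until replaced
    }
}
```

Two practical notes: pin against the certificate (or issuing CA) you control the rotation of and ship at least one backup pin, or a routine certificate renewal will lock every installed app out of the backend; and keep the platform trust manager in the chain rather than replacing it, because a pin check alone does not verify expiry or the hostname.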
- Overlay Attacks, Malware and Fake Apps
Malware is steadily on the rise as a key weapon in attacking Android and iOS apps. Attackers leverage malware, key injection, method hooking, and overlay attacks to steal or harvest data used in mobile app transactions, or even to falsify mobile transaction data. Overlay attacks in mobile apps occur when malicious actors, typically with the assistance of malware, superimpose a fake graphical interface (overlay) on top of a legitimate app screen to deceive users into performing unintended actions. Fraudsters are also increasingly abusing legitimate mobile app functions, such as tricking users into approving permissions which malware then abuses, or intercepting accessibility events to take control over apps and achieve account takeovers. These attacks are often used to steal sensitive information such as login credentials, credit card info, loyalty points, etc., or to trick the user into enabling features that the attacker can later use to weaponize the app, escalate administrative privileges or plant a backdoor through which they can send payload updates to malware resident on the device. Using cyber defense automation, developers can safeguard travel and booking apps against overlay attacks, mobile malware and many other tools, methods and techniques attackers use in mobile fraud operations.
- Jailbreaking, Rooting and Other Privilege Escalations
The exposure of an individual’s location is a basic but often disregarded threat. In addition to holding the locations and specific dates of where users will be, booking apps use a user’s location data to find trips or services nearby. As a result, a person’s present, exact location may be known and can be used against or endanger the user. Hackers jailbreak and root iOS and Android devices in order to gain admin privileges, which lets them access location data. To counter this threat, mobile developers should build Jailbreak and Root Detection & Prevention into travel and booking apps to detect whether the booking app is running on a jailbroken or rooted device, which would allow hackers to more easily compromise the app or its data.
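The class below is an added example, not code from this post or from any product it describes, of the kind of baseline root signals an Android app can collect on itself: whether the firmware was signed with test keys, whether a `su` binary sits in one of the well-known locations, and whether the system partition is writable. The inputs are passed in rather than read from `android.os.Build` so the class runs on a plain JDK; the class name `RootSignals` and the temporary file created in `main` are constructed for this illustration.

```java
import java.io.File;
import java.nio.file.Files;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not the original post's code): collect on-device signals that
 * an Android device is rooted. Each signal is reported with a reason so the app
 * can log it, step down functionality, or send it with the next backend request.
 */
public class RootSignals {
    /** Locations where a su binary is commonly installed by rooting tools (assumption: list is illustrative). */
    static final List<String> SU_PATHS = Arrays.asList(
            "/system/bin/su", "/system/xbin/su", "/sbin/su",
            "/su/bin/su", "/data/local/bin/su", "/data/local/xbin/su");

    /**
     * @param buildTags   value of android.os.Build.TAGS on a real device ("release-keys" on stock firmware)
     * @param suPaths     candidate su locations to probe
     * @param systemDirs  directories that must not be writable on a locked-down device
     */
    public static List<String> findings(String buildTags, List<String> suPaths, List<String> systemDirs) {
        List<String> reasons = new ArrayList<>();
        if (buildTags != null && buildTags.contains("test-keys")) {
            reasons.add("firmware signed with test-keys: " + buildTags);
        }
        for (String p : suPaths) {
            File f = new File(p);
            if (f.exists()) reasons.add("su binary present: " + p);
        }
        for (String d : systemDirs) {
            File f = new File(d);
            if (f.isDirectory() && f.canWrite()) reasons.add("system directory writable: " + d);
        }
        return reasons;
    }

    public static boolean looksRooted(String buildTags, List<String> suPaths, List<String> systemDirs) {
        return !findings(buildTags, suPaths, systemDirs).isEmpty();
    }

    public static void main(String[] args) throws Exception {
        // Stock-looking device: release keys, no su binary, system dir read-only.
        List<String> clean = findings("release-keys", SU_PATHS, Arrays.asList("/system"));
        System.out.println("stock device   : " + (clean.isEmpty() ? "no signals" : clean));

        // Constructed rooted scenario: a temporary file stands in for a su binary.
        File fakeSu = Files.createTempFile("su-constructed", "").toFile();
        fakeSu.deleteOnExit();
        List<String> rooted = findings("test-keys", Arrays.asList(fakeSu.getPath()), Arrays.asList("/system"));
        System.out.println("rooted scenario: " + rooted);
        System.out.println("looksRooted    : " + looksRooted("test-keys", Arrays.asList(fakeSu.getPath()), Arrays.asList("/system")));
    }
}
```

Checks like these are cheap, but they run on the very device an attacker controls, so treat them as one input rather than a verdict: hide or rename the method that performs them, report the result to the backend so the decision is made server-side, and pair them with a platform attestation such as Google's Play Integrity API on Android or App Attest on iOS.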
- Compromising Insecure APIs
Booking apps connect with multiple systems to provide seamless user experiences. These systems typically communicate through APIs, which allow different applications to talk to each other and exchange data. APIs can be vulnerable to attack for several reasons. Firstly, each API represents a separate attack vector; if one API is not properly secured, it could be exploited by hackers to gain access to sensitive data or disrupt the app’s functionality. In addition, backend APIs are often targeted by malicious bots and botnets as part of automated cyberattacks such as credential stuffing, DDoS, and account takeovers (ATO). If your travel app processes transactions, then its APIs are certainly a target. To protect your backend APIs, it’s important to consider a bot detection solution that has been designed to protect against threats in the mobile channel (which is where most of the users are). Your bot detection solution should also respect the mobile user experience and not impose a burden on dev teams by requiring changes to the app’s source code.
Prevent Cyberattacks & Threats Using Cyber Defense Automation
As travel seems to be on the rise again, booking apps are becoming the popular and convenient alternative to desktop reservations. Mobile apps are the top choice to book, check-in, track, share, save, store and spend for any travel journey. Cyber Defense Automation for Mobile Apps offers mobile developers and cyber security teams a comprehensive, automated system to build, test, release and monitor mobile app defenses in Android & iOS apps in the DevOps CI/CD pipeline. Please contact us for a demonstration!