Airlines’ mobile apps typically contain an average of 21 vulnerabilities each and transmit data over multiple unsecured connections, researchers find.
The mobile apps distributed to customers by major airlines are typically riddled with security vulnerabilities, a review has found.
The bugs are all the more concerning since the apps in question typically handle sensitive information including passport and payment card details.
The audit by Montpellier-based mobile security firm Pradeo looked at the top 50 most used airline apps worldwide, primarily from North America, Western Europe and Eastern Asia.
The company said the data privacy issues exposed by the audit were “alarming”.
It found that nearly half, or 49 per cent, of the applications, make use of a device’s location details, image gallery and contacts list.
One-third send the personal details thus obtained over the network, with transmissions occurring in most cases over uncertified connections.
The apps use an average of 14 unsecured connections to servers, thus exposing data to the risk of theft, Pradeo found.
The study also found an average of 21 security vulnerabilities per application, which Pradeo said could be due to pressure to get apps to market quickly.
The figure was “a very high number when put in conjunction with the sensitivity of the information manipulated”, Pradeo said in an advisory.
The 10 vulnerabilities most commonly detected in the sample create the risk of denial-of-service attacks, data leakage and man-in-the-middle attacks, Pradeo said.
Nearly all the apps, some 98 per cent, included a bug that gives permission for other apps to bypass some security restrictions, potentially giving them access to sensitive data, according to the firm.
It said other weaknesses could allow SQL injection attacks, denial of service or the interception of data.
British Airways and Cathay Pacific are amongst the airlines that have uncovered hacks affecting customers’ personal data in recent months.
Last September British Airways found a hack of its website and mobile app had exposed the data of thousands of customers during the peak August travel season.
In October, while investigating the first attack, the airline uncovered the theft of an additional 185,000 users’ payment details.