By: Jan Sysmans, Mobile App Security Evangelist, Appdome
The current post-pandemic era has seen countries across the world reopen their borders and relax movement restrictions. And with it comes the desire for people to travel and make up for lost time after being cooped up in their homes. Travel recovery has risen in tandem with the increasing use of mobile travel apps, such as airline apps, hotel apps, and ride-hailing apps. The last thing everyone wants now is for hackers and fraudsters to ruin the experience by defrauding both travelers and travel companies because the aforementioned mobile apps are poorly protected.
Mobile Travel and Booking Apps typically include different elements that are of great value to hackers, such as personally identifiable information (PII), passport and credit card info, immigration information, and could also include other sensitive information stored in the app insecurely, such as login credentials. And finally, there are loyalty points, which can be converted into valuable travel experiences by unauthorized individuals.
All this information needs to be secured to protect tourists and service providers during the time of intense travel.
Safer bookings for more satisfying revenge travel
But here lies the dirty little secret that app makers struggle with. Because there is a shortage of development talent and because coding security is a complex process, app makers often prioritize features over mobile app security. This can eventually lead to an increased frequency of cyberattacks, including click fraud, synthetic fraud, data harvesting, account take overs (ATOs), loyalty point fraud, mobile malware or trojans (fake apps), and more. When that happens, everyone loses; app makers suffer in the form of revenue loss, declining brand trust, increased customer churn, and regulatory penalties, and consumers suffer in the form of stolen data, loss of funds, identity theft and much more.
With mobile security, app makers can protect transactions and data, which lessens hackers’ abilities to identify future targets. Moreover, a report by Gartner finds that organizations with a strong privacy standard are able to utilize data broadly, differentiate themselves from their competitors, and build trust with customers and stakeholders. As a result, service providers can enjoy unparalleled growth that will push them ahead of their rivals.
The top six cyberattacks to watch out for
- Code analysis tools (Static and Dynamic Reverse Engineering)
Travel booking apps typically handle sensitive data, which includes customers’ PII and travel itineraries. This makes them a prime target for hackers. Reverse engineering and decompilers are typical methods that enable attackers to locate and extract information from the app’s source code as well as learn the app’s logic. By combining code obfuscation solutions with RASP protection, app makers can protect the app and users from malicious reverse engineering that hackers use to compromise the app and launch more effective downstream attacks (incluidn g ATOs, credential stuffing, accessing privileged backend systems and more).
- Data Harvesting
Generally, customer data can be stored in various places inside a mobile application, such as within the application sandbox, or as plain -text ‘strings’ throughout the source code. This makes them very easy to locate and target through various means, such as reverse engineering, man-in-the-middle (MitM attacks), using malware or more. The globally recognized PCI Data Security Standard (PCI DSS) was created specifically to guide service providers on how to safeguard payments and other financial transactions against these types of attacks.
- Man-in-the-Middle (MitM) attacks
There are many ways in which data can be intercepted, compromised or stolen while ‘in transit’ as it travels between the mobile application and the backend systems to which the mobile app connects. Attackers use methods like compromising or forging digital certificates, intercepting traffic using a MitM proxy, or even using malware such as screen overlays to trick users into entering sensitive data directy to systems that the attacker controls. There are a number of tools that organizations can rely on to prevent such incidents, including TLS/SSL certificate validation, certificate pinning, CA verification, and malicious proxy detection and much more.
- Screen overlay attacks and keyloggers
Hackers and fraudsters can also use app overlay and keylogger attacks to harvest keystrokes and other input data. Together with the harvested PII stored in the app, this is the first step in ATO attacks that lead to identity theft and malicious transactions.
- Jailbreak and rooting prevention
Hackers jailbreak iOS & root Android devices to unlock/control the OS and escalate administrative privileges. Once they control the OS, they usually try to disable security protections and launch a slew of other attacks. The best way to protect apps and their users is to prevent them from running on a jailbroken or rooted device.
- Loyalty Point Fraud
Loyalty point fraud is often discarded as a minor risk, but ask any frequent flyer or premium hotel guest, and they will tell you that they consider their loyalty points to be valuable currency. Similarly, travel companies that accept reservations using loyalty points forego revenue when allowing travelers to book with points. There are many ways that fraudsters can target mobile users and companies, and the best way to protect against this kind of fraud is with a combination of blocking dynamic instrumentation, code injection, and memory editing in addition to standard protections like encryption, jailbreak/root prevention, code obfuscation, and RASP (runtime application self-protection).
Don’t Delay on Mobile App Security
With more people looking to travel to their favorite destinations, mobile booking and travel apps provide consumers with the convenience of booking trips or hotels from the palm of their hands. But cyber attackers are constantly lurking in the shadows. By implementing a comprehensive mobile security strategy, app makers can ensure that their customers’ travel plans don’t get ruined by hackers and fraudsters.
