Mobile applications are a hot target for hackers today. There has been no shortage of vulnerability disclosures with popular apps that have been hacked to disclose user credentials, credit card numbers or steal private information. I have always been curious about the security stance of Airline mobile apps. These apps can include social security numbers, passport numbers, boarding passes and credit card information just to name a few. Just recently (August 28, 2018), Air Canada notified its customers for “unusual login behavior”: (Read More).

“There are approximately 1.7 million Air Canada mobile App user profiles, and our investigation has determined that approximately one per cent or 20,000 profiles may potentially have been improperly accessed.”

And a week later (September 9, 2018), British Airways also announced that they had been breached: (Read More)

"No British Airways customer will be left out of pocket as a result of this criminal cyber attack on its website, ba.com, and the airline's mobile app."

In an effort to gauge the potential risk, I took a closer look at Airline mobile apps on iOS and Android. With the help of the Fortify Mobile Research Team, we performed binary vulnerability analysis across publicly available mobile apps from 30 major airlines around the world (30 iOS and 30 Android). As a result of the analysis, we found that every mobile app had at least 1 vulnerability.

Testing methodology

This testing performed was binary analysis based on current versions from the app stores. No source code was analyzed and no server-side testing was performed. All findings are anonymous as to not disclose any specific airline in this report.

Android Vulnerabilities

Weak Singing Certificate - The certificate used for code-signing the application has an insufficient key size or weak hashing algorithm. The weak cryptography increases the likelihood of an attacker's ability to impersonate the original code-signing certificate.

- The certificate used for code-signing the application has an insufficient key size or weak hashing algorithm. The weak cryptography increases the likelihood of an attacker's ability to impersonate the original code-signing certificate. Updated Security Provider Not Used - The application does not utilize the Google Play Services to update the security Provider leaving the application exposed to older known OpenSSL vulnerabilities and weaknesses.

- The application does not utilize the Google Play Services to update the security Provider leaving the application exposed to older known OpenSSL vulnerabilities and weaknesses. SQL Injection (Client-Side) - The inspected application uses client-side SQL queries that are populated with dynamic input via format strings. If the dynamic input is derived from untrusted sources such as user input from the query string, form fields, or HTTP headers, then SQL injection may be possible.

- The inspected application uses client-side SQL queries that are populated with dynamic input via format strings. If the dynamic input is derived from untrusted sources such as user input from the query string, form fields, or HTTP headers, then SQL injection may be possible. Missing APK Signature Scheme v2 – The application does not use APK Signature Scheme v2 which strengthens the integrity guarantee by increasing the coverage of data protected by the signature.

– The application does not use APK Signature Scheme v2 which strengthens the integrity guarantee by increasing the coverage of data protected by the signature. Vulnerable 3 rd Party Software - A 3 rd party library version with known vulnerabilities is used by the application.

- A 3 party library version with known vulnerabilities is used by the application. Android Debug BuildConfig - Debug versions of code can contain detailed logging messages, non-production assets and differences in behavior that can pose a security risk if they are deployed to production.

- Debug versions of code can contain detailed logging messages, non-production assets and differences in behavior that can pose a security risk if they are deployed to production. Application uses HTTP Basic Authentication – Basic authentication reveals a user’s username and password in clear text when not using HTTPS (and could vulnerable to a man in the middle SSL attack).

iOS Vulnerabilities

Weak Crypto - Upon binary analysis a weak cryptographic algorithm was found imported by the application. These methods are deprecated and have known security weaknesses.

- Upon binary analysis a weak cryptographic algorithm was found imported by the application. These methods are deprecated and have known security weaknesses. Sensitive Information Disclosure - One or more of the files within the source code or binaries contains pathing information that identifies parts of the development environment. This information may contain such information as name and username which may be useful to an attacker for reconnaissance prior to the start of a spear-phishing attack.

- One or more of the files within the source code or binaries contains pathing information that identifies parts of the development environment. This information may contain such information as name and username which may be useful to an attacker for reconnaissance prior to the start of a spear-phishing attack. SQL Injection (Client-Side) - The inspected application uses client-side SQL queries that are populated with dynamic input via format strings. If the dynamic input is derived from untrusted sources such as user input from the query string, form fields, or HTTP headers, then SQL injection may be possible.

- The inspected application uses client-side SQL queries that are populated with dynamic input via format strings. If the dynamic input is derived from untrusted sources such as user input from the query string, form fields, or HTTP headers, then SQL injection may be possible. Disabled App Transport Security - Disabling App Transport Security (ATS) partially or entirely may expose the application to network attacks.

- Disabling App Transport Security (ATS) partially or entirely may expose the application to network attacks. Application Utilizes Shared KeyChain - The application has a shared keychain. Data stored in the shared keychain may be viewed by other applications in the same access group (which only includes applications with a common bundle seed ID).

- The application has a shared keychain. Data stored in the shared keychain may be viewed by other applications in the same access group (which only includes applications with a common bundle seed ID). Allows Unsafe SSL Connections - Application uses HTTPS or SSL connections that allow for vulnerabilities in certificates. These vulnerabilities include using any HTTPS certificate for a host, using expired certificates for a host, using any root domain in the certificate path, or having no authentication challenge with a HTTPS/SSL connection

Why Does This Happen?

There are different kinds of vulnerability categories such as network, hardware or developer issues. The type of issues identified in these airline mobile apps are common developer mistakes. They could have been avoided by using developer best practices and a thorough SDLC process. There are a few reasons why this happens, two major factors are:

Mobile developers are under a great deal of pressure to release mobile apps to market. Often times security takes a back seat over features. Mobile developers often do not have security training and fully understand the risks associated with coding decisions. Making a mobile app these days is incredibly easy, so inexperience also factors in.

Conclusion

The analysis we performed only scratches the surface of potential mobile app vulnerabilities. A full assessment would include network testing for things like 3rd party data leakage and unsafe connections. It would also include a test of the backed API. Here we would find vulnerabilities such SQL Injection, parameter manipulation and logic flaws.

Read More

To learn more about Fortify and mobile security offerings, please visit https://software.microfocus.com/en-us/solutions/mobile-app-security

OWASP Mobile Security Testing Guide

https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide

Contributors

Ray Kelly – Practice Principal @vbisbest

Aday Rodriguez – Mobile Security Researcher