has found massive security and privacy breaches in the 30 most used travel and price
Zimperium (report here) found that, of the 30 most used apps, 45% of Android apps and 100% of iOS apps get a failing grade for protecting users’ privacy, and that 97% of Android apps and 100% of iOS apps do not provide proper security. It won’t name and shame – yet.
The company used its Zimperium z3A mobile security technology to analyse privacy and data leakage. Its findings follow.
Zimperium Privacy Risk Key Findings:
97% (29 apps) can take screenshots of the full UI, enabling an attacker to understand everything from installed apps to
73% (22 apps) implement pin-point location functionality that Apple only allows in navigation apps.
17% (5 apps) attempt to access contacts from Address Book, exposing these records to theft and abuse.
10% (3 apps) access phone call history. There is no reason for a travel app to need this information, and it can expose it to an
7% (2 apps) use an insecure content provider; this allows other applications (e.g., a malicious app) on the device to potentially steal data from these travel apps.
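The "insecure content provider" finding refers to an Android ContentProvider that is exported without a read or write permission, which is exactly the condition that lets any other app on the device query it. As an added example (not code from the Zimperium report or from any of the apps it tested), the following Java audit check lists such providers for one package; the class and method names are hypothetical, while the android.content.pm APIs it calls are real.

```java
// Added example, not from the report: flag ContentProviders that another app on
// the device could reach. A provider is exposed when it is exported AND at least
// one direction (read or write) is not gated by a permission.
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.ProviderInfo;
import java.util.ArrayList;
import java.util.List;

public final class ProviderExposureCheck {

    // One exposed provider: which authority is reachable and in which direction.
    static final class Exposure {
        final String authority;
        final boolean readable;   // true when no readPermission is declared
        final boolean writable;   // true when no writePermission is declared

        Exposure(String authority, boolean readable, boolean writable) {
            this.authority = authority;
            this.readable = readable;
            this.writable = writable;
        }

        @Override public String toString() {
            return authority + " exported, readable=" + readable + ", writable=" + writable;
        }
    }

    // Pure check on a single ProviderInfo, so the rule can be reviewed off-device.
    static Exposure exposureOf(ProviderInfo p) {
        if (!p.exported) return null;                 // not reachable from other apps at all
        boolean readable = p.readPermission == null;
        boolean writable = p.writePermission == null;
        if (!readable && !writable) return null;      // both directions require a permission
        return new Exposure(p.authority, readable, writable);
    }

    // Device-side scan of one installed package, e.g. a travel app under review.
    static List<Exposure> scan(PackageManager pm, String packageName)
            throws PackageManager.NameNotFoundException {
        PackageInfo info = pm.getPackageInfo(packageName, PackageManager.GET_PROVIDERS);
        List<Exposure> out = new ArrayList<>();
        if (info.providers == null) return out;       // package declares no providers
        for (ProviderInfo p : info.providers) {
            Exposure e = exposureOf(p);
            if (e != null) out.add(e);
        }
        return out;
    }
}
```

Treat a hit as a first-pass flag rather than a verdict: a provider can still restrict individual paths through `pathPermissions`, and one that sets `grantUriPermissions` may hand out access deliberately, so each flagged authority needs a manual look at what data it actually serves.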
Security Risk Key Findings:
100% (30 apps) have an authentication method that can be used to override SSL and TLS chain validation. This can allow attackers to intercept the communication of sensitive data between the app and
7% (2 apps) implement an over-the-air app installation method which circumvents Apple’s review process and can enable the installation of unvetted and potentially malicious functionality.
57% (17 apps) enable the injection of Java objects at runtime, which an attacker can leverage to inject malicious code as
57% (17 apps) enable WebView to execute
a common attack vector that has been exploited by many zero-day vulnerabilities (e.g., Pegasus, Stagefright).
53% (16 apps) have functionality that can allow attackers to more easily create imposter apps that users unknowingly download (e.g., the fake BBC app Zimperium detected).
20% (6 apps) enable the installation of unvetted and potentially malicious apps, code and files from remote locations.
GadgetGuy’s take – so-called travel booking and price comparison websites are spying on you and selling your data
Zimperium does not need to name and shame – the mere fact that these are ‘30 of the world’s leading travel applications’ says it all.
What can you do? If you have installed any travel or price comparison app, uninstall it now. If you must use them, check their permissions carefully and disable them all. A price comparison app does not need to know your location, access your contacts, make calls or anything else.
But the interesting thing is that iOS apps were worse than Android ones, and that means hackers have quietly been exploiting the so-called iOS security for some time. This goes against everything Tim Cook says!