Zimperium finds massive security and privacy breaches in all top travel apps


Zimperium has found massive security and privacy breaches in the 30 most used travel and price comparison apps.

Zimperium’s report found that, of the 30 most used apps, 45% of Android apps and 100% of iOS apps get a failing grade for protecting users’ privacy, and that 97% of Android apps and 100% of iOS apps do not provide proper security. It won’t name and shame – yet.

The company used its Zimperium z3A mobile security technology to analyse privacy and data leakage. Its key findings were:

Privacy Risk Key Findings:


iOS: 

  • 97% (29 apps) can take screenshots of the full UI, enabling an attacker to understand everything from installed apps to credentials. 
  • 73% (22 apps) implement pin-point location functionality that Apple only allows in navigation apps. 
  • 17% (5 apps) attempt to access contacts from Address Book, exposing these records to theft and abuse. 

Android:

  • 10% (3 apps) access phone call history. There is no reason for a travel app to need this information, and it could expose that history to an attacker.
  • 7% (2 apps) use an insecure content provider; this allows other applications (e.g., a malicious app) on the device to potentially steal data from these travel apps.

Security Risk Key Findings: 

iOS: 

  • 100% (30 apps) have an authentication method that can be used to override SSL and TLS chain validation. This can allow attackers to intercept the communication of sensitive data between the app and the Internet. 
  • 7% (2 apps) implement an over-the-air app installation method which circumvents Apple’s review process and can enable the installation of unvetted and potentially malicious functionality.

Android: 

  • 57% (17 apps) enable the injection of Java objects at runtime, which an attacker can leverage to inject malicious code as well.
  • 57% (17 apps) enable WebView to execute JavaScript code. This could potentially allow an attacker to introduce arbitrary JavaScript code to perform malicious actions or exploitation. This is a common attack vector that has been exploited by many zero-day vulnerabilities (e.g., Pegasus, Stagefright).
  • 53% (16 apps) have functionality that can allow attackers to more easily create imposter apps that users unknowingly download (e.g., the fake BBC app Zimperium detected). 
  • 20% (6 apps) enable the installation of unvetted and potentially malicious apps, code and files from remote locations.
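
As an added illustration of two of the Android findings above (WebView JavaScript execution and runtime injection of Java objects), here is the risky WebView set-up next to a hardened, least-privilege one. This is example code written for this page, not code from Zimperium or from any of the analysed apps; the class, the bridge object and the allowed host are hypothetical.

```java
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public final class WebViewHardening {

    /** Hypothetical bridge object; its annotated methods are callable from page script. */
    static final class LegacyBridge {
        @JavascriptInterface
        public String deviceLabel() { return "example"; }
    }

    /** The risky pattern behind the Android findings above. */
    public static void configureRisky(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);                 // finding: JavaScript execution enabled
        s.setAllowFileAccess(true);                   // local files reachable from web content
        s.setAllowUniversalAccessFromFileURLs(true);  // file:// pages may reach any origin
        // Finding: Java object injected at runtime. Every page the WebView loads,
        // including script altered in transit, can call the bridge's methods.
        webView.addJavascriptInterface(new LegacyBridge(), "native");
        // No WebViewClient is set, so navigation to arbitrary hosts is never refused.
    }

    /** Hardened counterpart: the embedded browser gets only what it needs. */
    public static void configureHardened(WebView webView, final String allowedHost) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);               // enable only for content that needs it
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW); // no http: subresources
        webView.removeJavascriptInterface("native"); // no native bridge unless strictly required
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                Uri u = request.getUrl();
                boolean ok = "https".equals(u.getScheme())
                        && allowedHost.equalsIgnoreCase(u.getHost());
                return !ok; // true blocks navigation anywhere other than the expected host
            }
        });
    }
}
```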

GadgetGuy’s take – so-called travel booking and price comparison websites are spying on you and selling your data

Zimperium does not need to name and shame – the mere fact that these are ‘30 of the world’s leading travel applications’ says it all.

What can you do? If you have installed any travel or price comparison app, uninstall it now. If you must use them, check the permissions carefully and disable them all. A price comparison app does not need to know your location, access your contacts, make calls or anything else.

With Trivago having been caught out for deceptive advertising (thanks ACCC), and price comparison websites in general rated lower than a dachshund’s undercarriage (again, thanks ACCC), readers must know that if the service is free, the product is you.

Free services

But the interesting thing is that iOS apps were worse than Android ones, and that means hackers have quietly been exploiting the so-called iOS security for some time. This goes against everything Tim Cook says!
