The trouble with security and travel apps

With a security breach on Apple’s App store and widely publicised security flaws in popular travel apps, what should travel businesses do? Andrew Hennigan reports

Earlier in the year unknown hackers sneaked malicious code for the first time into apps available from Apple’s App Store. Every app available through the app store is carefully vetted by Apple software engineers, but for some apps this wasn’t enough.

Though they had been created by respected companies, their software developers had inadvertently used a counterfeit development tool called XcodeGhost – a modified version of Apple’s own Xcode tool that was easier to download locally than the original. This tool added malware to ‘phish’ for confidential data and stole passwords. The security leak was quickly fixed and all the infected apps removed. But the high-profile incident made companies everywhere more aware of the risks posed by mobile apps.

But what are these risks exactly and what can travel businesses do to minimise their exposure?

“Travellers using any app to organise their journey are exposed to a number of risks,” says Vishal Patel, a senior engineer at the New York app developer Fueled.

Most obvious is the loss of personal data, which could be used for fraud. But travel apps have an additional layer of valuable data that goes beyond financials. They know the whereabouts of their clients, so they have this extra layer of important, personal information to protect.

Network connections are also a hazard for any mobile app. “The number one issue for travellers is connecting to unsecured wireless networks or cellular networks,” says Andrew Blaich, Lead Security Analyst at Bluebox Security, a San Francisco-based app security company.

“Your mobile device trusts hundreds of third parties and certification authorities that are responsible for ensuring communications are secure and private. However, some countries manage their own certification authorities, meaning that if they wanted to be malicious they could read all the encrypted traffic to and from your phone unless the app is being very strict about which certifications it trusts.”
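The strictness Blaich describes, where an app refuses a connection unless the server presents a certificate it specifically expects rather than any certificate the device's hundreds of root authorities would accept, is usually implemented as certificate pinning. The following is an added illustration of that check, not code from the article or from Bluebox or Fueled; the certificate bytes, the hostname and the pin values are constructed placeholders, and the pins of a real app would be literals baked in at build time.

```python
import base64
import hashlib
import hmac
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates. In a real app these bytes
# come from the TLS handshake (e.g. ssl.SSLSocket.getpeercert(binary_form=True)).
SERVER_CERT_DER = b"CONSTRUCTED-DER: CN=api.example-travel.test, issuer=Example Intermediate CA"
INTERMEDIATE_CA_DER = b"CONSTRUCTED-DER: CN=Example Intermediate CA, issuer=Example Root CA"
BACKUP_INTERMEDIATE_DER = b"CONSTRUCTED-DER: CN=Example Backup Intermediate CA, issuer=Example Root CA"

# The scenario from the quote: a certificate for the same hostname issued by a
# different authority that the operating system happens to trust.
ROGUE_CERT_DER = b"CONSTRUCTED-DER: CN=api.example-travel.test, issuer=Some Other Trusted CA"
ROGUE_CA_DER = b"CONSTRUCTED-DER: CN=Some Other Trusted CA, issuer=Some Other Trusted CA"


def pin_for(cert_der: bytes) -> str:
    """Pin value for a certificate: base64(SHA-256(DER)).

    Hashing the whole certificate is the simplest form; production pinning
    libraries commonly hash only the SubjectPublicKeyInfo so a renewed
    certificate with the same key keeps matching.
    """
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode("ascii")


# In a shipped app these would be constant strings. Pinning the intermediate
# (plus a backup) rather than the leaf lets the server rotate its leaf
# certificate without an app update, while still excluding every other CA.
APP_PINS = [pin_for(INTERMEDIATE_CA_DER), pin_for(BACKUP_INTERMEDIATE_DER)]


def check_pins(chain_der, pins) -> int:
    """Return the index of the first certificate in the presented chain whose
    pin is in the allowlist, or -1 if no certificate matches.

    compare_digest keeps the comparison constant-time; the chain is ordered
    leaf first, as TLS presents it.
    """
    for index, cert in enumerate(chain_der):
        candidate = pin_for(cert)
        if any(hmac.compare_digest(candidate, pin) for pin in pins):
            return index
    return -1


def connection_allowed(chain_der, pins=APP_PINS) -> bool:
    """Pin check layered on top of normal validation: a chain that the OS trust
    store would accept is still rejected unless one of its certificates is
    pinned."""
    return check_pins(chain_der, pins) != -1


def pinned_connect(host: str, port: int = 443, pins=APP_PINS) -> ssl.SSLSocket:
    """Open a TLS connection, let the OS validate the chain as usual, then
    apply the pin check to the leaf certificate the server actually sent.

    The standard ssl module only exposes the peer's leaf certificate, so this
    helper only works with leaf pins; chain-aware pinning needs the full chain.
    Not exercised offline; shown for how the check slots into a real handshake.
    """
    context = ssl.create_default_context()  # hostname + chain validation stays on
    raw = socket.create_connection((host, port))
    tls = context.wrap_socket(raw, server_hostname=host)
    leaf_der = tls.getpeercert(binary_form=True)
    if not connection_allowed([leaf_der], pins):
        tls.close()
        raise ssl.SSLError(f"certificate pin mismatch for {host}")
    return tls


if __name__ == "__main__":
    print("expected chain accepted:", connection_allowed([SERVER_CERT_DER, INTERMEDIATE_CA_DER]))
    print("rogue chain accepted:   ", connection_allowed([ROGUE_CERT_DER, ROGUE_CA_DER]))
```

The design point is that pinning does not replace the operating system's validation; it runs after it and narrows the set of acceptable issuers from everything in the trust store to the handful the app's developers chose. The practical cost is operational: if every pinned certificate expires or is revoked and the app has no backup pin, the app stops working until it is updated, which is why the example carries two pins.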

Business risks

For business travellers there is an additional risk to their employers: the widespread adoption of corporate Bring Your Own Device policies, under which employees use their own smartphone for work. Approved and vetted company apps then run alongside anything else the employee has downloaded, so a single insecure app can expose company data.

There is also the risk of devices simply being lost or stolen and data extracted physically. “Some apps don’t encrypt the data they save on devices,” says Blaich. “If this device is confiscated, stolen or lost the data on it can be stolen by whoever finds the phone.”

New devices like smart watches bring new risks of their own.

“Properly configured, a smartwatch is just as secure as a smartphone,” says Patel. “But the more places data lives, the more opportunities there are for a security breach of any kind.”

These breaches could range from something as simple as a stranger reading personal information off the display, to physical access to the device, remote access to it, or smartwatch app bugs that leak information.

Keeping safe

Avoiding these risks is partly a technical matter and partly a matter of being careful about where software comes from.

“Just as with any digital product that contains sensitive information, companies should adhere to security best practices,” explains Patel.

These include steps like:

  • Encrypting data both on the device itself and on the server
  • Creating a checklist to ensure that all software used by developers for debugging is removed before the app ships
  • Using secure connections and certificates to know where information is coming from
  • Creating thoughtfully secure products and using third-party security auditing services to verify that those products are secure
