Southwest Airlines iPhone App Unencrypted, Vulnerable To Eavesdroppers 139
New submitter davidstites writes "I am a masters computer science student at University of Colorado at Colorado Springs, and in November I performed a security audit of 230+ popular iOS applications because I wanted to know how secure apps on smartphones and tablets really are. I made a shocking discovery. The largest single potential security breach was with the Southwest Airlines application. Southwest Airlines' iPhone app leaves a user's information vulnerable to hackers. When you login to the application on your phone using your Rapid Rewards account, the app submits your username and password information as plain-text (unencrypted) to a Southwest remote server (mobile.southwest.com). A potential attacker can simply sniff for the data on the network and steal it. This situation is a hackers dream! If a victims credentials were captured, a hacker could use those credentials to login to that particular account and they would have access to anything the victim would have access to, such as addresses, birthdays, e-mail, phone and credit cards. They could even book a flight in the victims name." (Read on below for more details.)
davidstites continues: "This not only obviously worrisome from the standpoint of a potential attacker fraudulently using a victims account and credit card information, but also due to the possibility of terrorist threats in air travel.The possibility of being able to capture this data is especially probable since Denver International offers free WiFi and it is an unencrypted network. The probability that a Southwest passenger would login to their account is also quite high since they have an entire terminal to themselves (C concourse). However, this could occur on any unencrypted or encrypted network.
Consider the possibility of a person who is currently (and rightfully) on the Department of Homeland Security's 'No-Fly' list. If this person were able to capture a victim's credentials and create a fake ID, he could pass through TSA security without being stopped.
I don't know how Southwest Airlines let this happen, but sometimes companies have to decide between security and the bottom line. Companies rush to get products out, the engineering dollars are not there to complete the project, so security falls to the back. Usually, security is not thought of as a benefit, until it fails.
I contacted Southwest when the vulnerability was found in early December and they still have not released a patch as of today and they have never contacted me back about the vulnerability. Until the security flaw is fixed, the best solution is to not use the application.
A full list of applications with vulnerabilities can be found here. Additionally, some local NBC and ABC news stations and the Denver Post covered this story."
I blame Denver Internation Airport ... (Score:5, Insightful)
... because I'm just looking for someone else to blame, too. But there is this big WTF:
The possibility of being able to capture this data is especially probable since Denver International offers free WiFi and it is an unencrypted network.
It doesn't have to be unencrypted to be free.
What about the review process. (Score:5, Insightful)
I don't expect to hear that a vetted app throws my login credentials out there in plain text for all to see. Things like this, along with finding out that iOS gives up my entire address book to an app without asking me first, leaves a bad taste in my mouth and makes me question that review process.
Re:What about the review process. (Score:4, Insightful)
Re:Part of this is because of US Export Restrictio (Score:2, Insightful)
This may be true, but cannot be considered an acceptable excuse for a multibillion dollar corporation like Southwest.
And to get back to OP's findings...I hesitate to downplay this since it's fundamentally bad security, and I love a good public flogging as much as the next security nerd, but calling this "shocking" and speculating on how it could facilitate terrorism is a little bit extra.
Re:Part of this is because of US Export Restrictio (Score:5, Insightful)
You're interpreting it correctly. The rest of the world, including terrorists living in caves, are perfectly capable of implementing encryption on their own. And instead of helping or protecting Americans, so-called "export controls" are aimed squarely at the US populace. US companies are prevented from taking basic steps to protect online privacy for exactly the same reason that mild external threats are hyped and used as justification to strip other rights from US citizens -- the US is a fascist, occupation government with absolutely no regard for the rule of law.
Re:why make this public? (Score:5, Insightful)
Why make it public?
Because people using this app should know, since the company behind the app isn't doing shit to remedy what could be a serious problem.
Re:What about the review process. (Score:5, Insightful)
But from the non technical user's POV, they trust Apple to look out for them. They see the app right there in the store, and rightly make an assumption that Apple have made all the neccessary checks of that app to ensure the user is kept out of harms way.
The curated environment Apple has crafted gives the impression of safety, security and trustworthiness. Incidents like this make people question that trust.
And this matters why? (Score:2, Insightful)
My boss at the time told me to drop it, after he took them to dinner... told me a great story about it:
After discussing the issue over dinner, I dropped my credit card on the table to pay. The Southwest guy asked me "Do you know what you just did?"
I replied "I'm paying for our dinner!"
Southwest guy chuckles and said "you just handed your credit card to a 19 year old girl who probably has a crack head biker boyfriend waiting behind the restaurant to take your credit card number. Do you feel at risk?"
Boss man chuckles and said "not really, no"
Credit card companies take the heat when you expose CC info.
Not saying Southwest is right here, but there are security risks and business risks. If southwest thinks soaking the credit card companies vs spending money on something that isn't going to be on them in the first place makes sense, thats what they are going to do, and all the scary security talk in the world isn't going to change that.
Besides, evaluating an app isn't the same as looking at the entire process behind what goes on behind the curtain. Maybe the app is insecure with your account login info, but what does that actually get you if you log in as someone else? Your going to buy tickets under someone else's name, and not be able to use them because faking your ID to get on a plane now brings you to the attention of home land security ?
IMHO, app security will always be a joke, because it's an app. If your going to assume it's used in an uncontrolled environment, it shouldn't have access to sensitive information in the first place. So, not an 'app' issue, so much as poorly conceived workflow and architecture issue.
Re:I blame Denver Internation Airport ... (Score:5, Insightful)
The discussion is about encryption to Southwest, not to the nearest wifi router. Only encrypting to the nearest router would be equally stupid. They are talking about SSL, not WPA.
Re:So it goes (Score:3, Insightful)
Why did the summary leave out child pornographers? If you are going to take the time to describe how terrorists are going to use this vulnerability to fly, you also need to describe how child pornographers will also use this vulnerability to either fly to their victims or get their victims to fly to them.