Security in mobile apps sometimes overlooked
13 JANUARY 2016 7:55 AM
Hotel mobile apps can be a point of vulnerability if a company doesn’t take the proper security measures.
REPORT FROM THE U.S.—Hotel company apps can be a source of great convenience for guests, doing everything from helping to track membership rewards, quickly make reservations and even unlock guestroom doors. But that convenience can come at a price in terms of possible security vulnerabilities, according to some technology experts.
While a series of high-profile data breaches for companies like Hyatt Hotels Corporation, Hilton Worldwide Holdings and the Trump Hotel Collection have centered on point-of-sales systems, one of the biggest security vulnerabilities at many hotels could be the smartphone carried by almost all of their guests.
Hotel company smartphone apps create a link between guests’ phones and the hotel’s systems, and hotel companies must take steps to protect both their guests’ data and their own. And some information security consultants say what has been done thus far for in-app security may not be enough.
There are several factors that play into the hospitality industry’s current approach toward mobile app data security, according to Ted Harrington, executive partner at Independent Security Evaluators. There’s a heavy focus on compliance, downward pressure both internally and on vendors, and a widespread misunderstanding of methodology effectiveness, he said.
“Combined, these often result in security being a marginalized priority, which in turn reduces effectiveness against attack,” he said.
The problem with app security isn’t exclusive to the hotel industry, Harrington said. The security of mobile apps has improved over time, he said, but critical security flaws are still frequently introduced into many applications.
“This is even true in mobile applications that are high-value targets,” he said.
What’s at risk
Apps that link a guest’s phone to a hotel company’s computer systems can open up different vulnerabilities, Harrington said.
“For instance, loyalty applications protect primarily guest information, as well as the currency of loyalty points,” he said. “These assets are undeniably important to protect.”
That, however, is overshadowed by what mobile guestroom key solutions need to protect, he said, which include guest safety, guest property, hotel property, employee safety, guest privacy and brand trust. Those looking to attack these systems have a wide range of skill sets with different motivations and resources.
“A property thief may want to steal valuable physical possessions of guests, while organized crime may want to extort hoteliers by threatening to lock all guests in or out of their rooms,” Harrington said. “Both can be accomplished by attacking mobile key solutions, and each requires a different defense tactic.”
For a rewards-program app, the security issue depends on how guests treat their rewards points, said John Bell, founder and president of IT consulting company Ajontech, who previously worked in IT at Marriott International. If a guest treats their points like money, they’ll want them protected so someone else can’t see the balance, he said, which means that information should be encrypted on the device or stored elsewhere. Reward points information on the phone should require authentication before the guest can spend them, he added.
“If the user doesn’t have to authenticate to an app to unlock the (hotel) door, then the door is vulnerable if the phone is lost, stolen or ‘borrowed,’” Bell said. “If the user does have to authenticate, then using the phone to unlock the door is now more complex than simply presenting an RFID key.”
Convenience doesn’t work with security, he said, and hoteliers and guests must pick one or the other.
Identifying the problem
Hotel apps tend to focus on the guests’ experience, Harrington said, and he has seen great strides in this area both as a technology enthusiast and as a frequent hotel guest. However, there isn’t enough emphasis on safeguarding the valuable assets the apps collect or provide access to, he said. As more mobile key solutions are rolled out, this will exponentially multiply industry risk.
The ongoing problem is that many mobile apps falter in their consideration of secure design principles, Harrington said, which leads to exploitable vulnerabilities in security-critical areas such as authentication and authorization. This is most likely because the company didn’t prioritize security, didn’t build security into the development process, allocated insufficient financial and manpower resources, misunderstood the effectiveness of its methodology and/or relied too heavily on automated tools, penetration testing and compliance.
There is a lack of understanding about what needs to be secure within an application, Bell said. People don’t want to log in to an app on their phone to unlock their guestroom door, so many app builders don’t require a login and assume access to the phone is the key.
Sometimes hoteliers unintentionally open themselves up to risks through their eagerness for mobile capabilities. If a hotel company uses a third-party developer to create an app for it, the developers may open the hotel’s firewall to allow the mobile app to connect to the hotel’s otherwise secure systems. In this case, the app itself isn’t the problem, it’s the hole in the firewall, Bell said, but hoteliers who don’t understand the security involved here unwittingly make themselves vulnerable.
“It’s easier to compromise a system if you made it available on the Internet,” he said.
Addressing these security concerns from a technical perspective is challenging but doable, Harrington said. Hotel companies should build a threat model, build security into the development process and use effective security assessment techniques to harden systems on a regular basis.
Doing this requires a change in mindset. The hospitality industry is “an intensely price-sensitive industry,” Harrington said, and security is not yet seen as the business enabler that other industries have come to consider it, so companies try to minimize security costs.
There’s also misunderstanding about how effective hotel companies’ security approaches are, with an over-reliance on penetration testing, compliance and best practices. These approaches are not thorough enough to defend against a skilled adversary, he said.
“Any mobile application that provides access to valuable assets absolutely needs to undergo intensive, manual, white box security assessment,” he said. “Security needs to be considered not just at or after deployment, but rather it should be baked into the entire build process, from requirement gathering and onward.”
As someone who doesn’t believe people should store credit card information on their phones, Bell said there isn’t much a hotel app would need to protect if vital information is stored somewhere else. That said, he does think there are ways to improve hotel app security.
If a company is building its own mobile app, the company needs to assess the value of the data the app will store, he said. The software developers should store it appropriately either on the users’ phones or on the company’s servers. Ninety-nine times out of 100, creating a hole in an individual hotel’s firewall is a bad decision, Bell said.
When working with a third-party software developer, Bell recommended using a contract from the non-profit OWASP Foundation that can make the developer certify certain things about security, spell out their responsibility for fixing problems as they are discovered, perform testing and more.
Sidebar: A real life scenario
As a professional software developer, Randy Westergren considers security research a hobby of his, especially when it comes to the apps and software he personally uses. In January 2015, Westergren decided to explore his Marriott International app prior to his upcoming reservation. Westergren said he monitored the communication between his Marriott app and the Marriott servers.
“I identified a lack of authorization checking, meaning it didn’t matter if I was logged in or not,” he said. “I could ask the servers to give me the reservations for this reservation number.”
The reward member numbers were sequential, Westergren said, so he could take his number, subtract one from it and then check out the next account. An attacker could strip those out and automate the process, he said. This produced a foothold for him, Westergren said, and while there wasn’t much he could do with the process itself, the information the vulnerability leaked would let an attacker access sensitive information about Marriott customers.
“The crucial information that was leaking was the reservation number and the last name of reservation holder,” he said. “With those two, you can manage reservations on the Marriott website. When you visit as a normal customer, you provide these two pieces of info, and you can cancel the account, see how they paid, see the last four digits of credit card number and some contact info.”
As it turned out, Westergren found this vulnerability was available through the Marriott app as well as its regular website.
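The flaw the sidebar describes is a lookup that returns a reservation to anyone who supplies its number, with sequential numbers making it easy to walk through records. The Python below is an added illustration, not Marriott’s or the app’s own code: the unauthorized “before” beside a hardened “after” that ties the record to the logged-in account, plus a server-side log check that flags clients requesting many distinct numbers. The endpoint path, record fields, sample data and log format are all assumed.

```python
# Added example, not the app's own code: the sidebar's reservation lookup with a
# "before" that skips authorization, an "after" that binds the record to the
# logged-in account, and a log check that flags clients walking through numbers.
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

class AuthorizationError(Exception):
    pass

@dataclass(frozen=True)
class Reservation:
    number: str
    member_id: str   # rewards account that owns the booking
    last_name: str
    card_last4: str

# Constructed sample records; numbers are sequential, as in the sidebar.
RESERVATIONS = {
    "R1001": Reservation("R1001", "M500", "Smith", "4242"),
    "R1002": Reservation("R1002", "M501", "Jones", "1881"),
}

def lookup_vulnerable(reservation_number: str) -> Optional[Reservation]:
    """Before: any caller, logged in or not, gets any reservation by number."""
    return RESERVATIONS.get(reservation_number)

def lookup_hardened(session_member_id: Optional[str],
                    reservation_number: str) -> Reservation:
    """After: require an authenticated session and check that it owns the record."""
    if session_member_id is None:
        raise AuthorizationError("authentication required")
    record = RESERVATIONS.get(reservation_number)
    # One error for both cases, so the response does not reveal which numbers exist.
    if record is None or record.member_id != session_member_id:
        raise AuthorizationError("reservation not found for this account")
    return record

# Constructed access-log format: "<client> GET /reservations/<number> <status>"
LOG_RE = re.compile(r"^(?P<client>\S+) GET /reservations/(?P<num>\S+) (?P<status>\d{3})$")

def flag_enumerators(log_lines, threshold: int = 5):
    """Return clients that requested at least `threshold` distinct reservation numbers."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen[m["client"]].add(m["num"])
    return sorted(c for c, nums in seen.items() if len(nums) >= threshold)
```

The hardened lookup returns the same error whether the number is unknown or belongs to someone else, so a caller cannot use the response to confirm which numbers exist.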
Westergren said he set out to contact Marriott in order to let them know about the problem. It took a few weeks to find the right person and to get the company’s attention, he said, but that’s a common experience he has when contacting companies about a security issue.
“They fixed it,” he said. “I believe it was about 24 hours after I reported the details of the vulnerability itself.”
Sara Conneighton, a senior manager of consumer public relations for Marriott, said the company typically does not comment about security as it relates to the company and its systems. She did confirm, however, that Marriott was the author of a comment left on a post Westergren wrote on his website about his findings.
In the comment, a Marriott representative wrote that the company has a longstanding commitment and protocols in place to protect the privacy of its customers and the information entrusted to it. The company found no evidence of any hacking that resulted from the vulnerability. It also thanked Westergren for letting Marriott know about the problem.