Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Southwest Airlines iPhone App Unencrypted, Vulnerable To Eavesdroppers

timothy posted more than 2 years ago | from the one-more-path-to-id-theft dept.

Security 139

New submitter davidstites writes "I am a masters computer science student at University of Colorado at Colorado Springs, and in November I performed a security audit of 230+ popular iOS applications because I wanted to know how secure apps on smartphones and tablets really are. I made a shocking discovery. The largest single potential security breach was with the Southwest Airlines application. Southwest Airlines' iPhone app leaves a user's information vulnerable to hackers. When you login to the application on your phone using your Rapid Rewards account, the app submits your username and password information as plain-text (unencrypted) to a Southwest remote server (mobile.southwest.com). A potential attacker can simply sniff for the data on the network and steal it. This situation is a hackers dream! If a victims credentials were captured, a hacker could use those credentials to login to that particular account and they would have access to anything the victim would have access to, such as addresses, birthdays, e-mail, phone and credit cards. They could even book a flight in the victims name." (Read on below for more details.)davidstites continues: "This not only obviously worrisome from the standpoint of a potential attacker fraudulently using a victims account and credit card information, but also due to the possibility of terrorist threats in air travel.

The possibility of being able to capture this data is especially probable since Denver International offers free WiFi and it is an unencrypted network. The probability that a Southwest passenger would login to their account is also quite high since they have an entire terminal to themselves (C concourse). However, this could occur on any unencrypted or encrypted network.

Consider the possibility of a person who is currently (and rightfully) on the Department of Homeland Security's 'No-Fly' list. If this person were able to capture a victim's credentials and create a fake ID, he could pass through TSA security without being stopped.

I don't know how Southwest Airlines let this happen, but sometimes companies have to decide between security and the bottom line. Companies rush to get products out, the engineering dollars are not there to complete the project, so security falls to the back. Usually, security is not thought of as a benefit, until it fails.

I contacted Southwest when the vulnerability was found in early December and they still have not released a patch as of today and they have never contacted me back about the vulnerability. Until the security flaw is fixed, the best solution is to not use the application.

A full list of applications with vulnerabilities can be found here. Additionally, some local NBC and ABC news stations and the Denver Post covered this story."

cancel ×

139 comments

Sorry! There are no comments related to the filter you selected.

So it goes (3, Funny)

AliasMarlowe (1042386) | more than 2 years ago | (#39011439)

So "Rapid Rewards" becomes "Raped Rewards". So it goes.

I blame Denver Internation Airport ... (4, Insightful)

Skapare (16644) | more than 2 years ago | (#39011463)

... because I'm just looking for someone else to blame, too. But there is this big WTF:

The possibility of being able to capture this data is especially probable since Denver International offers free WiFi and it is an unencrypted network.

It doesn't have to be unencrypted to be free.

Re:I blame Denver Internation Airport ... (5, Informative)

hawguy (1600213) | more than 2 years ago | (#39011781)

... because I'm just looking for someone else to blame, too. But there is this big WTF:

The possibility of being able to capture this data is especially probable since Denver International offers free WiFi and it is an unencrypted network.

It doesn't have to be unencrypted to be free.

Well, if you want a secure encrypted network, it's probably not going to be free.

There's only moderate additional security gained by having a WPA encrypted network where everyone has the same PSK since it's trivial to capture the association handshake (by forcing them to reassociate if neccessary) and steal the session key from anyone's session - Wireshark will do this for you. Alternatively, you can set up a hotspot on your laptop called "SouthwestAirlines" and nearby clients will connect to your laptop instead of the real Southwest network and you can capture all of their packets.

To make a secure encrypted network, they'd need to implement something like 802.1x security with unique username/passwords for each user and with Wifi clients configured to authenticate the network's 802.1x certificate (to prevent someone from setting up a rogue SouthwestAirlines access point).

Few providers of free Wifi service are going to be willing to run a helpdesk to assist all of the users with setting this up - it's not always trivial (depending on the device). So it's probably better to not provide the illusion of a secure encrypted network when it's not. The users that are sophisticated enough to set up 802.1x authentication on their device are probably also sophisticated to use a VPN to secure their data.

When I connect via an open Wifi network, I always VPN to my company or my home internet router so all of my wifi traffic is encrypted.

Re:I blame Denver Internation Airport ... (2)

ganjadude (952775) | more than 2 years ago | (#39011787)

On the one hand I do agree with you, it would be trivial to add encryption, but on the other hand, they dont HAVE to really offer wifi at all do they? The blame is solely with southwest in my eyes there is NO reason that user information should ever be sent in plain text when it concerns anything financial.

Re:I blame Denver Internation Airport ... (0)

tibit (1762298) | more than 2 years ago | (#39011799)

Please correct me if I'm wrong, but encryption doesn't mean much: if you can connect, you can sniff others, unless they'd use a ystem that can encrypt each user's connection with a key that's locally negotiated and not subject to sniffing. I don't know much about WPA2 to know if it provides such capability, but then note that there probably are devices that don't support WPA2.

Re:I blame Denver Internation Airport ... (4, Insightful)

LurkerXXX (667952) | more than 2 years ago | (#39013117)

The discussion is about encryption to Southwest, not to the nearest wifi router. Only encrypting to the nearest router would be equally stupid. They are talking about SSL, not WPA.

Re:I blame Denver Internation Airport ... (0)

Anonymous Coward | more than 2 years ago | (#39011805)

Yes, it mostly does have to be unencrypted to see any use, and it wouldn't be significantly more secure if it were encrypted. Encryption without authentication is all but useless. If you use pre-shared keys, then anyone can man-in-the-middle your connection. Let me say this so that the problem becomes absolutely apparent: A pre-shared key on a sign is a public secret. If you use any other method of authentication, then nobody is going to use the Wifi (OK, that would be secure.) The standard lacks an authentication method where a relatively short published string is used for access point authentication via public key cryptography.

Anyway, the proper approach to networking, especially wireless networking, is to treat the network as untrustworthy, hostile even. Encrypt the data, not the network.

Re:I blame Denver Internation Airport ... (1)

Smallpond (221300) | more than 2 years ago | (#39011939)

This is the problem that trusted certificates is supposed to solve. It prevents MITM because they supposedly can't generate a key with fake credentials. The problem is that certificates aren't used on most wi-fi networks because they are too much trouble to set up and too expensive.

Re:I blame Denver Internation Airport ... (1)

Anonymous Coward | more than 2 years ago | (#39012759)

I know. What's lacking is a *simple* way of authenticating an AP. Technically it's not a big deal: Just replace certificate authentication with a hash of a public key that you can put on a sign, perhaps in the form of a QR code. Then you can either have the user scan it, type it in or compare it to the hash that the computer displays upon connection. Generate session key, encrypt with the public key, send to access point, done. Unfortunately this protocol does not exist.

Re:I blame Denver Internation Airport ... (1)

spire3661 (1038968) | more than 2 years ago | (#39012023)

Generally, yes it does.

Part of this is because of US Export Restrictions (5, Informative)

spac (125766) | more than 2 years ago | (#39011465)

It's a pain in the behind to distribute apps with encryption code (even if all your app does is use SSL!) on the app store.

You need to go through hoops registering with the US government for an export license for every app you publish. When we built our software, we got hit with these requirements and had to go through a bunch of paperwork that really slowed us down and gave us a headache all because we communicate with only communicate with our web service via SSL.

It's ridiculous that there's no exemption for SSL usage on US export controls. It's just a pain in the ass for everyone in the process and you can't honestly claim that it prevents awfully dangerous tech from getting into the enemy's hands.

Re:Part of this is because of US Export Restrictio (1)

MoonBuggy (611105) | more than 2 years ago | (#39011505)

Just to check I'm interpreting this correctly: a well-defined algorithm in daily use across the globe is 'export controlled' if it happens to be implemented by a US company?

Re:Part of this is because of US Export Restrictio (4, Informative)

sgt scrub (869860) | more than 2 years ago | (#39011625)

Yep. You can't even preconfigure a server with openssl and ssl enabled if it is sold outside of the U.S. Pretty funny huh?

Re:Part of this is because of US Export Restrictio (1)

wwphx (225607) | more than 2 years ago | (#39012567)

I wonder if you could set up a shell office in another country and have them 'work on your code' to implement SSL.

Re:Part of this is because of US Export Restrictio (5, Insightful)

benjamindees (441808) | more than 2 years ago | (#39011637)

You're interpreting it correctly. The rest of the world, including terrorists living in caves, are perfectly capable of implementing encryption on their own. And instead of helping or protecting Americans, so-called "export controls" are aimed squarely at the US populace. US companies are prevented from taking basic steps to protect online privacy for exactly the same reason that mild external threats are hyped and used as justification to strip other rights from US citizens -- the US is a fascist, occupation government with absolutely no regard for the rule of law.

Re:Part of this is because of US Export Restrictio (1)

tqk (413719) | more than 2 years ago | (#39012387)

US companies are prevented from taking basic steps to protect online privacy for exactly the same reason that mild external threats are hyped and used as justification to strip other rights from US citizens -- the US is a fascist, occupation government with absolutely no regard for the rule of law.

Maybe it's just me, but I see the US as a bloated red giant star that's just finished burning up its fuel. It's about to collapse into itself going nova but has so far been held up by sheer momentum. It's already dead but doesn't realize it yet. I thought this silliness had gone the way of the dodo soon after the FBI wised up to what Phil Zimmerman was really doing.

Wow. Can we possibly get this over with before the presidential election? I'd like to avoid all of that if possible. I'm going to miss you guys. Bon chance.

Re:Part of this is because of US Export Restrictio (1)

X0563511 (793323) | more than 2 years ago | (#39013381)

Nope. It's leftover cold war bullshit, back when considering encryption a munition made sense.

But you can't be seen weakening our nation these days, can you? Hence it hasn't been killed yet.

Re:Part of this is because of US Export Restrictio (2)

Fnord666 (889225) | more than 2 years ago | (#39011929)

Just to check I'm interpreting this correctly: a well-defined algorithm in daily use across the globe is 'export controlled' if it happens to be implemented by a US company?

Yes. See the Electronic Code of Federal Regulations [gpoaccess.gov] (eCFR), Part 774 (Commerce Control List), Category 5, Part 2 (Information Security).

What I do wonder with regards to SSL or TLS is if you can get away with using it as long as your limit the key length? Is it possible to limit key lengths used to encrypt the data traffic on an SSL or TLS connection?

Re:Part of this is because of US Export Restrictio (1)

LurkerXXX (667952) | more than 2 years ago | (#39013141)

It's not export controlled if the algorithm is created/published in another country that doesn't restrict those type of exports. Which is why a bunch of guys from the U.S. fly up to Canada regularly when the work on new encryption types for OpenBSD.

Re:Part of this is because of US Export Restrictio (1)

Anonymous Coward | more than 2 years ago | (#39013015)

Yes, this is what it's like to live in a joke of a country.

Re:Part of this is because of US Export Restrictio (1)

Anonymous Coward | more than 2 years ago | (#39011515)

Fuck that. Just ship with the code. What's more likely to happen, your obscure app being noticed by bureaucrats or hackers?

Re:Part of this is because of US Export Restrictio (1)

tqk (413719) | more than 2 years ago | (#39012479)

Fuck that. Just ship with the code. What's more likely to happen, your obscure app being noticed by bureaucrats or hackers?

The problem with that is you forgot to take into account the legal system and lawyers. Bottom feeders love potential victims like you. They're patient, and they'll eventually find you.

Re:Part of this is because of US Export Restrictio (2)

Jon Stone (1961380) | more than 2 years ago | (#39011573)

Does the operating system not provide the SSL libraries? Or do you actually have to code the encryption routines into each application on iOS?

I would have thought the export restrictions would only apply to the SSL libraries, not the application that uses them.

Re:Part of this is because of US Export Restrictio (3, Informative)

spac (125766) | more than 2 years ago | (#39011991)

It seems that if you let the user transmit or receive encrypted data (even if it's just a login!) you need to get a license.

We use the built in iOS classes for HTTP requests that support SSL transparently. The US government still required us to register for export compliance. It's really senseless.

Re:Part of this is because of US Export Restrictio (1)

tqk (413719) | more than 2 years ago | (#39012541)

We use the built in iOS classes for HTTP requests that support SSL transparently. The US government still required us to register for export compliance. It's really senseless.

I think you misspelled "insane."

And, I wonder when the tsunami of refugees pouring across the 49th parallel into Canada, and the Rio Grande into Mexico, is going to start. Good luck containing that, DHS.

Re:Part of this is because of US Export Restrictio (1)

ArsonSmith (13997) | more than 2 years ago | (#39013069)

especially if you consider that that data is likely encrypted somewhere along the line anyway. Just transmitting something over the internet probably has an encrypted hop somewhere.

Re:Part of this is because of US Export Restrictio (0)

Anonymous Coward | more than 2 years ago | (#39012313)

It doesn't matter where the code is or how you use it. If you use cryptography you need to get the license.

Using libraries is actually a serious complication. Look up "crypto with a hole." Any product employing crypto with a hole will be prohibited from export for rather logical reasons. (Think this way: Explain exactly what your application does with encrypted data. Can you guarantee that if a shared library which implements crytography is replaced? ) It is actually very lenient of the US government to allow you to use SSL libraries in your product. That leads to and interesting situation requiring that you must leave the SSL hole totally open, meaning that you cannot simultaneously ship and install a particular SSL library along with your product. (You say you can use any SSL library, right? So why do you insist on this particular library? Did you ship a library with some special feature?) It is also important to note that using the SSL crypto libraries is not the same as using the SSL communication protocol. SSL is a communication protocol, plain text goes in and pops out at the other end as plain text. If you use the cryto libraries directly then you are performing cryptography and need to explain it and get an export license for that use.

Whatever crypto solution you use in your product you must get export approval which will involve explaining in detail how you use it in the product. The process has actually gotten much easier in the US during the last decade, but it is something that developers sometimes aren't aware of until the last minute.

Also, the US is not the only country that is very touchy about cryptography. Many countries have import restrictions that are even more difficult to satisfy than US export rules. For example, a few years ago you could not legally import into France an application that stored encrypted passwords or password hashes unless you provided a way to recover the plain text password. (I'm not sure if that has changed. I doubt it has been completely eliminated.)

Suggestion: If you use any cryptography in your application and want to export it from you host country or import it into another country then you should check the laws carefully.

Re:Part of this is because of US Export Restrictio (0)

Anonymous Coward | more than 2 years ago | (#39011585)

Southwest isn't an international airline anyway... the only people I know who use their iphone app are people who fly southwest (in the U.S.) at least once a month.

Re:Part of this is because of US Export Restrictio (0)

Anonymous Coward | more than 2 years ago | (#39011619)

They were lifted a decade ago as the web took off. True Korea and China still use activeX in any banking or ecom site but that is because users still use IE 6 so why bother changing to SSL? The same users still use IE because EBAY and their bank still require activeX because users still use it in a viscious cycle etc.

But legally Clinton resolved that. There is no excuse.

Re:Part of this is because of US Export Restrictio (1)

tibit (1762298) | more than 2 years ago | (#39011829)

WTF? eBay requires ActiveX? Since when? I don't recall PayPal ever requiring installation of an ActiveX control, much less eBay. I really think you're spreading misinformation...

Re:Part of this is because of US Export Restrictio (2)

Dogtanian (588974) | more than 2 years ago | (#39012275)

They were lifted a decade ago as the web took off. True Korea and China still use activeX in any banking or ecom site but that is because users still use IE 6 so why bother changing to SSL? The same users still use IE because EBAY and their bank still require activeX because users still use it in a viscious cycle etc.

WTF? eBay requires ActiveX? Since when? I don't recall PayPal ever requiring installation of an ActiveX control, much less eBay. I really think you're spreading misinformation...

I suspect that he/she meant in South Korea. Until recently, IE6 had a ludicrously high (98.6%) market share there [mozilla.com] . This is because around a decade back they got tired of waiting for the improved version of SSL and designed their own encryption called SEED [wikipedia.org] instead, which virtually all online commerce in the country used.

The Netscape SEED plugin was abandoned early on, leaving only the IE ActiveX SEED control supported. Hence everyone had to use IE. Since (for good security reasons), ActiveX use is more fiddly with later versions of IE, everyone there stuck with IE6.

Apparently this *has* started to change, and IE6's share has fallen drastically in the past 2 or 3 years, though IIRC it was still in the twentysomething percent range the last time I checked.

(Not sure what China has to do with it- SEED is pretty much only used in South Korea. Maybe the OP was getting confused)

Re:Part of this is because of US Export Restrictio (1)

tqk (413719) | more than 2 years ago | (#39012591)

WTF? eBay requires ActiveX? Since when? I don't recall PayPal ever requiring installation of an ActiveX control, much less eBay. I really think you're spreading misinformation...

'Sounds odd to me too. I've dealt with eBay and PayPal, and I'm pretty sure my Linux boxes don't do ActiveX.

However, if he uses Windows, it may. Don't know if it's required or not. Pretty seriously stupid, if so.

Re:Part of this is because of US Export Restrictio (2)

tqk (413719) | more than 2 years ago | (#39012635)

Goddamnit /., this sucks:

"One of the most overlooked advantages to computers is... If they do foul up, there's no law against whacking them around a little. -- Joe Martin"

Computers don't "foul up". Computers do exactly what they're told to do, to a fault!

Go watch 2010:A Space Oddyssey again until you get it, damnit!

[Grumble, mumble, rassafrackin', jiggafriggin', ...]

Re:Part of this is because of US Export Restrictio (1)

wwphx (225607) | more than 2 years ago | (#39012579)

I don't think so, unless eBay/China requires ActiveX. I'm on a Mac, and to the best of my knowledge Firefox doesn't run ActiveX controls.

Re:Part of this is because of US Export Restrictio (2)

John Hasler (414242) | more than 2 years ago | (#39011623)

It's ridiculous that there's no exemption for SSL usage on US export controls.

There is an exemption for Free Software. I agree that the controls are asinine, though.

Re:Part of this is because of US Export Restrictio (2, Insightful)

Anonymous Coward | more than 2 years ago | (#39011631)

This may be true, but cannot be considered an acceptable excuse for a multibillion dollar corporation like Southwest.

And to get back to OP's findings...I hesitate to downplay this since it's fundamentally bad security, and I love a good public flogging as much as the next security nerd, but calling this "shocking" and speculating on how it could facilitate terrorism is a little bit extra.

Re:Part of this is because of US Export Restrictio (0)

Khyber (864651) | more than 2 years ago | (#39011789)

"I love a good public flogging as much as the next security nerd, but calling this "shocking" and speculating on how it could facilitate terrorism is a little bit extra."

Well, while I'm draining your bank and credit lines to fund weapons purchases and false identification, you keep thinking terrorists aren't going to get this info and use it.

Re:Part of this is because of US Export Restrictio (1)

certain death (947081) | more than 2 years ago | (#39011755)

Yet another perfect example of something being a little hard to do, so security is just pushed to the side in order to ship a POS application. SDLC is around for a reason, just because it is a "free" or "consumer" application doesn't mean all security should be given up on. damn!

Re:Part of this is because of US Export Restrictio (3, Informative)

Bogtha (906264) | more than 2 years ago | (#39012727)

Chiming in here to agree with spac.

This is another annoying grey area with Apple's rules. When you submit an app to the App Store, it asks you if you use encryption, and if you do, you have to have an export license from the USA government. I don't believe there's anything that specifically addresses SSL/TLS in Apple's documentation. If you contact Apple, they usually tell you that you need a license for it, even if you use the features built into iOS. If you don't contact Apple and say that you don't use encryption, sometimes you can get through the approval process. I think it's a case of the Apple employees who you contact playing it safe while reviewers can be a bit sloppy.

I've personally been involved with an app that transmits personal information including GPS coordinates, names and telephone numbers, and it does so without using SSL/TLS for precisely this reason - the company wanted to release as quickly as possible without waiting to get an export license. I didn't like that, but unfortunately, the decision was out of my hands.

I think the best thing Apple could do, assuming that there is no way around the law, is to make it more clear to developers that this is required in their rules, to automatically scan apps for SSL/TLS use to reject apps without a license consistently, and to reject apps that don't use SSL/TLS to transmit personal information.

No good deed... (1)

DigitalGodBoy (142596) | more than 2 years ago | (#39011469)

You realize that you're about to be sued into oblivion right?

Review process (-1, Flamebait)

Anonymous Coward | more than 2 years ago | (#39011481)

You must be mistaken. Apple's app review process means that it's unpossible for an iOS app to do anything bad.

Re:Review process (1)

Skapare (16644) | more than 2 years ago | (#39011629)

You must be mistaken. Apple's app review process means that it's unpossible for an iOS app to do anything bad.

Just imagine how much damage Southwest could really do if they made an Android app.

Oh wait ... they did [southwest.com]

Re:Review process (-1)

Anonymous Coward | more than 2 years ago | (#39012891)

Wipe the cum off your lips, only faggots try that line of attack.

Secret lists (-1, Offtopic)

Anonymous Coward | more than 2 years ago | (#39011483)

Consider the possibility of a person who is currently (and rightfully) on the Department of Homeland Security's 'No-Fly' list.

And if you are wrongfully on such a secret list? Then what?

Or are you saying that there are tons of terrorists in the US, but we don't need to worry about them because they are on the "no fly list"?? Or perhaps such a "no fly list" is simply used as means of trampling on constitutional rights of people to travel because such people are simply inconvenient.

http://www.boston.com/news/politics/us_senate/articles/2004/08/20/no_fly_list_almost_grounded_kennedy_he_tells_hearing/ [boston.com]

Re:Secret lists (0, Troll)

Ethanol-fueled (1125189) | more than 2 years ago | (#39011569)

It's a shame you were modded down. Although I wasn't going to rant about the DHS like you did, I wanted to scold the submitter for including this line in his submission:

Consider the possibility of a person who is currently (and rightfully) on the Department of Homeland Security's 'No-Fly' list. If this person were able to capture a victim's credentials and create a fake ID, he could pass through TSA security without being stopped

Oh, please. Fuck off with the fearmongering. Even the DHS knows that the threat of terrorism is a bunch of bullshit.

Re:Secret lists (4, Informative)

tqk (413719) | more than 2 years ago | (#39012983)

Consider the possibility of a person who is currently (and rightfully) on the Department of Homeland Security's 'No-Fly' list. If this person were able to capture a victim's credentials and create a fake ID, he could pass through TSA security without being stopped

Oh, please. Fuck off with the fearmongering. Even the DHS knows that the threat of terrorism is a bunch of bullshit.

Not to mention the fact that the TSA has never stopped anything. Quadrupled boarding times, humiliated grannies, scared children, yes, but stopped anything? Oh wait, Ted Kennedy and Rand Paul. "Brillant!" [sic]

Re:Secret lists (0)

Anonymous Coward | more than 2 years ago | (#39011583)

Or perhaps someone wrongly on the no-fly list won't be wouldn't also be the same to eavesdrop on a connection to steal credentials. Just a guess.

Re:Secret lists (1)

tibit (1762298) | more than 2 years ago | (#39011837)

This whole argument is a dud. One can trivially make up their own boarding passes, there's no need to even have an internet connection for that, just an example to look at and copy from.

electronic cash and records (1)

harvey the nerd (582806) | more than 2 years ago | (#39011485)

This is so reassuring when state and Federal governments are so busy forcing us to use electronic cash. One day some hackers or a rogue nuke are going to scramble the system.

New Slogan? (4, Funny)

A10Mechanic (1056868) | more than 2 years ago | (#39011545)

You are now free to have your identity stolen

Re:New Slogan? (1)

Skapare (16644) | more than 2 years ago | (#39011695)

I also like: Angry Apps

Re:New Slogan? (1)

Garble Snarky (715674) | more than 2 years ago | (#39012163)

Your identity is now free to move about the internet

Re:New Slogan? (1)

jd2112 (1535857) | more than 2 years ago | (#39012725)

The good news is that you now have a few million frequent flyer miles...

What about the review process. (4, Insightful)

mr_lizard13 (882373) | more than 2 years ago | (#39011547)

Strictly from a non-technical, user's point of view, this stuff shouldn't happen precicely because of the app review process. That screening process is supposed to give the user the confidence that the app is going to be a good actor, and not do a bunch of stuff its not supposed to. It essentially tells the user "trust Apple to keep a look out for you".

I don't expect to hear that a vetted app throws my login credentials out there in plain text for all to see. Things like this, along with finding out that iOS gives up my entire address book to an app without asking me first, leaves a bad taste in my mouth and makes me question that review process.

Re:What about the review process. (4, Insightful)

Ethanol-fueled (1125189) | more than 2 years ago | (#39011611)

The app review process is about making sure the application conforms to Apple's prettiness standards and is free of sex, controversy, or 4-letter words.

Re:What about the review process. (2, Funny)

Anonymous Coward | more than 2 years ago | (#39011651)

SAFE is a 4 letter word which they seem to exclude from apps.

Re:What about the review process. (4, Insightful)

mr_lizard13 (882373) | more than 2 years ago | (#39012083)

We both understand that, because we both take more of an interest in this stuff than the average joe.

But from the non technical user's POV, they trust Apple to look out for them. They see the app right there in the store, and rightly make an assumption that Apple have made all the neccessary checks of that app to ensure the user is kept out of harms way.

The curated environment Apple has crafted gives the impression of safety, security and trustworthiness. Incidents like this make people question that trust.

Re:What about the review process. (1)

Jah-Wren Ryel (80510) | more than 2 years ago | (#39012109)

I don't expect to hear that a vetted app throws my login credentials out there in plain text for all to see. Things like this, along with finding out that iOS gives up my entire address book to an app without asking me first, leaves a bad taste in my mouth and makes me question that review process.

FWIW, Bruce Schneier has said, on multiple occasions, that he doubts that Apple's "walled garden" approach will do anything much to improve computer security. I think this is one good illustration of why he's probably right.

Re:What about the review process. (1)

Culture20 (968837) | more than 2 years ago | (#39012719)

If anything, it worsens user security by domesticating people.

Re:What about the review process. (1)

arkane1234 (457605) | more than 2 years ago | (#39012923)

If anything, it worsens user security by retraining people.

There, FTFY.

Re:What about the review process. (1)

tqk (413719) | more than 2 years ago | (#39013093)

Things like this, along with finding out that iOS gives up my entire address book to an app without asking me first, leaves a bad taste in my mouth and makes me question that review process.

I wonder how people who do this sort of thing got the job in the first place.

WTF?!? Why are people like this even being hired?!? Is SouthWest's management really this ignorant? How the !@#$ did they get their jobs?!? How do their planes even take off if this is the sort of thinking they do in that company?

"Eh, that's just IT, and IT's just a "cost centre"." Gaaahhd!

Is it actually practical? (1)

mehrotra.akash (1539473) | more than 2 years ago | (#39011565)

When you login to the application on your phone using your Rapid Rewards account, the app submits your username and password information as plain-text (unencrypted) to a Southwest remote server (mobile.southwest.com). A potential attacker can simply sniff for the data on the network and steal it.

Wouldnt it be quite difficult to sniff data from a GSM network?

Re:Is it actually practical? (1)

THE_WELL_HUNG_OYSTER (2473494) | more than 2 years ago | (#39011633)

iPhones connect using WiFi, too.

Re:Is it actually practical? (1)

Anonymous Coward | more than 2 years ago | (#39011719)

Yes, intercepting data over a 3G network is difficult, but not too difficult [computerweekly.com] . The scenario of the free and unencrypted WiFi at the Denver airport is a totally different matter as firesheep [wikipedia.org] demonstrated time ago.

Re:Is it actually practical? (0)

Anonymous Coward | more than 2 years ago | (#39012345)

yes, but if you rtfs, it's quite trivial to sniff it from the wifi

why make this public? (0)

Anonymous Coward | more than 2 years ago | (#39011587)

The OP informed the company of the vulnerability, which is the correct way to do.
For some reason the company doesn't update the app which is not good.
I think however OP should not make the specifics public afterwards.

Re:why make this public? (4, Insightful)

Khyber (864651) | more than 2 years ago | (#39011865)

Why make it public?

Because people using this app should know, since the company behind the app isn't doing shit to remedy what could be a serious problem.

Re:why make this public? (2)

ganjadude (952775) | more than 2 years ago | (#39011867)

why not? Step one was tell the company, the company decided to not update the application which is a goldmine for hackers. He than has 2 options
prove it, by going to denver and stealing the information and seeing how far he can take it.

he can make it public, and by doing so southwest has 2 options, fix it and save face

face a lot of angry passengers as the script kiddies move in to start stealing information

Re:why make this public? (1)

tqk (413719) | more than 2 years ago | (#39013173)

The OP informed the company of the vulnerability, which is the correct way to do.
For some reason the company doesn't update the app which is not good.
I think however OP should not make the specifics public afterwards.

I don't think he owes SouthWest anything. He's already given away for free valuable research into their app's security implications for their customers.

If they don't care enough about their own customers to do anything about it, that's up to SouthWest, and their customers deserve to be informed about that fact. I hope some jerk's hacking one of their customers right now, and we'll soon hear SouthWest's being sued into oblivion.

Amateurs (1)

gweihir (88907) | more than 2 years ago | (#39011613)

By now something like this is obviously grossly negligent and should have drastic negative legal ramifications for them. The time where you do this the elCheapo way is past.

this isnt new (2)

rawko (528213) | more than 2 years ago | (#39011627)

a ton of programs and websites transmit your stuff in clear text. this isnt new.

Re:this isnt new (1)

Skapare (16644) | more than 2 years ago | (#39011803)

But not so many of them involve transmitting credentials for serious-in-real-life accounts.

Re:this isnt new (5, Funny)

Anonymous Coward | more than 2 years ago | (#39012419)

Yeah, I know. Look at all the people using my credentials to log into Slashdot. And I get the blame for all the stupid 'In Soviet Russia' crap.

Re:this isnt new (1)

arkane1234 (457605) | more than 2 years ago | (#39013129)

My god, if I could mod this up I so would haha

hackers dream! (2, Funny)

Anonymous Coward | more than 2 years ago | (#39011649)

>> This situation is a hackers dream!

No, not really. A hackers dream usually involves a game of Global Thermonuclear War or a nice game of Chess.

Re:hackers dream! (1)

CurryCamel (2265886) | more than 2 years ago | (#39012047)

He really wrote "hackers dream"??
I stopped reading at "leaves a user's information vulnerable to hackers".

I don't even know what the current politically correct phrase is for people with skin two shades darker than mine (no, I don't live in the USA). Yet terms "hacker" and "nerd" are kosher. I just don't grok that country.

Re:hackers dream! (0)

jo_ham (604554) | more than 2 years ago | (#39012377)

I stopped reading due to his clear lack of ability regarding the possessive apostrophe... oh wait, this is on slashdot were speling and grammer dont mater at al.

They just don't give a shit (2)

THE_WELL_HUNG_OYSTER (2473494) | more than 2 years ago | (#39011653)

There is no economic incentive for them to build security into the app. Until we have mandatory fines for shit like this, it means nothing.

Re:They just don't give a shit (1)

cryfreedomlove (929828) | more than 2 years ago | (#39012061)

There is no economic incentive for them to build security into the app. Until we have mandatory fines for shit like this, it means nothing.

Mandatory fines? Issued by whom? We don't need some new governmental agency for this. The free market is already working. The consumers are in control. This story is now getting out and Southwest will be forced to do the right thing to quell the outrage that is starting to hit them.

WTF?!? (0)

Anonymous Coward | more than 2 years ago | (#39011663)

How am I going to fly for free now? Dick!

Re:WTF?!? (1)

Skapare (16644) | more than 2 years ago | (#39011825)

Yeah, like that's going to happen. Anonymous Coward is surely already on the no fly list. And besides, we couldn't live without your tens of thousands per day of Slashdot posts.

Why isn't there an APP for THAT?! (1)

manual_tranny (2566083) | more than 2 years ago | (#39011703)

Let's be honest! Most people are going to find that they have a phone security problem through the news, through becoming a victim, or not at all! We need an app written by this University of Colorado - Colorado Springs Student that checks the security of our phone and other apps on a regular basis. There's a real possibility for a successful business here. I hope that I will be buying a security APP in the near future!! Keep up the good work, anonymous UoC student!!

It's Simple Really... (2)

wbr1 (2538558) | more than 2 years ago | (#39011745)

Southwest needs to recoup money lost from free checked bags, so they will now start to charge you to keep your data secure. The board meeting where they decided this was a doozy.

Thank goodness for the TSA! (0, Troll)

Black Cardinal (19996) | more than 2 years ago | (#39011809)

They could even book a flight in the victims name.

That's OK, the TSA's security is so good that the crackers could never actually do anything with the false booking.

That's nothing. Evernote syncs in the clear! (4, Interesting)

Anonymous Coward | more than 2 years ago | (#39011813)

That's nothing. The very popular note taking app Evernote syncs in the clear.

I was going to use it to store my big list of passwords, bank account numbers, etc. Lucky for me, I checked it out using Wireshark - it syncs everything in the clear! Anybody on the WiFi network with a packet sniffer can see all your stuff!

I posted about this on by blog way back in 2009... http://nerdfever.com/?p=311

Interesting but... (1)

MC68040 (462186) | more than 2 years ago | (#39011853)

At least to me, the way this post comes across is a bit.. attention seeking?

Ok, while sending your data unencrypted (and this is apparently the worst thing he found looking at 230+ apps.. I am surprised none of these apps store credentials unencrypted on the phones, etc?), we are looking at a few more hurdles than just getting a fake id.

Especially if you consider international flights, if you can get a hold of a passport that checks out in customs _and_ in the name of the southwest account holders name, then the ticket part should be doable too

not surprising but... (0)

Anonymous Coward | more than 2 years ago | (#39012041)

I've looked at several apps, and security has been an afterthought in many. Look at how many apps actually USE the authentication. I've found a number of vulnerable web services used by iOS apps which an attacker can bypass auth all together.

Neither does southwest.com (2)

MyFirstNameIsPaul (1552283) | more than 2 years ago | (#39012063)

The only portion they encrypt is when you're entering your credit card number.

And this matters why? (2, Insightful)

Anonymous Coward | more than 2 years ago | (#39012143)

Oddly enough, I remember discussing web and credit card security with southwest back in the early 94-95...
My boss at the time told me to drop it, after he took them to dinner... told me a great story about it:

After discussing the issue over dinner, I dropped my credit card on the table to pay. The Southwest guy asked me "Do you know what you just did?"
I replied "I'm paying for our dinner!"
Southwest guy chuckles and said "you just handed your credit card to a 19 year old girl who probably has a crack head biker boyfriend waiting behind the restaurant to take your credit card number. Do you feel at risk?"
Boss man chuckles and said "not really, no"
Credit card companies take the heat when you expose CC info.

Not saying Southwest is right here, but there are security risks and business risks. If southwest thinks soaking the credit card companies vs spending money on something that isn't going to be on them in the first place makes sense, thats what they are going to do, and all the scary security talk in the world isn't going to change that.
Besides, evaluating an app isn't the same as looking at the entire process behind what goes on behind the curtain. Maybe the app is insecure with your account login info, but what does that actually get you if you log in as someone else? Your going to buy tickets under someone else's name, and not be able to use them because faking your ID to get on a plane now brings you to the attention of home land security ?
IMHO, app security will always be a joke, because it's an app. If your going to assume it's used in an uncontrolled environment, it shouldn't have access to sensitive information in the first place. So, not an 'app' issue, so much as poorly conceived workflow and architecture issue.

Re:And this matters why? (0)

Anonymous Coward | more than 2 years ago | (#39013393)

I love the counter-point, but have a few nitpicks.

Saying that it's not an app issue isn't... really saying anything at all? We have to pick some sort of target.

If my boss tells me that I need to deal with the mess at my workbench, I don't tell him that it's "not a workbench issue, it's more of a my-commitment-to-my-job-issue". I'm just sort of describing it differently. The APP has workflow issues. And we're using the APP to point out that these issues exist. We're not necessarily saying that Southwest has an overarching policy of putting as much customer data out into the open as possible. We're saying there's a flaw, with the app.

The app has a unique ability to obfuscate how data is managed. When we have a paper form, and we have to fill it out and submit it to another human being, we can basically see the entire process. We witness the exchange of information between all parties, we know what data is and isn't being transmitted, and we're involved the entire way (oversimplification, as the CC is still going to be swiped, etc, but you get the idea). With an app, we submit data, and that's it. We're now divorced from the process and have to hope it works, and works within reasonable security considerations, because we have no real method of knowing how that data is going to be handled once it leaves your control.

Saying that app security will always be a joke because it's an app... I don't see why that needs to be true. Software is just a replacement for a tangible process. Just because the implementation sucks doesn't mean that it can't be great. It's just much, much less accessible for the layperson to audit. I'm an IT technician and I'd have real difficulty making a proper assessment of any of the applications I use regarding security.

We blame the app because it's the most easily abused attack vector.

HOWEVER, I think your post serves well to illustrate that we need to demonstrate the same diligence with "apps" as we extend to real world interactions. If I am provided with a method to prevent my airline account credentials from being intercepted while filling out a web application, an equivalent app should certainly be expected to provide the same level of security.

Only idiot Terrorists get caught (3, Funny)

qualityassurancedept (2469696) | more than 2 years ago | (#39012183)

If a "hacker" can log in to your airline account and book a flight in your name, then all they need is to present a fake drivers license in your name to take the flight... and so once again we see that the TSA is actually only a ludicrous theatrical production being staged in Airports nationwide. Thanks for nothing.

Re:Only idiot Terrorists get caught (1)

Anonymous Coward | more than 2 years ago | (#39012729)

If a "hacker" can log in to your airline account and book a flight in your name, then all they need is to present a fake drivers license in your name to take the flight... and so once again we see that the TSA is actually only a ludicrous theatrical production being staged in Airports nationwide. Thanks for nothing.

Fake driver's license? Screw that. All they need is a fake boarding pass with their real name on it. Then they pull out the real boarding pass in your name and get on the flight.

Are 3G networks encrypted? (1)

wisebabo (638845) | more than 2 years ago | (#39012215)

Many people will be using their mobile devices (I'm assuming these vulnerabilites aren't secific to iOS) on 3G even if there is a wifi network because it's cheaper, more reliable, just plain lazy or don't know there is wifi present.

So is 3G well encrypted? Or are there a lack of 3G scanning tools?

Leave it to the airlines (0)

Anonymous Coward | more than 2 years ago | (#39012299)

They used antiquated hardware for about 3 decades too long and now they seem to have overlooked another major issue. No security in the information age? That's not going to work very well. At least put some layers of defense in there so a potential hacker would have to put in work to get in.

Pandora (1)

Anonymous Coward | more than 2 years ago | (#39012819)

This kind of sloppiness is really quite common. Go try to upgrade you trial Pandora account to a paid Pandora One account in a normal desktop browser. Before you put your credit card number in, look for the SSL lock. Oh, wait, it's not there... *sigh*

Re:Pandora (1)

arkane1234 (457605) | more than 2 years ago | (#39013249)

It's surprising how many merchants on the net are like that. Quite a few times I've caught businesses not using SSL encryption during credit card transactions. It's disturbing...

Re:Pandora (1)

Mateorabi (108522) | more than 2 years ago | (#39013433)

Surprised the CC companies don't offer bounties/rewards for people who find this and report it to the CC company so they can slap the merchant or shut of card processing to them. It is the CC company taking the hit.

http://www.vml.com/clients/southwest-airlines (0)

Anonymous Coward | more than 2 years ago | (#39013219)

Southwest Airlines iPhone App

Challenge

Southwest Airlines meets the iPhone. The airline with hardcore fans wanted to establish its presence on the mobile device with a hardcore following. In addition to delivering the creative interface for the app itself, the mission was to bring travelers a best-in-class experience.
Idea

The Southwest iPhone App gave customers the freedom to check in 24 hours before takeoff, receive the latest flight updates right at their fingertips and get DING! deals no matter where they are. Want to log in to your Rapid Rewards account? No problem.
Results

The Southwest iPhone App was an instant hit — rising to No. 4 in the iTunes store within the travel category.

Always Wondered About App Encryption Levels (1)

Apple Acolyte (517892) | more than 2 years ago | (#39013463)

Soon after the iOS App Store debuted and apps became the latest tech fad, I wondered about encryption standards in apps. I always felt a bit weird about logging in to places remotely using apps, wondering to what extent encryption wasn't being used. I'm glad the research was done and that on the plus side only one app was found to be sending logins out in clear. I haven't flown Southwest in years and won't in the future - I've upgraded my standards, up yours! As others have pointed out, any commercial app that handles logins shouldn't be approved if it's not using encryption. And Apple, Google, Microsoft and other app store vendors should lobby to change the stupid, outdated federal dictate that hampers encryption. At best what could that export restriction possibly do in the government's favor? It's not like it's going to prevent any criminals/terrorists/evil-doers from using the software they want to use, right?

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?