
The Risks & Rewards of Travel by Mobile




After a couple of false starts, we are finally emerging from behind the shadow of the Covid pandemic. Some businesses prospered explosively during it as people suddenly needed to access key services remotely, such as the fintech and healthcare sectors; others were forced to deal with an almost instant switch-off of commercial activity, for example the travel and tourism markets. In this article we will look at the travel sector and anticipate what kinds of security challenges might lie ahead as the market evolves and recovers.

How bad was it?

The simple truth is that it was really bad. In a January 2022 assessment of the impact of Covid-19 on the travel and tourism market, the United Nations World Tourism Organization published a very dramatic report which highlighted the scale of the problem:

[Figure: UNWTO chart showing tourist number and revenue 2000-2021]

The report documented that 2021 delivered a small increase over 2020 but that 2022 should be the first year of real recovery, a view shared by 58% of the experts consulted for the report. That said, 64% of those experts also didn’t expect travel revenues to return to their pre-pandemic (2019) levels until 2024.

So, it seems reasonable to predict a good bounceback in the sector. However, it is also important to recognise the pandemic as a significant discontinuity in the structure of the travel market - when it returns to its former revenue level it will certainly look quite different compared to 2019, with new and emerging travel providers, offerings and business models.

What might the recovery bring?

In order to understand what the sector might look like as it recovers from the pandemic-induced shock, it makes sense to consider what happens when a significant discontinuity hits a mature market in the 21st century. Some or all of the following effects will be seen:

  • New Business Opportunities. Companies already in the market as well as those in adjacent sectors will thrive if they view the immediate challenge as an opportunity to adapt and expand their businesses during the recovery period. 
  • New Companies Emerge. New companies will emerge, hoping to capitalise on changing business conditions, market methods and customer attitudes. Incumbent businesses should pay closer attention to these emerging players and ensure that their approach to the market is flexible and open to new ideas.
  • New Marketing Tactics. Consumer confidence is always hurt by significant events like a pandemic, and the industry will need to address those concerns. Post-pandemic and energy cost inflationary pressure on consumer spending will also have an effect. In addition to educating consumers about the risks of travel, operators will need to approach rewards schemes, aggressive promotions and pricing with fresh eyes.

We can also learn something from what we have seen in other sectors during the recovery, in particular high street retail. While most retailers have seen revenue levels staying flat or increasing, they have experienced a dramatic shift from in-person shopping to online transactions, particularly through the use of mobile apps. This evolution has focused customers’ attention on the mobile experience and has also allowed new or emerging players to compete on the level playing field that is the app store.

There's no doubt that the travel sector will see accelerated use of mobile and this should be embraced by businesses in order to match the user experience now expected by consumers. Ticketing, discount cards and rewards schemes must be highly optimized for mobile and must deliver slick and modern experiences for customers. This was happening anyway of course, but it is much more urgent now in order for brands to remain relevant and vibrant in the eyes of their customers. After 2 years of not travelling, all regular habits and loyalties are broken and that includes the selection of travel service providers.

Another aspect of digital markets which is particularly relevant to the travel sector is the existence of aggregators, companies who bring together service providers in order to present a one-stop shop for consumers. In the past this was mainly a web based phenomenon and was restricted to single strands of the travel sector such as hotels and train tickets. 

However, aggregators are much more sophisticated now and much more mobile centric too, offering end-to-end travel solutions to consumers, delivering customized options based on their individual preferences. As the travel sector recovers, threats from aggregators and other agile travel operators are likely to be the main new digital challenges with which incumbents will have to contend.

What are the security implications?

It will be no surprise that hackers and fraudsters have not been idle during the pandemic; after all, most of them were already working from home. Seriously though, attackers are always on the lookout for sensitive information they can extract or intercept, or business models they can game. Let’s look at two ways hackers can find the information they need to plan and execute an attack against a travel business.

  • Your APIs are endpoints on the Internet and even if you don’t publicize their existence and location, they can easily be found. Probing APIs and looking at responses can provide attackers with vital clues into how to access your services, as can intercepting API traffic coming into your backend infrastructure from genuine remote web and mobile clients.
  • Your mobile apps are downloadable from the app stores by anyone, and can be studied for as long as the hackers need in order to understand the link between actions in the app and the API requests/responses. Further, keys and other secrets may be extractable from the app or interceptable on the API. Either way, the mobile app is a treasure trove of insight into your business logic and communication protocols - everything a hacker would need to mess up your business.

In addition, aggregators may be friends or enemies to your business, depending on how well you retain control of the data you share with them. It is better to acknowledge and work with them rather than let them expose your data in undesirable ways and places. Our customer case study with Sixt explores this in more detail in the context of car sharing. 

Therefore, as the sector recovers and the consequences of the huge discontinuity in the travel sector play out, hackers will be probing, experimenting and executing attacks against businesses who do not adopt security best practices.

What steps should travel companies take now?

The good news is that appropriate best practices do exist which can quickly be implemented and make a real difference. Here are three immediate recommendations:

  • Protect Your API Keys. Even though your API keys may need to be stored in your mobile app, ensure that they can't be used outside the context of your mobile app, for example by requiring that a second factor be present alongside the API key. More here.
  • Pin Your APIs. Certificate pinning (TLS) is not adopted by all companies because of concerns about getting the implementation right or having to update certificates in the app once it is deployed. Dynamic certificate pinning solutions exist which make the setup and management of this critical capability easy. More here.
  • Shield Your APIs. Scripts which impersonate your mobile app will be the most common attack vector against your APIs and backend services because they are simple for hackers to create and deploy. It is vital to block these scripts and you can do that by ensuring only genuine instances of your mobile app, running on safe mobile devices, can use your API. More here.
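As an added illustration of the first and third recommendations (this is not code from the article or from Approov), here is a backend check that refuses an API key unless a short-lived signed token accompanies it. The header names `X-API-Key` and `X-App-Token`, the HS256 token layout, the sample secrets and the `issue_token` helper standing in for an app attestation service are all assumptions made for the example.

```python
import base64, hashlib, hmac, json

# Constructed sample values for this example (assumptions, not real credentials).
API_KEY = "demo-api-key-shipped-in-the-app"
TOKEN_SECRET = b"demo-secret-known-only-to-backend-and-attestation-service"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(secret: bytes, ttl: int, now: float) -> str:
    """Hypothetical attestation service: mint a short-lived HS256 JWT."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"exp": int(now) + ttl}).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{b64url(mac.digest())}"

def token_is_valid(token: str, secret: bytes, now: float) -> bool:
    """Check the signature first, then the algorithm and expiry claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        signed = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(secret, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return False
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        return header.get("alg") == "HS256" and claims["exp"] > now
    except (ValueError, KeyError, TypeError, AttributeError):
        return False  # malformed token: treat as missing second factor

def authorize(headers: dict, now: float) -> int:
    """Return the HTTP status the API gateway would send for this request."""
    key = headers.get("X-API-Key", "").encode()
    if not hmac.compare_digest(key, API_KEY.encode()):
        return 401  # unknown API key
    if not token_is_valid(headers.get("X-App-Token", ""), TOKEN_SECRET, now):
        return 403  # key alone (e.g. replayed by a script) is not enough
    return 200
```

Because the token secret never ships in the app and each token expires quickly, an API key extracted from the app binary does not by itself yield an accepted request.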

Securing mobile apps and the APIs that service them in a holistic, effective and efficient way is a challenge but is not uncharted territory. In a rapidly evolving travel and tourism market, business opportunities will be there to capitalize on and the last thing any operator needs is to be hampered by security issues during this critical time.

Therefore, now is the time to review and enhance security arrangements for travel apps and APIs. To talk to us about your use cases and have a security expert explain where and how Approov can help, you can schedule a call with us here.


David Stewart

- Advisor at Approov / Former CEO of Approov
30+ years experience in security products, embedded software tools, design services, design automation tools, chip design.