November 25, 2016 update at the end of the article. TL;DR: the service is still vulnerable.
Since I traveled a lot in the past, I am always looking for new tech to make travel simpler, easier or more enjoyable. Since smartphones are indispensable travel tools, I was very excited when SkyRoam was released and wrote several articles about it.
But as a security guy, there is a hidden danger that I wanted to share with my audience. The danger is present even before you take your first trip and is related to how you add day-passes to your account.
When you visit their portal, you are greeted with this login page
Notice that the page you are on is not encrypted
This means that anyone can easily intercept your username/password as you type it in.
The page does not even temporarily switch to encrypted during the login. Everything stays plain text. This is completely unacceptable on a modern web where WIFI attacks are easy and fast. Certificates to encrypt the connection are cheap and readily available (even free with services like LetsEncrypt). So companies have no excuse not to encrypt the connection: it's either incompetence or a complete disregard for the security of their users (in my opinion).
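As an added example (not from the original post and not SkyRoam's code), here is a small Python check a defender can run against a page's markup to flag exactly what is described above: a login or card-entry page delivered over plain HTTP, or a credentials form whose action posts to an http:// URL. The sample HTML and the example.test hostname are constructed for the demonstration.

```python
# Added example: audit whether a login/payment page protects credentials
# in transit. The sample HTML and hostname below are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects the resolved action URL of every form that carries a
    password field or a card-number-looking input."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # resolved action URLs of sensitive forms
        self._current = None     # action of the form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page itself.
            self._current = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or "").lower()
            if a.get("type") == "password" or "card" in name:
                if self._current not in self.forms:
                    self.forms.append(self._current)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_credential_page(page_url, html):
    """Return a list of findings; an empty list means no plaintext exposure."""
    findings = []
    if urlsplit(page_url).scheme != "https":
        # Even a form that posts to https:// is not safe when the page that
        # contains it arrived over plain HTTP: an on-path attacker can rewrite
        # the form before the user ever types anything.
        findings.append("page delivered over plain HTTP")
    parser = _FormCollector(page_url)
    parser.feed(html)
    for action in parser.forms:
        if urlsplit(action).scheme != "https":
            findings.append("sensitive form posts to " + action)
    return findings


# Constructed sample: a login form with no explicit scheme in its action.
SAMPLE_LOGIN = """<form action="/login">
<input name="user"><input type="password" name="pass"></form>"""
```

Run `audit_credential_page("http://example.test/login", SAMPLE_LOGIN)` to see both findings; the same markup served from an https:// URL yields none.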
I recommend you go in and delete your default payment info on file. To do this, click on the Account tab and then choose payment options and delete it.
I have day-passes which I will consume but won't add any more due to their lax stance regarding security, particularly the security of my credit card and login information. Even the credit card entry page is not protected.
This is pretty bad and I'm not sure how Visa and Mastercard aren't intervening. To be transparent, I have tweeted this issue multiple times over the last 3 months. When I didn't receive a response, I called their helpdesk 3 weeks ago and told the agent to open a ticket. When I did not receive a confirmation email (about a ticket being opened), I opened another ticket myself with a screenshot and clear description a week ago. I never received a response and the issue was never fixed.
Look for alternatives
I am anxiously waiting for the arrival of the GeeFi global hotspot which is expected to provide LTE service for $9.99 with unlimited bandwidth. Based on everything I have read, I am relatively sure GeeFi will take better security precautions and will be a better custodian for my confidential information.
November 25, 2016 UPDATE
Some people messaged me that the site was protected so let me check
The login page is still unencrypted
Main account page still unencrypted
When you visit the page to add a credit card, they show a lock logo while it's loading
but that entire page is unencrypted
Even though someone from SkyRoam promised the issue would be resolved (9 days ago), it is still unprotected, and I would therefore still urge caution.