Airtel PVR Mobile Ticketing Application – Unsafe?

A few months back, Airtel in association with PVR Cinemas had brought out the Airtel PVR Mobile Ticketing App for allowing Airtel users to view schedules and book tickets using their cellphone. I’ve been using this for some time, and I must admit that it’s pretty useful. One GPRS stream later, I’ve got the data a want. Before I continue on the main topic, a short review…

My rating of the Airtel PVR Mobile Ticketing Application: 6 / 10
The Airtel PVR Mobile Ticketing Application is a pretty useful tool for keeping yourself updated with movie info. For English movies at least, you can read the the official publicity blurb. The movie info thing never has any synopsis to show for Hindi movies. And it does pretty funny things at times. Say, if there’s a really bad movie, say like, Primeval, then it doesn’t show any movie info, except for genre which is invariably given as ‘3D’, language as ‘Bangla’ (I can visualize Satyajit rolling around fitfully in his grave), and 2-3 members of the cast under ‘Synopsis’. Also, although on the date list they present you options for 7 days, in reality you can only book 3 days in advance. That’s it. Want to book a Friday premiere on Wednesday? Why bother, PVR thinks. Because you can’t. And of course, it’s insecure.

All very good, I say, allow people to browse and buy tickets easily. What I hate about it (and I know this for a long time – noticed it pretty early) is that the connection over which your credit card details are sent is INSECURE. Yes folks, if on the payment page on your app you look carefully at screen which allows you to enter you credit card number, your phone will show an insecure connection sign.

All this very bad, but you know what’s worse? Airtel / PVR is trying to con everyone into thinking otherwise. If you look at the app’s FAQ section, under Security, it claims ‘Yes, the payment transaction is secured using HTTPS and PKI, similar to you PC browser’. On your computer when you make a transaction, whenever there’s a secure connection what happens is that your data is encrypted before being sent out, so that even if it is intercepted it is basically useless for the thief. When you go to the payment page on the PVR app though, what it does is that it puts an image file of a lock at the top right corner of the screen to make you think that the connection is secure. But if you look at the phone’s own icon, it will show an insecure connection, with an unlocked symbol. This means that all the data, including your card number and the CVV number are simply sent as number which if intercepted only needs to be opened in a text editor to be read, and then misused.

My point is that yes, it’s a far shot that anyone will be sitting under that tree outside your window with high tech equipment to read the plaintext data your phone is transferring, but the point is that your data IS insecure. Theoretically, one could simply siphon off the data at the Airtel end of the connection simply because it’s not encrypted. And over that, Airtel / PVR are lying about how secure the application is too. These companies always talk of following ‘world class standards’ et al, and yet they resort to things like these. Airtel and PVR should take greater care of such financial details of their customers, for their own good, and for instilling confidence in e-commerce in general.

Disclaimer: This post only discusses a possible flaw which may or may not exist. Maybe the test phone had a problem, or HTTPS isn’t supported in India because we don’t get a security module. Use and interpret this information on your own. My phone didn’t show a secure connection, that’s all I want to say.