
As holiday mobile commerce breaks records, retail apps show red security flags

Driven by the pandemic, many consumers rely on mobile apps to purchase everything from daily essentials to holiday gifts. However, a recent analysis of the top 50 Android retail apps found alarming gaps in their security.

Mobile retail apps lack basic security features

Most of the top 50 mobile retail apps analyzed in September 2020 were not applying enough code hardening and runtime application self-protection (RASP) techniques.

These techniques protect an application against tampering, and against being copied and redistributed by a malicious third party as a bogus app. Competitors can also exploit a lack of code hardening to mount technical or business denial-of-service attacks that make the app difficult for customers to use, or to build third-party aggregators that weaken the brand and divert revenue.

Almost all of the analyzed applications failed to apply basic hardening techniques. These include name obfuscation, which replaces meaningful identifiers in the application code with meaningless ones so that an attacker who decompiles the app cannot easily reverse engineer and analyze its logic, and encryption of strings, assets/resources and classes, which prevents an attacker from reading sensitive constants, bundled assets or internal application logic directly out of the package.

Application hardening also includes RASP techniques such as root/jailbreak and emulator detection, which flag attempts to bypass the platform sandbox and run the app in an environment the attacker controls. Almost a quarter of the applications had no protection at all in these areas. Without it, a retail app can be tampered with or copied wholesale and republished as a "bogus app". Fake retail apps are particularly dangerous because they capture buyers' sensitive personally identifiable information (PII), such as names, credit card numbers and addresses.
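To make the RASP checks above concrete, here is an added example of the root and emulator heuristics an Android app can run at startup. It is not code from the article or from any vendor SDK; the class and method names are hypothetical, and the su paths and emulator build strings are well-known indicators, not an exhaustive list.

```java
// Added example, not from the original article. Heuristic root/emulator
// detection using only android.os.Build and the filesystem. Names are
// hypothetical; indicator lists are illustrative, not exhaustive.
import android.os.Build;
import java.io.File;
import java.util.ArrayList;
import java.util.List;

public final class EnvironmentChecks {

    // Common install locations of the su binary on rooted devices.
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su",
        "/system/sd/xbin/su", "/data/local/xbin/su",
        "/data/local/bin/su", "/data/local/su", "/su/bin/su"
    };

    private EnvironmentChecks() {}

    // Returns a list of human-readable root indicators; empty means none seen.
    public static List<String> rootIndicators() {
        List<String> hits = new ArrayList<>();
        // Production firmware is signed with "release-keys"; "test-keys"
        // usually means a custom ROM or an engineering build.
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) {
            hits.add("build tags: " + Build.TAGS);
        }
        for (String path : SU_PATHS) {
            if (new File(path).exists()) {
                hits.add("su binary present: " + path);
            }
        }
        return hits;
    }

    // Returns a list of emulator indicators drawn from the build properties
    // that the stock Android emulator (goldfish/ranchu) and Genymotion expose.
    public static List<String> emulatorIndicators() {
        List<String> hits = new ArrayList<>();
        if (Build.FINGERPRINT.startsWith("generic")
                || Build.FINGERPRINT.startsWith("unknown")) {
            hits.add("fingerprint: " + Build.FINGERPRINT);
        }
        if (Build.MODEL.contains("google_sdk")
                || Build.MODEL.contains("Emulator")
                || Build.MODEL.contains("Android SDK built for x86")) {
            hits.add("model: " + Build.MODEL);
        }
        if (Build.HARDWARE.contains("goldfish")
                || Build.HARDWARE.contains("ranchu")) {
            hits.add("hardware: " + Build.HARDWARE);
        }
        if (Build.MANUFACTURER.contains("Genymotion")) {
            hits.add("manufacturer: " + Build.MANUFACTURER);
        }
        if ("google_sdk".equals(Build.PRODUCT)
                || Build.PRODUCT.contains("sdk_gphone")) {
            hits.add("product: " + Build.PRODUCT);
        }
        return hits;
    }

    // Single policy decision point. Keeping the decision here (rather than
    // scattering System.exit calls) lets the app log the indicators, step
    // down to a read-only mode, or refuse payment flows, and is easier to test.
    public static boolean shouldRefuseSensitiveOperation() {
        return !rootIndicators().isEmpty() || !emulatorIndicators().isEmpty();
    }
}
```

Two caveats a practitioner should keep in mind. First, these are heuristics: a rooted device with a root-hiding module, or an emulator with edited build properties, will pass them, so they raise the cost of attack rather than stopping it. Second, if the app is not also code-hardened, an attacker can simply find `shouldRefuseSensitiveOperation` by name in the decompiled APK and patch it to return false, or hook it at runtime. That is why the article treats name obfuscation, string encryption and RASP as one package rather than as alternatives.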

Consumers should be on the lookout for fake mobile apps

With the massive increase in mobile commerce, consumers should be on the lookout for telltale signs of bogus mobile apps. There are several ways to spot these applications in the wild.

First, consumers should never download an app from an unofficial app store or marketplace, since that is how many malicious actors distribute their apps, often with legitimate-looking social engineering lures to trick users into installing them.

Other signs include anomalies such as very few reviews, or a flood of context-free "five star" reviews; inaccurate or misspelled publisher information; or a very recent first publication date, where the legitimate app would instead show a recently updated version with a long history. Bogus apps also tend to include phrases such as "Black Friday" in the title to attract consumers' attention.

Finally, although most bogus apps are distributed outside official channels, some do slip into the official app marketplaces. Apple and Google make concerted efforts to identify and remove them, but some malicious apps evade store review by hiding their suspicious behavior, for example by enabling it only in certain geographic locations. The best things consumers can do are to check reviews, watch for the anomalies above, and avoid apps or communications from even slightly suspicious brands.

Bottom Line: Mobile Application Security Starts With Developers

Fortunately, retail mobile app developers can address this risk of brand damage and lost revenue with the basic hardening techniques outlined above. A hardened app is a much less attractive target for a malicious actor, and therefore a safer app for consumers.

Unfortunately, the analysis shows that many retailers are still cutting corners in these areas, often because competitive pressure demands faster time to market. For example, the analysis included apps from retailers that had filed for bankruptcy, and those apps deployed even fewer protections than their counterparts: 43% of apps in the bankruptcy category had no app hardening in place, compared with 22% overall.

While security by design requires some up-front effort from developers, it can dramatically reduce incidents, and their potentially devastating consequences, for the brand and its customers. With screen time and mobile shopping at an all-time high, attention to these hardening techniques cannot come soon enough.

