As holiday mobile commerce breaks records, retail apps display security red flags

Driven by the pandemic, many consumers rely on mobile apps to buy everything from daily essentials to holiday gifts. However, according to a recent analysis, there are some alarming security concerns among some of the top 50 Android retail mobile apps.

Retail mobile apps are missing basic security functionality

Most of the top 50 retail mobile applications analyzed in September 2020 did not apply sufficient code hardening and runtime application self-protection (RASP) techniques.

These security techniques protect the application against tampering or being copied and distributed by a malicious third party as fake apps. Competitors can also exploit a lack of code hardening to execute business or technical denial of service attacks, making the mobile app difficult for customers to use. Or they can create competitive third-party aggregators that weaken the brand and lead to a loss in revenue.

Nearly all of the applications in the analysis fell short across basic application hardening techniques. These included code hardening techniques such as name obfuscation, which hides identifiers in the application’s code to prevent hackers from reverse engineering and analyzing source code. In addition, encryption techniques such as string, asset/resource, and class encryption prevent malicious actors from gaining insight into sensitive information, assets, or the internal logic of applications.

Application hardening also includes RASP techniques such as root/jailbreak and emulator detection, which shows when an attacker is attempting to bypass application sandboxes and conduct unapproved actions. Nearly a quarter of apps were completely unprotected in these areas. Without adequate protection, retail mobile apps could be tampered with or even copied and turned into “fake apps.” Fake retail apps are especially risky because they can capture sensitive personally identifiable information (PII) from shoppers, such as names, credit card numbers, addresses, and more.

Consumers must be on the lookout for fake mobile apps

With the massive rise in mobile commerce, consumers must be on the lookout for telltale signs of fake mobile apps. There are a few ways to spot these apps in the wild.

First and foremost, consumers should never download an application from an unofficial app store or app marketplace, as many malicious actors distribute their apps in this way. Many use legitimate-looking social engineering attacks to trick users into downloading their applications.

Other signs may include anomalies such as not enough reviews, or a flood of “five star” reviews without context, inaccurate or misspelled publisher info, or a recently published date (vs. a recently updated version for a legitimate app). In addition, fake apps may include expressions such as “Black Friday” in the title to attract more consumer attention.

Finally, even though most fake apps are distributed illegitimately, some are still hiding out on official app marketplaces. Even though Apple and Google make concerted efforts to identify and remove fake apps, some malware-ridden apps may bypass app stores’ protections by masking suspicious activity through geofencing and other tactics. The best things consumers can do are to check reviews, be aware of anomalies, and avoid even slightly suspicious-looking apps or communications from brands.

Key takeaway: Mobile app security starts with developers

Luckily, retail mobile app developers have the ability to address potential brand damage and revenue loss using the basic application hardening techniques described above. A hardened app is a much less attractive target to a malicious actor, and therefore a safer app for consumers to use.

Unfortunately, the security analysis shows that many retailers still cut corners in these areas, often because competitive pressures demand faster time-to-market. For example, the analysis included apps from retailers in bankruptcy, and unfortunately all of these apps deployed even fewer security protections than their counterparts that were not in bankruptcy. In fact, 43% of the apps in the bankruptcy category had no application hardening protections in place, compared to 22% overall.

While security can require some upfront effort from developers, security by design can dramatically reduce incidents (and their potentially devastating consequences) from occurring to the brand or its consumers. With screen time and mobile purchasing behavior at an all-time high, attention to these application hardening techniques couldn’t come quickly enough.