The pandemic has forced consumers to turn to mobile retail apps as the safest way for holiday shopping. But cybercriminals are targeting these apps as never before, and retailers should take decisive steps now to ensure app security. Here, Prateek Panda, Director at Intertrust Technologies, says it’s time to go beyond stopgap measures and take concrete steps to secure shopping apps this holiday season.
The COVID-19 crisis has changed the way people live and work and how companies do business. Nowhere is this more apparent than in retail, where lockdowns and social distancing have amplified the shift towards online shopping.
For some companies, this has been a boon. Revenue for e-commerce sites like Amazon, and for brick-and-mortar stores with a strong online presence, such as Target and Home Depot, has been fueled by a 30% increase in online sales in the first half of this year. During the holidays, this trend is expected to surge 33% over last year to a record $189 billion.
Cybercriminals Target Shopping Apps
Nearly half of holiday shopping is expected to be done on mobile devices this year. This has caused a scramble to bring a new or updated app to market before Black Friday and Cyber Monday. However, too often, more attention is paid to meeting deadlines and improving user experience than to application security.
A recent report analyzing 51 top Android retail apps found that all of them lack some fundamental protections. Code-hardening and runtime application self-protection techniques, such as string encryption and root detection, were completely absent on nearly one-quarter of the apps tested. A further 63% employed only one or two app protection measures.
Retail apps that do not adhere to security best practices are prime targets. A recent survey by Experian found that nearly a quarter of respondents had been victims of identity theft or fraud during previous holiday seasons. The majority of them expect risk to be even greater this year due to pandemic-driven digital shopping.
There are several ways malicious actors use retail app security flaws to steal data or redirect payments. One example is creating fake apps that look just like real ones. To accomplish this, cybercriminals download legitimate apps from app stores, decompile them, and reverse-engineer the source code.
They use this code to create copycat versions, which look almost identical to the original, but include malicious code that can bypass security and validation controls, steal information via keyloggers or other malware, or even install ransomware.
The fake apps are repackaged and posted where unwary consumers download them. Once installed, all information entered goes straight to the cybercriminals. A recent report uncovered nearly 1,000 malicious apps related to holiday shopping and a further 6,000 apps piggybacking on trusted retailer brands to lure victims.
Poor retail app security makes it easier for criminals to scam customers, especially groups of people who may venture into online shopping for the first time because of the pandemic. For organizations, this results in lost sales, severely damaged consumer confidence, and even potential litigation or regulatory fines.
Tips to Make Mobile Apps and Customers Safer
As mobile online shopping has become a primary interface with many customers, keeping apps secure translates to more reliable revenue for retailers. App developers and retailers can employ code hardening and runtime application self-defense strategies that will make their applications more resistant to attack.
One example is obfuscation, which transforms code to make it more difficult to understand and analyze while remaining fully functional. It will not completely stop every determined attacker, but advanced code obfuscation can make things so costly and time-consuming that it is not worthwhile for hackers.
Rooting and jailbreaking, which circumvent OS and device-level security controls placed by Google or Apple, may be done for perfectly innocent reasons. However, if a shopping app runs in such an environment, any rogue app could access the application, its data, its credentials and its cryptographic keys. Apps will ideally have the ability to detect a jailbroken or rooted device and take defensive actions.
Cybercriminals might also tamper with an app to modify workflows. For instance, they may ask a user for sensitive information, install rootkits and backdoors, disable security monitoring, insert info-stealing malware, or otherwise hijack an app for something it was never intended to do. Anti-tampering mechanisms detect unauthorized modifications to code by using techniques such as integrity checking and generally trigger a defense response such as blocking account access or shutting the app down.
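The root-detection and integrity-checking ideas above can be made concrete on Android. The following Kotlin is an added example written for this article, not code from the author or from Intertrust; it pins the SHA-256 fingerprint of the release signing certificate (a repackaged copy of the app is necessarily signed with a different certificate), adds a few root heuristics, and leaves the defensive response to the caller. The pinned hash is a placeholder to be replaced with the value printed by `apksigner verify --print-certs` for your own release build, and the su paths and `enforceAtStartup` helper are illustrative choices.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import java.io.File
import java.security.MessageDigest

// PLACEHOLDER, not a real value: hex SHA-256 of your release signing certificate,
// as printed by `apksigner verify --print-certs <release.apk>`.
private const val EXPECTED_CERT_SHA256 =
    "0000000000000000000000000000000000000000000000000000000000000000"

// Common locations of the su binary on rooted devices (heuristic, not exhaustive).
private val SU_PATHS = listOf(
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su", "/data/local/xbin/su"
)

sealed class IntegrityVerdict {
    object Ok : IntegrityVerdict()
    data class Compromised(val reasons: List<String>) : IntegrityVerdict()
}

private fun ByteArray.sha256Hex(): String =
    MessageDigest.getInstance("SHA-256").digest(this).joinToString("") { "%02x".format(it) }

/** SHA-256 fingerprints of the certificate(s) the installed APK is actually signed with. */
fun signingCertHashes(context: Context): List<String> {
    val pm = context.packageManager
    val signatures = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
        val info = pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNING_CERTIFICATES)
        info.signingInfo?.apkContentsSigners ?: emptyArray()
    } else {
        @Suppress("DEPRECATION")
        pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNATURES).signatures ?: emptyArray()
    }
    return signatures.map { it.toByteArray().sha256Hex() }
}

/** Device-level signals that OS protections may have been disabled (rooted device). */
fun rootIndicators(): List<String> {
    val reasons = mutableListOf<String>()
    if (Build.TAGS?.contains("test-keys") == true) reasons += "build signed with test-keys"
    SU_PATHS.filter { File(it).exists() }.forEach { reasons += "su binary present at $it" }
    return reasons
}

/** Combine the anti-tamper and root checks; the caller decides the response. */
fun checkIntegrity(context: Context): IntegrityVerdict {
    val reasons = mutableListOf<String>()
    val hashes = signingCertHashes(context)
    if (hashes.isEmpty() || hashes.any { it != EXPECTED_CERT_SHA256 }) {
        reasons += "APK signing certificate does not match the pinned release certificate"
    }
    reasons += rootIndicators()
    return if (reasons.isEmpty()) IntegrityVerdict.Ok else IntegrityVerdict.Compromised(reasons)
}

// Illustrative response at startup: drop any stored session and report the reasons.
fun enforceAtStartup(context: Context, clearSession: () -> Unit, report: (List<String>) -> Unit) {
    when (val verdict = checkIntegrity(context)) {
        IntegrityVerdict.Ok -> Unit
        is IntegrityVerdict.Compromised -> {
            clearSession()
            report(verdict.reasons)
        }
    }
}
```

Call `enforceAtStartup` from `Application.onCreate` and again before high-value actions such as checkout. These checks run inside the app, so a patched copy can remove them; treat them as one signal, keep the check code itself obfuscated, and back the decision for sensitive transactions with a server-side verdict (for example, the Play Integrity API), where the attacker cannot edit the result.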
If hackers cannot break the cryptography protecting the private information of retail customers, they will often focus their attention on stealing the key to decrypt it. Mobile devices offer key stores to securely store and use cryptographic keys—as with Android Keystore and Apple Secure Enclave—but a lack of standardization across devices means protection levels can vary and the mobile OS and keystores themselves can have security flaws.
Back in July, for example, hackers found a permanent vulnerability in the Apple Secure Enclave processor.
White-box cryptography is software-based cryptographic key protection that assumes this kind of attack and exposure. It uses obfuscation and cryptographic transformations to keep keys protected and hidden even while in use.
Make Security a Priority
Basic secure retail app design goes a long way toward protecting sensitive data. Retailers should provide apps that do not store critical information on the device unless necessary. Moreover, they should make sure all data the app receives is subject to input validation, use strong encryption methods, and ensure app security measures are implemented correctly.
In cases where passwords must be stored on a device, it is critical to make sure they are protected by strong encryption and that cryptographic keys themselves are secured.
This holiday season, as the COVID-19 crisis keeps shoppers out of stores, many customers see mobile retail apps as the safest way for them to continue shopping. Steps that ensure the security of retail apps are an important promise of safety.