Mobile retail apps lack basic security
The COVID-19 pandemic has quickened a trend that’s already been on the rise for years: mobile commerce. According to eMarketer, in the next two years commerce via mobile apps is expected to grow by 68% and will account for half of all e-commerce purchases.
However, research by Guardsquare has revealed that many of the top retail mobile apps don’t have even basic security protections in place. The company assessed 51 of the top Android mobile retail apps and notified each retail app’s owner of the analysis findings. It conducted both static and dynamic analysis, as well as assessing whether any runtime application self protection (RASP) checks were in place.
Speed over security
According to the company, there could be many reasons why mobile app developers aren’t taking security seriously enough. Sometimes the urgency of getting these apps to market quickly outweighs security concerns, but sacrificing security for speed can leave apps vulnerable to malicious actors, which can result in significant business implications and a loss of competitive advantages if left unaddressed.
“The overall lack of protection shows retailers may not fully realise the business impact of cutting corners on security.” (Guardsquare)
Mobile threats are executed using two broad techniques. The first is static analysis, in which malicious users or unscrupulous competitors decompile or disassemble an application offline, on a local machine. During this type of attack, a threat actor examines the company’s code and attempts to reverse engineer it to understand how the app functions. Once done, they might look for additional security vulnerabilities within the application, or for sensitive information to extract.
The other type of attack is dynamic analysis and runtime attacks: attempts to understand how an application works, or to modify its intended behaviour, while it is running. Usually, the malefactor runs the app on a test device or emulator, where they may try to modify how the application functions using hooking frameworks, or try to gain insight into its inner workings using a debugger.
Seven hardening techniques
The Guardsquare report lists several code hardening measures that defend against static attacks:
- Name obfuscation: Hides human-readable identifiers in the application’s code to prevent bad actors from reverse engineering the application’s structure and logic.
- String encryption: Encrypts sensitive textual information included in the application, such as URLs, API or cryptographic keys, to prevent an attacker from extracting it. For retailers, a lack of string encryption could open up sensitive app developer data to competitors.
- Remove visible APIs: Exposed server APIs can allow competitors to execute attacks on the back-end of retail apps, such as mass-booking limited resources like hotel rooms, creating bots to extract pricing and adjust their own, running an unauthorised third-party aggregator store, etc.
In addition, Runtime Application Self-Protection (RASP) defends against dynamic analysis and runtime attacks:
- Root or emulator detection: Attackers often try to 'root' a device to bypass the application sandbox and conduct unapproved actions. Root detection monitors the environment in which applications are running and prevents them from being executed on rooted devices. Emulator detection prevents applications from being executed on virtual devices.
- Data at rest encryption: Encrypts dynamic user data, such as names, dates of birth, addresses, etc.
- SSL pinning: Prevents man-in-the-middle (MiTM) attacks by validating server certificates. MiTM attacks can result in sensitive data loss.
- App attestation: Mobile platforms provide mechanisms (e.g. SafetyNet on Android) for cryptographically confirming that both the device itself and the running application are genuine, ensuring that servers are not interacting with compromised endpoints.
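As an added illustration of the SSL pinning item above (this is example code written for this page, not code from Guardsquare’s report or from any of the apps it assessed), the block below implements the pin-matching logic that libraries such as OkHttp’s CertificatePinner perform: each pin is a SHA-256 digest of a certificate’s DER-encoded SubjectPublicKeyInfo (SPKI), expressed as `sha256/<base64>`, and a connection is accepted only if some certificate in the presented chain matches a pin configured for that host. The SPKI byte strings are constructed placeholders standing in for what the app would extract from the real server certificates; `PinSet`, `spki_pin` and `host_matches` are names chosen here, not a real library’s API.

```python
import base64
import hashlib

# Constructed sample SPKI DER bytes. In a real app these come from the
# certificates presented during the TLS handshake; here they are opaque
# placeholders so the example runs offline.
CURRENT_SPKI = b"constructed-spki-bytes-for-current-server-key"
BACKUP_SPKI = b"constructed-spki-bytes-for-backup-server-key"
ROGUE_SPKI = b"constructed-spki-bytes-for-interception-proxy-key"


def spki_pin(spki_der: bytes) -> str:
    """Return the pin in the 'sha256/<base64>' form used by OkHttp and HPKP:
    SHA-256 over the DER-encoded SubjectPublicKeyInfo of a certificate."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def host_matches(pattern: str, host: str) -> bool:
    """Host pattern matching: an exact hostname, or '*.example.com', which
    matches exactly one label below example.com (not example.com itself,
    and not deeper subdomains)."""
    pattern = pattern.lower()
    host = host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return pattern == host


class PinSet:
    """A set of pins keyed by host pattern, checked after normal chain
    validation. Pinning narrows which keys are trusted; it does not replace
    ordinary certificate verification."""

    def __init__(self) -> None:
        self._pins = {}  # host pattern -> set of 'sha256/...' pins

    def add(self, pattern: str, *pins: str) -> "PinSet":
        for pin in pins:
            if not pin.startswith("sha256/"):
                raise ValueError("pins must be in sha256/<base64> form")
        self._pins.setdefault(pattern, set()).update(pins)
        return self

    def check(self, host: str, chain_spkis) -> bool:
        """True if the presented chain (a list of SPKI DER byte strings)
        contains at least one key matching a pin for this host. Hosts with
        no configured pins are left to standard PKI validation."""
        expected = set()
        for pattern, pins in self._pins.items():
            if host_matches(pattern, host):
                expected |= pins
        if not expected:
            return True
        return any(spki_pin(spki) in expected for spki in chain_spkis)


if __name__ == "__main__":
    # Pin the current key plus a backup key for the same API hosts, so a
    # planned key rotation does not lock every installed app out.
    pins = PinSet().add(
        "*.example.com", spki_pin(CURRENT_SPKI), spki_pin(BACKUP_SPKI)
    )
    print("current key accepted:", pins.check("api.example.com", [CURRENT_SPKI]))
    print("backup key accepted: ", pins.check("api.example.com", [BACKUP_SPKI]))
    print("proxy key accepted:  ", pins.check("api.example.com", [ROGUE_SPKI]))
```

The practitioner detail this shows is the backup pin: an app that pins only the key currently in service cannot connect after the server rotates its certificate, so at least one pin for a key held offline should ship alongside it. The pin is taken over the public key rather than the whole certificate, so renewing a certificate with the same key does not invalidate it.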
“While not an exhaustive list, these seven hardening techniques are important for the security of every mobile app,” says Guardsquare, which used them as indicators for the level of in-app security implemented within retail apps during the course of the research.
A multi-layered approach
For maximum effectiveness, mobile apps need to be protected by multiple layers of security, combining the listed techniques with code hardening like arithmetic obfuscation and control flow obfuscation, plus RASP techniques such as tamper detection and hook detection.
From the research, it became clear that the vast majority of retail apps are not sufficiently protected against reverse engineering and potential exploitation. “They are easy for bad actors to decompile, attack, and even create fake clones, and are likely to lead to security breaches if they have not already. The overall lack of protection shows retailers may not fully realise the business impact of cutting corners on security.”
The majority of the 51 apps tested relied on name obfuscation alone, which does not provide adequate protection on its own. Overall, 23% of the apps tested had none of the protections listed above, 63% of apps had just one or two of the protections, and not a single one of the apps had five or more protections.