The annual holiday shopping season is upon us, but it looks very different from years past. With the COVID-19 crisis changing the way people live and work, companies have had to rapidly shift their modes of doing business. For retailers, the need for contactless, safe shopping means that massive numbers of customers have turned to purchasing online.
Companies already in this space have benefited immensely. Amazon and other ecommerce sites, as well as traditional stores with a strong online presence such as Target, have seen gains in both revenue and stock price—ecommerce sales increased 30% in the first half of 2020. This is expected to surge even further during the holiday months, reaching a record $189 billion. This shift, however, has exposed multiple gaps when it comes to retail app security.
Retail app security flaws
As 42% of this holiday shopping is expected to be done on mobile devices, most retailers must be mobile-ready to survive. This has driven a ramp-up in app development and distribution as retailers rushed to get their new or updated shopping apps to market before Black Friday and Cyber Monday. Too often, however, this has meant that retail app security is overlooked in favor of meeting deadlines and improving user experience.
A recent report analyzing 51 top Android retail apps found that all of them lacked some fundamental protections necessary for effective retail app security. Code-hardening and runtime application self-protection techniques (more on these below) were completely absent on 23% of the apps tested; a further 63% employed only one or two app protection measures.
How cybercriminals target shopping apps
Retail apps that don’t adhere to security best practices are prime targets for cybercriminals during the holiday season. A recent survey by the credit-reporting company Experian found that nearly a quarter of respondents had been a victim of identity theft or fraud during previous holiday seasons. The majority of them (57%) expect fraud risk to be even greater this year with the increases in digital shopping due to the pandemic.
There are several ways malicious actors can use retail app security flaws to steal data or redirect payments. One example is creating fake apps that look just like real ones.
- Cybercriminals will download legitimate apps from the Google Play or Apple App Store, decompile them, and reverse-engineer the source code.
- They use this code to create copycat versions that look almost identical to the original but have malicious code inserted: code that can bypass security and validation controls, keyloggers or other info-stealing malware, or even ransomware.
- The fake apps are repackaged and posted where any unwary consumer can download them. Once installed, all information inputted goes straight to the cybercriminals.
A 2019 report by RiskIQ uncovered nearly 1,000 malicious apps related to holiday shopping and a further 6,000 apps piggybacking on trusted retailers’ brands to lure in victims.
Poor retail app security makes it easier for criminals to scam customers, especially those who may be venturing into online shopping for the first time because of the pandemic. For organizations, this results in lost sales, severely damaged consumer confidence, and even potential litigation or regulatory fines.
Tips for boosting retail app security
As online shopping has become a primary interface with many customers, keeping apps secure translates to revenue security for retailers. App developers and retailers can employ several strategies for code hardening and runtime application self-protection that will make their applications more resistant to attack.
Obfuscation is the process of transforming code to make it more difficult for hackers to understand and analyze, but in such a way that it remains fully functional. While it won’t completely stop very determined attackers, advanced code obfuscation makes things so costly and time-consuming that it’s not worthwhile for them to continue.
Rooting and jailbreaking refer to essentially cracking a mobile device to circumvent the OS and device-level security controls put in place by Google and Apple. Mobile owners may root or jailbreak their devices for perfectly innocent reasons, but if your shopping app is running in such an environment, any rogue app could access your application, its data, its credentials, and its cryptographic keys. Apps should have the ability to detect a jailbroken or rooted device and take defensive actions accordingly.
Cybercriminals might tamper with your app to modify workflows (for example, asking a user for sensitive information), install rootkits and backdoors, disable security monitoring, insert info-stealing malware, or otherwise hijack your app for something it was never intended to do. Anti-tampering detects unauthorized modifications to code by using techniques such as integrity checking, and generally triggers a defense response such as blocking account access or shutting the app down.
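The integrity checking mentioned above, applied to the repackaging scenario from earlier in this article, as an added Python example (not Intertrust's code or any vendor's implementation): a release-time manifest of per-file SHA-256 digests is authenticated, then a package is compared against it. The HMAC key stands in for a real release signature, and the package contents, file names and key are constructed for illustration.

```python
import hashlib, hmac, io, json, zipfile

def build_package(files):
    """Build an in-memory ZIP (stand-in for an app package) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in sorted(files.items()):
            z.writestr(name, data)
    return buf.getvalue()

def _mac(digests, key):
    body = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def make_manifest(package, key):
    """Release time: record the SHA-256 of every entry and authenticate the list."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        digests = {n: hashlib.sha256(z.read(n)).hexdigest() for n in z.namelist()}
    return {"digests": digests, "mac": _mac(digests, key)}

def check_integrity(package, manifest, key):
    """Return sorted findings; an empty list means the package is unmodified."""
    # Reject a forged or edited manifest before trusting any digest in it.
    if not hmac.compare_digest(_mac(manifest["digests"], key), manifest["mac"]):
        return ["manifest: authentication failed"]
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        seen = set(z.namelist())
        for name in seen:
            want = manifest["digests"].get(name)
            if want is None:
                findings.append(f"{name}: unexpected entry")
            elif hashlib.sha256(z.read(name)).hexdigest() != want:
                findings.append(f"{name}: content modified")
    findings += [f"{n}: missing" for n in manifest["digests"] if n not in seen]
    return sorted(findings)

# Constructed sample data: file names and contents are illustrative only.
KEY = b"constructed-demo-key"
ORIGINAL = build_package({"classes.dex": b"checkout v1", "res/layout.xml": b"<l/>"})
REPACKAGED = build_package({"classes.dex": b"checkout v1 + injected code",
                            "res/layout.xml": b"<l/>",
                            "assets/extra.bin": b"added file"})
MANIFEST = make_manifest(ORIGINAL, KEY)

if __name__ == "__main__":
    print(check_integrity(ORIGINAL, MANIFEST, KEY))
    print(check_integrity(REPACKAGED, MANIFEST, KEY))
```

A check like this is only as trustworthy as the place it runs and the key or signature it relies on, which is why the article pairs it with obfuscation and key protection.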
If hackers can’t break the cryptography protecting retail customers’ private information, they focus their attention on stealing the key to decrypt it. Mobile devices offer keystores to securely store and use cryptographic keys (Android Keystore, Apple Secure Enclave), but a lack of standardization across devices means protection levels can vary, and the mobile OS and keystores themselves can have security flaws. For example, in July hackers found a permanent vulnerability in the Apple Secure Enclave processor.
White-box cryptography is software-based cryptographic key protection that assumes an attack and exposure. It uses complex obfuscation and cryptographic transformations to keep keys protected and hidden at all times, even while in use.
Make security a priority
Basic secure app design goes a long way. Don’t store critical information on the device unless necessary; make sure all data the app receives is subject to input validation; use strong encryption methods and make sure they are implemented correctly. If you must store passwords, make sure they are protected by strong encryption and secure the cryptographic keys.
How Intertrust helps protect retail apps
This holiday season, as the COVID crisis keeps shoppers out of stores, many customers see your mobile retail app as the safest way for them to continue shopping with you. Unfortunately, as retailers struggle to release their apps to meet demand, security may take a back seat. Intertrust’s application protection solutions let you incorporate the above best practices, plus many more, without adding to your development work or delaying time to market.
To find out more about keeping your retail apps and customers secure, get in touch with one of our experts today.
About Prateek Panda
Prateek Panda is Director of Marketing at Intertrust Technologies and leads global marketing for Intertrust’s application shielding and device identity solutions. His expertise in product marketing and product management stems from his experience as the founder of a cybersecurity company with products in the mobile application security space.