August 9, 2020

    The E-commerce App Security Crisis: How Retailers Can Do Better

    It’s Not too Late for the Holiday Shopping Season

    Shopping from phones and tablets has been on the rise for a long time, and that growth is not expected to slow down anytime soon. By 2024, around 187.5 million people in the U.S. will have made at least one purchase via mobile web browser or mobile app. That is up from 167.77 million mobile U.S. buyers predicted for this year, 2020. Already today, mobile buyers account for 60.9% of the U.S. population. 

    The global pandemic has only accelerated the trend of mobile e-commerce (sometimes called m-commerce), whether buyers are using their phones to schedule pick-up curbside or have items delivered to avoid the risks of in-person shopping. 

    However, there’s one big challenge many retailers have not fully recognized amidst this growth. Most developers of mobile apps for retail — whether brick and mortar or entirely online — are not building secure enough apps. In fact, recent analyses have found that these apps are some of the most insecure out there. 

    Here’s what you need to know about this challenge and how to improve your m-commerce app’s security. 

    The retail app security crisis

    Similar to the reviews Guardsquare conducted for finserv and contact tracing apps, a recent review of 250 widely used Android apps found that a full 70% leak sensitive personal data. This data includes:

    • Names
    • Usernames
    • Email
    • Phone numbers
    • Geolocation
    • Account numbers
    • Device identifiers like serial numbers 

    It turns out that, in this analysis at least, retail apps have the worst track record of any industry. The study found that 82% of brick and mortar retail apps are "actively" leaking sensitive data and 92% of online retail apps are doing the same. Only 8% of online retail apps were secure enough to not risk personal info exposure according to the research. Even the FBI has warned about e-commerce fraud recently. In addition, the NSA just released an advisory against exposing geolocation data.

    The global pandemic has also seen a rise in non-traditional retail apps — often intended to minimize social contact. Additionally, loyalty apps and pre-pay or pickup retail apps have become increasingly common in recent years. 

    7-Eleven’s fuel app is a good example of this category, and it was recently exposed to have major security flaws. In the fall of 2019, the popular app, which allows users to prepay for gas and lock in prices, was abruptly removed from the market when a customer pointed out that they could view other users’ personal details inside the application. It was fixed and re-launched, but it provides a perfect example of the type of data leak that many retail apps are still suffering from.

    How to develop more secure e-commerce apps

    While the news about retail app security is not good, there is a lot that app developers can do — quickly and efficiently, we might add — to make their apps more secure. In fact, there are three main areas of focus that can make a major difference in the security of retail mobile apps. Let’s explore.

    Code hardening

    One of the most important things that all apps, including retail and e-commerce apps, can do to become more secure is to harden the code. There are two main techniques that accomplish this goal: obfuscation and encryption. Together they render code both unintelligible and inaccessible to reverse-engineering attempts, whether those attempts rely on manual techniques or on automated analysis.

    Obfuscation means making code more difficult to understand. It is accomplished by stripping out potentially revealing metadata, renaming descriptive class and variable names to meaningless ones, and transforming human-readable executable code into an unintelligible form through a number of techniques.

    Encryption is the process of converting information or data into a ciphertext, especially to prevent unauthorized access. Encryption can be applied to many parts of a mobile app, from strings to classes to assets.

    The strongest code hardening involves multiple layers of obfuscation and encryption; it’s a “better together” situation. 
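To make the two techniques concrete, here is an added example (not Guardsquare's code or any product's implementation): a toy hardening pass over a constructed source snippet that encrypts every string literal into a lookup table and renames a chosen set of identifiers, then checks that neither the literal nor the original names survive in the output. The cipher (HMAC-SHA256 in counter mode), the `_d()` decryption stub name and the naming scheme are simplifications assumed for the demo.

```python
"""Added example (not Guardsquare code): a toy string-encryption and
identifier-renaming pass, showing why a hardened artifact reveals less.
Cipher, key handling and naming scheme are simplifications for the demo."""
import hashlib
import hmac
import os
import re

# Constructed sample: a snippet as it might look before hardening.
ORIGINAL_SOURCE = '''
class LoyaltyApiClient:
    def fetch_balance(self, account_number):
        url = "https://api.example.com/v1/loyalty/balance"
        headers = {"X-Partner-Token": "partner-token-placeholder"}
        return self.session.get(url, headers=headers, params={"acct": account_number})
'''

def keystream(key: bytes, length: int) -> bytes:
    """Derive a keystream with HMAC-SHA256 in counter mode (stdlib only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_string(plaintext: str, key: bytes) -> bytes:
    data = plaintext.encode()
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def decrypt_string(blob: bytes, key: bytes) -> str:
    return bytes(a ^ b for a, b in zip(blob, keystream(key, len(blob)))).decode()

def rename_identifiers(source: str, names: list) -> tuple:
    """Map meaningful names to meaningless ones. Longest names go first so
    one replacement cannot clobber a longer identifier that contains it."""
    mapping = {}
    for i, name in enumerate(sorted(names, key=len, reverse=True)):
        mapping[name] = f"a{i}"
    out = source
    for name, short in mapping.items():
        out = re.sub(rf"\b{name}\b", short, out)
    return out, mapping

def harden(source: str, key: bytes) -> tuple:
    """Replace every double-quoted literal with a call to the (hypothetical)
    runtime decryptor _d(index) and rename the listed identifiers."""
    table = {}

    def repl(match):
        idx = len(table)
        table[idx] = encrypt_string(match.group(1), key)
        return f"_d({idx})"

    out = re.sub(r'"([^"]*)"', repl, source)
    out, mapping = rename_identifiers(
        out, ["LoyaltyApiClient", "fetch_balance", "account_number"])
    return out, table, mapping

def still_visible(artifact: str, secrets: list) -> list:
    """Secrets from the original that a plain text search would still find."""
    return [s for s in secrets if s in artifact]

if __name__ == "__main__":
    key = os.urandom(32)
    hardened, table, mapping = harden(ORIGINAL_SOURCE, key)
    print(hardened)
    print("renames:", mapping)
    print("leaks:", still_visible(hardened, ["partner-token-placeholder", "LoyaltyApiClient"]))
```

The check at the end is the point of the exercise: a plain text search over the hardened output no longer finds the partner token or the class name. Note that the decryption key and the `_d()` stub still have to exist inside the shipped app, so string encryption on its own raises the cost of extraction rather than eliminating it, which is why the post recommends layering it with further obfuscation and runtime protection.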

    Runtime application self-protection (RASP)

    RASP protects applications against analysis at runtime. This is an important security precaution to avoid real-time attacks after an app has been deployed. 

    In a nutshell, when a threat is detected, an application with RASP in place will actively react to defend itself. It may display a security notification or terminate a user session. RASP also ensures the communication between mobile application and server is secure.

    RASP's primary goal is to react immediately. It is a self-contained protection mechanism that doesn't need any connection to the outside to function. It can stop many attacks from succeeding.

    Real-time threat intelligence

    After an app is released, security teams often lack visibility into the most common attack vectors and the vulnerable parts of their code. Bad actors can take advantage of this blind spot to launch attacks. This is why monitoring threats in real time can help teams. Information gleaned from real-time threat intelligence can help teams dynamically adapt their security configurations to better protect apps against suspicious activity and malicious users.
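The RASP section above describes an on-device mechanism that reacts without any outside connection, and this section describes a server-side loop that adapts configuration from what deployed apps report. The following added example (not Guardsquare's code or any product's telemetry format) shows the two halves together: a local reaction table that an app can consult offline, and a backend routine that parses constructed JSON-lines telemetry, summarizes signals per app version, flags devices with repeated hits, and escalates a signal's reaction when it shows up on many distinct devices. Signal names, the event format, the reactions and the thresholds are all assumptions for the demo.

```python
"""Added example (not Guardsquare's code): a RASP-style local reaction rule
plus a server-side loop that adapts the rule set from telemetry.
Signal names, event format, reactions and thresholds are demo assumptions."""
import json
from collections import Counter, defaultdict

# Default on-device policy. RASP must decide without network access,
# so a table like this ships inside the app.
DEFAULT_POLICY = {
    "signature_mismatch": "terminate",   # repackaged or tampered binary
    "hook_framework": "terminate",       # instrumentation framework loaded
    "debugger_attached": "notify",
    "root_detected": "notify",
    "emulator": "allow",
}

def react(signal: str, policy: dict) -> str:
    """On-device reaction. Unknown signals fall back to 'notify' so that a
    newly added detector never silently allows."""
    return policy.get(signal, "notify")

# Constructed telemetry, one JSON object per line, as an app might report
# after each local reaction. Not real data.
TELEMETRY = """\
{"ts": 1, "device": "d1", "version": "4.2.0", "signal": "root_detected", "action": "notify"}
{"ts": 2, "device": "d2", "version": "4.2.0", "signal": "debugger_attached", "action": "notify"}
{"ts": 3, "device": "d2", "version": "4.2.0", "signal": "debugger_attached", "action": "notify"}
{"ts": 4, "device": "d2", "version": "4.2.0", "signal": "hook_framework", "action": "terminate"}
{"ts": 5, "device": "d3", "version": "4.1.0", "signal": "debugger_attached", "action": "notify"}
{"ts": 6, "device": "d4", "version": "4.2.0", "signal": "debugger_attached", "action": "notify"}
{"ts": 7, "device": "d5", "version": "4.2.0", "signal": "debugger_attached", "action": "notify"}
{"ts": 8, "device": "d1", "version": "4.2.0", "signal": "emulator", "action": "allow"}
{"ts": 9, "device": "d6", "version": "4.2.0", "signal": "debugger_attached", "action": "notify"}
"""

def parse_events(text: str) -> list:
    """Parse JSON lines; malformed lines are dropped rather than crashing
    the pipeline, since telemetry from the field is never fully clean."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def summarize(events: list) -> tuple:
    """Signal counts per app version, plus the distinct devices per signal."""
    per_version = defaultdict(Counter)
    devices = defaultdict(set)
    for e in events:
        per_version[e["version"]][e["signal"]] += 1
        devices[e["signal"]].add(e["device"])
    return per_version, devices

def adapt_policy(base: dict, events: list, escalate_at: int = 3) -> tuple:
    """Escalate a 'notify' signal to 'terminate' once it has been seen on at
    least `escalate_at` distinct devices, and flag devices with repeated
    non-allowed hits. The base policy is left untouched."""
    policy = dict(base)
    _, devices = summarize(events)
    for signal, devs in devices.items():
        if policy.get(signal) == "notify" and len(devs) >= escalate_at:
            policy[signal] = "terminate"
    per_device = Counter(e["device"] for e in events if e["action"] != "allow")
    flagged = sorted(d for d, n in per_device.items() if n >= 2)
    return policy, flagged

if __name__ == "__main__":
    events = parse_events(TELEMETRY)
    per_version, _ = summarize(events)
    for version, counts in sorted(per_version.items()):
        print(version, dict(counts))
    new_policy, flagged = adapt_policy(DEFAULT_POLICY, events)
    print("escalated:", {k: v for k, v in new_policy.items() if v != DEFAULT_POLICY[k]})
    print("flagged devices:", flagged)
```

With the constructed data, `debugger_attached` is seen on five distinct devices and gets escalated to `terminate`, while `root_detected` (one device) keeps its `notify` reaction, and device `d2` is flagged for its repeated hits. The updated policy would then be pushed to the app as configuration, which is the "dynamically adapt" step the section describes; the app keeps reacting locally from whatever policy it last received.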

    Black Friday and the holidays are sooner than you think

    It’s concerning that retail apps are as insecure as they are. COVID-19 has increased the usage of both brick and mortar stores’ pick-up apps and pure-play m-commerce apps. In other words, more shoppers than ever are at risk if your mobile retail app is not secure.

    Plus, it’s worth remembering, even in August, that Black Friday and the holiday shopping season are not far away. This year is likely to set records for online and mobile shopping, given the ongoing pandemic situation. Many teams will be finalizing their retail app strategies for the season by September. Anyone who is not incorporating the security precautions described above into their approach is likely to be the target of attacks. 

    The good news is there’s still time to shore up your defenses ahead of this key time period if you act fast. The combination of code hardening, RASP, and real-time threat intelligence can provide a robust and layered defense against any attack that may be launched against your m-commerce app.

    Guardsquare

    Majority of Retail Apps Lack Basic Security Protections
