Around the world, there is a rapidly growing “mobile-first” preference among retail customers. New research shows that globally, mobile e-commerce app downloads increased by 5.6% in 2024. When looking specifically at Latin America, Southeast Asia, and Japan, those increases jump to over 20%.
A different global study reveals that mobile wallets now power 35% of all online transactions and 21% of in-store transactions, representing a 30% increase since 2022. While this trend is now being seen across all age groups, it first gained traction with younger consumers – as 72% of Gen Z and Millennials recently reported they’d rather pay for everything through an app.
In response to their shifting customer preferences, retail organizations have been adding new functionalities and features to their branded mobile applications. This includes things like in-app payment capabilities, loyalty rewards programs, referral bonuses, premium member services, personalized advertising, behavioral data capture, geolocation-based customizations, and social media integration.
- Among US online adults, 37% regularly use retailer mobile apps to make purchases.
- 47% of Mexican consumers and 65% of Singaporean consumers used phones as part of their latest retail purchase.
- 67% of shoppers in the United Arab Emirates (UAE) used their phone for their latest retail purchase, irrespective of the channel.
- 61% of consumers in Brazil used a phone for their latest retail purchase (both online and in-store transactions), ahead of the US and the UK. But at the same time, 55% of Brazilians also cite data security and privacy issues as concerns about storing payment credentials with merchants.
The latest retail wallet apps have evolved to function more like bank apps, which means they know more about customers. Common features include things like “buy now, pay later” (BNPL), which extends a line of short-term credit to customers. Also worth noting in this context, retail-friendly fintech app Klarna is pivoting from positioning itself as a global payments network and shopping assistant to branding itself as a “neobank”.
But as retail organizations hurry to adopt new offerings to keep up with consumer preferences (and disrupt old business dependencies), there have been some growing pains. This is largely because retail orgs don’t have the same experience as financial services companies and banks in terms of managing heavier cybersecurity burdens and dealing with the complexities of financial industry requirements.
Taking on new risks while attracting more threats
With new financial functionalities come new responsibilities in terms of compliance with industry regulations as well as things like regional data privacy laws. Compliance risks include punitive fines, negative publicity, and potential legal costs. There are also a variety of sophisticated threats that specifically seek to extract customer data, as well as many types of fraud.
Rapid proliferation of new mobile retail apps, increasing frequency of transactions, and rising volumes of stored customer data have all attracted the attention of bad actors. Common threats that target retail apps include social engineering attacks like phishing, which covers many mobile-specific varieties: mishing (mobile + phishing), SMS message-based smishing, video call vishing, and quishing, which makes use of malicious QR codes.
Fraud
The U.S. government’s Federal Trade Commission (FTC) reported a 25% increase in fraud last year with losses totaling $12.5 billion. Improperly secured mobile apps can expose retailers and their customers to fraud in many different flavors and styles, including:
Identity/signup fraud. Retail and e-commerce were the hardest hit by bot-driven signup fraud, accounting for 69% of attempts last year. The ultimate motivation may be for fraudsters to claim signup incentives and member-only exclusives, but these fake accounts could also potentially enable cybercriminals to discover existing user accounts, bypass security controls, and even execute denial of service (DoS) attacks by consuming resources.
64% of users say they’re concerned about identity fraud and 72% evaluate a company’s security measures before signing up.
Account takeover fraud. Threat actors use stolen credentials to make unauthorized transactions. Wallet apps are vulnerable to threats like man-in-the-middle (MitM) attacks, secure storage breaches, app attestation data manipulation, and communication key extraction.
Credential theft that leads to account takeovers negatively impacts customer relationships with retailers, and these incidents typically result in chargebacks.
Fake wallet fraud. Threat actors may reverse engineer, modify, and repackage a mobile wallet that looks exactly like the original. They then use phishing or social engineering to trick unsuspecting consumers into downloading the cloned wallet app in order to steal account credentials or spread malware.
Loyalty and rewards program fraud. This is a big one. Loyalty fraud now accounts for 31% of all fraud attempts against online merchants. In specific regions, the problem can be even more pronounced.
Loyalty programs are an important competitive tool for retailers – 84% of consumers claim they’re more likely to stick with a brand that offers one. Wide acceptance by companies around the globe has created opportunities for both everyday users and professional attackers to misuse and extract unintended value from these programs. For example, customers can download modified mobile retail app clones to unlock premium loyalty program features or directly exploit app vulnerabilities to tamper with their reward points. It’s also common for customers to abuse coupon codes (e.g., signing up for new user discounts under multiple identities) and referral bonus programs (e.g., referring fake users for cash or points-based rewards).
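The coupon-code and referral abuse patterns described above (one person claiming new-user discounts under several identities, or referring fake users to collect the bonus) can be surfaced with simple batch checks over signup records. This is an added example, not Guardsquare's or any retailer's code; the device-fingerprint field, the thresholds and the sample accounts are all constructed assumptions.

```python
"""Flag signup-incentive and referral abuse in a batch of account signups.
Constructed sample data and assumed heuristics (not a Guardsquare rule set).
"""
from collections import defaultdict

# Constructed sample signups: (account_id, device_id, promo_code, referred_by)
SIGNUPS = [
    ("acct1", "dev-A", "WELCOME10", None),
    ("acct2", "dev-A", "WELCOME10", "acct1"),
    ("acct3", "dev-A", "WELCOME10", "acct1"),
    ("acct4", "dev-A", "WELCOME10", "acct1"),
    ("acct5", "dev-B", "WELCOME10", None),
    ("acct6", "dev-C", None, "acct5"),
]

MAX_NEW_USER_CODES_PER_DEVICE = 1  # assumed policy: one new-user discount per device

def find_promo_abuse(signups, max_per_device=MAX_NEW_USER_CODES_PER_DEVICE):
    """Return device ids that redeemed a new-user promo more often than allowed."""
    per_device = defaultdict(int)
    for _, device, promo, _ in signups:
        if promo:
            per_device[device] += 1
    return sorted(d for d, n in per_device.items() if n > max_per_device)

def find_self_referrals(signups):
    """Return (referrer, referee) pairs where both accounts share a device:
    the pattern of referring fake users to collect the bonus on both sides."""
    device_of = {acct: device for acct, device, _, _ in signups}
    return [(ref, acct) for acct, device, _, ref in signups
            if ref and device_of.get(ref) == device]

def referral_fanout(signups, threshold=3):
    """Return referrers with at least `threshold` referees; high fan-out from
    one account is worth a manual review even when the devices differ."""
    count = defaultdict(int)
    for _, _, _, ref in signups:
        if ref:
            count[ref] += 1
    return sorted(r for r, n in count.items() if n >= threshold)
```

In production the same checks would run on the server side over the signup stream, with the device identifier supplied by an attested app rather than trusted from the client.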
Credential theft can also lead to stolen loyalty points and rewards, which can be very costly to retail orgs in terms of reputational damage and financial losses. With an estimated $48 trillion in unspent reward points globally, cybercriminals have established a robust market for selling points stolen from compromised user accounts.
72% of customer loyalty programs have reported some kind of theft or fraud.
Data Loss
Some mobile apps gather detailed customer information to support “know your customer” (KYC) features and other customized shopping experiences. That valuable data can also be used for things like marketing research or analytics to inform R&D. But mobile apps that leak private customer information can cause problems for both app publishers and their retail business customers. In widespread instances where information from many users is exposed, it can lead to bad press, brand damage, regulatory penalties, and legal repercussions.
Compliance
Retail wallets are subject to the same regulatory requirements (e.g., PCI‑DSS, PSD2) as other digital or mobile wallet apps – but without the same institutional experience as organizations in the financial services industry.
Many countries and regions also have specific data privacy regulations (e.g., GDPR, CCPA). Governing bodies can levy hefty fines should an organization be found in non-compliance or (even worse) if they actually expose the private data of customers residing within their jurisdiction. There may also be public disclosure requirements (leading to negative press and reputational damage) as well as potential downstream legal costs.
Comprehensive security for the mobile app SDLC
Consumers expect the same protections when using a mobile wallet app as they do with any other kind of purchase. Retail organizations must ensure that access to customer accounts and any private information gathered by a mobile app will be fully protected – and built-in OS/device-level security isn’t enough. While nearly 40% of mobile app publishers rely solely on OS-level protections or DIY security solutions, the average organization experienced nine mobile app security incidents last year (at an average cost of $7 million per incident).
Retail app developers need security that is purpose-built for mobile applications – complementary solutions that provide layers of protection across the entire lifespan of a mobile retail application.
In development, this should include integrated mobile application security testing (MAST) tools that don’t slow down CI/CD pipelines. Automated static and dynamic code analysis can help development teams continuously find and fix security issues as they go.
Post-release, mobile retail apps first need multi-layered code hardening that uses different forms of obfuscation and encryption to protect against reverse engineering and mobile app tampering. In addition, a runtime application self-protection (RASP) solution helps retail apps repel attacks in the wild. An effective application attestation solution ensures the integrity of APIs, which protects application backends on the server side. Finally, threat monitoring provides real-time visibility of potential attacks or suspicious users, while providing actionable developer insights for version updates and future app releases.
Guardsquare secures retail mobile apps
Guardsquare provides comprehensive, no-compromises security for retail mobile applications across the entire SDLC. Guardsquare products help mobile developers and retail orgs eliminate risks, protect against evolving threats, and maintain compliance with complex regulatory obligations. Our solutions include:
DexGuard (Android) and iXGuard (iOS). Code hardening (multiple layers of encryption and obfuscation) plus RASP prevent:
- Reverse engineering (IP theft)
- Tampering/modifying and repackaging (clones)
- Credential harvesting
- Dynamic runtime attacks
AppSweep. Purpose-built, mobile-specific MAST tools that help developers “shift left”.
- Continuous code testing at speed. Automated static and interactive testing that seamlessly integrates with CI/CD pipelines.
- Shift left. Helps developers quickly find and fix critical security issues. Fixing code issues early in the SDLC saves developers both time and money in the long run.
ThreatCast. Threat monitoring that provides real-time insights into real-world attack vectors. Helps app publishers detect suspicious users and devices across mobile app deployments. Continuously improve your security implementation by identifying where security gaps exist and what steps to take to close them.
- Spot fraud as it's happening. See live evidence and link it to specific user IDs and even email info. This information can also be cross-checked with anti-fraud and KYC tools to block users from the backend.
- Apply data-driven insights. Includes 3-6 months of raw data and 6-12 months of aggregated data.
App Attestation. Verifies the authenticity of your app in real-time so you can trust that your mobile retail app’s behavior is still in your control, even when installed on customer devices.
- Fraud prevention that’s purpose-built for mobile apps. Server-side validation helps prevent API abuse by guaranteeing it's your app interacting with your APIs. This also includes bot protections to help prevent fake accounts and promo abuse.
- Embrace zero trust principles for retail transactions. Continuously verify your root of authenticity with the agility to react to bad actors without building a new version of your app.
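The server-side validation that app attestation is described as providing, both here and in the post-release paragraph above, sketched as an added example (not Guardsquare's App Attestation API or token format): the backend rejects any API call that lacks a valid attestation token bound to that exact request. It assumes the attestation service and backend share a signing key (HMAC-SHA256 stands in for the real scheme) and that tokens expire within a minute.

```python
"""Server-side attestation gate (added illustration, not Guardsquare's API).
Assumption: the attestation service signs each token with a key the backend
holds (HMAC-SHA256 stands in for the real scheme) and binds it to one request
and a short validity window, so a clone cannot mint tokens nor replay old ones.
"""
import hashlib
import hmac
import json

ATTEST_KEY = b"constructed-shared-secret"  # placeholder, not a real provider key
TOKEN_TTL_SECONDS = 60

def _request_digest(method: str, path: str, body: bytes) -> str:
    """Bind a token to exactly one call: method, path and body hash."""
    return hashlib.sha256(method.encode() + b"\n" + path.encode() + b"\n" + body).hexdigest()

def issue_token(method, path, body, now, key=ATTEST_KEY):
    """What the attestation service would hand a verified app instance."""
    claims = {"req": _request_digest(method, path, body), "exp": int(now) + TOKEN_TTL_SECONDS}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + sig

def verify_token(token, method, path, body, now, key=ATTEST_KEY):
    """Return (ok, reason); distinct reasons let threat monitoring tell a
    clone (bad signature) from a replay (expired) from misuse (mismatch)."""
    try:
        payload_hex, sig = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad_signature"      # not issued for a verified app
    claims = json.loads(payload)
    if claims.get("exp", 0) < now:
        return False, "expired"            # replayed after the window closed
    if claims.get("req") != _request_digest(method, path, body):
        return False, "request_mismatch"   # token reused for a different call
    return True, "ok"

def handle_api_call(token, method, path, body, now):
    """Attestation check runs before any business logic touches the account."""
    ok, reason = verify_token(token, method, path, body, now)
    if not ok:
        return {"status": 403, "error": reason}
    return {"status": 200, "data": "loyalty balance would be returned here"}
```

The rejection reason is what feeds the threat-monitoring side: a steady stream of bad signatures from one device points at a repackaged client, while expired tokens point at replay.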
Find out how Guardsquare can help you reduce common retail app risks with comprehensive, mobile-native security. Connect with a Guardsquare expert today.