The importance of mobile apps to retail is growing fast. U.S. consumers spent more than $52 billion on mobile commerce from Nov. 1 to Dec. 9, 2020, which is up 55% over the same period in 2019. In the retail industry, it’s projected mobile fraud costs the $3.5B industry $100M per year.
Fraudsters have taken notice. Ecommerce is the No. 1 category affected by mobile app fraud, costing the retail industry at least $100 million in 2020. And it’s no wonder. Mobile apps are extremely easy for hackers and fraudsters to compromise because the vast majority lack even the most basic security protections. The Verizon Mobile Security Index 2021, for instance, found that more than three-quarters (76%) of developers experienced pressure to sacrifice mobile security to hit delivery schedules and meet budgets.
Developers aren’t ignoring security entirely. The vast majority do contain security protections, but they are typically limited in their effectiveness and can be easily bypassed using freely available tools.
For example, malicious use of a popular and powerful development tool called Magisk could enable fraudsters to gain enhanced privileges to modify apps on an Android device, a process called rooting. Apps do have rooting detection, which will shut an app down if an attempt is detected, but Magisk can bypass root detection protections like Google SafetyNet and others.
Once an app is rooted, it becomes very simple to modify it, especially if a bad actor also misuses other tools like Frida, a free instrumentation toolkit intended for developers, pen-testers and security researchers. With the malicious use of Frida, fraudsters can replace code and inject new code into the app, and then repackage it.
The implications are profound. By abusing these tools, for example, fraudsters can reverse engineer the ordering and payment process. If secrets such as keys to allow access to back-end servers and user login credentials aren’t properly encrypted within the app — and all too often, they are not — fraudsters can launch attacks at the core IT infrastructure of the retailer.
In addition to attacks that originate from the device, retailers need to preempt network-based fraud such as click bots, which are also known as sneaker bots, scalper bots and Instacart bots. Fraudsters use the automated clickers to order massive amounts of coveted products such as limited edition sneakers which they can then sell at a markup elsewhere.
Another threat to retail apps comes from so-called Trojans. These fake apps look and feel much like a retailer’s genuine app, but contain malware to steal valuable consumer data such as credit card numbers. Trojans can also compromise other apps on the user’s device for additional malicious purposes.
Why Security is so Weak on Mobile Apps
There are ways to defend against rooting, protect code from being manipulated by developer tools and encrypt secrets so they are safe from prying eyes. But each of these measures is difficult to implement manually, requiring highly skilled mobile app security expertise, which is expensive and in short supply.
Adding jailbreak (iOS) and root detection (Android) to a mobile app will prevent it from running on a device that is compromised. The best detection works both at launch and at runtime. Additional protection against malware root hiding tools would be advisable. Code obfuscation prevents fraudsters from reverse-engineering an app and understanding how the code works. Obfuscation is particularly tricky, because it must be done carefully — obfuscate the wrong piece of code and the app will no longer work.
Similarly, encryption must be implemented in a way that’s both secure and fast. Decrypting secrets is a resource-intensive operation. Done poorly, it will markedly slow performance and degrade the user experience. Finally, app hardening will prevent hackers from tampering with and debugging of the mobile app.
Given that implementing security manually is complex and expensive, many development teams make compromises in order to meet their budget and schedule, both of which are typically strict, as the mobile arena is extremely competitive. To cope, many organizations turn to software development kits (SDKs), which are easier to incorporate than manually coding security measures, but they still require skill to add to the app. Additionally, SDKs can themselves be compromised or provide less than solid protection, especially around obfuscation.
Some organizations are turning to no-code solutions that build security directly to the app binary. It’s fast and cost-effective, and makes integrating mobile app security into the DevSecOps process easy.
As retail app development teams address fraud, there’s little doubt that they must take measures to ensure their products are secure. While consumers may not yet select a retail mobile app based on the level of security it provides, a serious security breach will damage the brand and ensure that existing customers abandon it and potential new customers never give it a try. After all, with so much opportunity and growth in retail mobile apps, fraudsters will only become more sophisticated over time.
Tom Tovar is CEO and Co-creator of Appdome, a no-code mobile security solutions platform. Prior to Appdome, Tovar served as Executive Chairman of Badgeville, an enterprise engagement platform acquired by CallidusCloud; CEO of Nominum, a DNS security and services provider that was acquired by Akamai; and Chief Compliance Officer and VP of Corporate Development and Legal Affairs at Netscreen Technologies. He began his career as a corporate and securities attorney with Cooley Godward LLP. Tovar holds a JD from Stanford Law School and a BBA in finance and accounting from the University of Houston.