With Christmas just around the corner and shops ringing in the high revenue-generating Christmas sales, it is not only retailers who are looking forward to the start of the shopping season. Cyber criminals, for whom the increasing proliferation of mobile shopping apps is opening up lucrative attack opportunities, are also likely to profit from this festive season.
Online business is booming like never before. The share of online purchases in the UK in Christmas 2016 (Christmas as the six-week period between mid-November and end of December) was 27 percent of total sales. Mobile commerce is the most important driving force behind the unstoppable triumph of e-commerce. User-friendly mobile shopping apps in particular are attracting more and more customers to make their purchases conveniently via a smartphone or tablet during the stressful pre-Christmas period. According to Retail Research, many UK ecommerce retailers found that up to 80 percent of shopper visits to their websites were done via mobile phones and tablets, and 42.3 percent of all online purchases were made using mobiles.
However, the new opportunities associated with the growing range of M-Commerce services also entail new risks: business transactions via mobile applications – be it payment transactions or the transmission of sensitive personal data – are particularly threatened by cyber manipulations and open up a wide range of possibilities for fraud and data theft. And fake apps have also become a problem for mobile online commerce. The often deceptively authentic-looking counterfeit products act as official apps for well-known brands, playing off unsuspecting consumers in a variety of ways.
Fake apps infiltrate official app stores
Recently, WhatsApp has demonstrated how quickly fake applications are spreading. Around one million Android users fell for a fake version of the messenger app when they downloaded an allegedly official update bearing the familiar WhatsApp logo from the Play Store. However, the aim of the fake app was to get users to click on an ad via which malware was activated. At the beginning of the Christmas season cyber criminals also focus on attacking shopping apps, just as Apple and its customers had to experience last year when hundreds of fake shopping applications infiltrated the App Store in November. Many of these iOS apps used the names of well-known and popular brands and retail chains such as Puma or Foot Locker, and at first glance were not recognisable as fake apps. The consequences for the unsuspecting iOS users were manifold: While the harmless variants pursued the goal of earning money through faded-in advertisements, some malicious fake apps were targeting passwords and sensitive credit card information.
Data theft thanks to unprotected binary codes
However, not only fake applications pose a risk, but also “official” apps can quickly become a threat to the end user, as many of them do not have the necessary security measures to prevent cyber manipulation. Mobile apps are in themselves particularly vulnerable and susceptible to compromise because, unlike server applications, they run in distributed, unregulated and potentially dangerous environments, making them “easy prey” for cybercriminals. As soon as an application leaves a protected and controllable network, there is a risk that hackers will attempt to attack it through existing vulnerabilities. In particular, shopping apps that receive personal data such as addresses or credit card information are at risk here.
The hackers focus especially on the binary code of the application, i. e. the code that a device reads when an app is executed. If the binary code is not actively protected, the app is vulnerable to infiltrating malware, code modification and other types of tampering. Hackers could reverse-engineer and analyse the binary code to extract sensitive data stored in the app, such as account information, or manipulate transactions in their favour. But the reverse engineering of the app and the resulting theft of intellectual property is also worthwhile for the hackers, as they can use this information to develop illegal copies or malicious fake applications, which in turn help them to carry out major attacks.
Regular updates and effective app hardening
For app users it is important to be careful with shopping apps. In order to avoid downloading fake apps, it is worth taking a closer look at official app stores, e. g. at download numbers, user ratings or prices. If the app of a known brand has been downloaded only a few times or if an application that actually requires a fee is suddenly free of charge, the user should generally be suspicious. In addition, consumers must ensure that both the operating system of the device and the app itself are always up to date in terms of security. Providers regularly identify security vulnerabilities and then usually provide their customers with timely updates with appropriate patches. Additionally, it is essential for app users to download the latest version of the app on a regular basis to minimize the risk of hacker attacks. Therefore, it is best to ensure shopping apps are set to automatically update.
Providers and app developers are also involved in the fight against cyberattacks. If they want to protect their customers and their own reputation, they need to focus on the security of their apps right from the start when developing their mobile shopping offerings. Although 84 per cent of all cyberattacks take place at the application level, many providers neglect the necessary security precautions when developing their mobile apps. Only if apps are equipped with multi-layered and dynamic protection mechanisms at the binary code level after the end of their development process can they withstand sophisticated attacks. Companies should look to invest in innovative app hardening technologies, runtime protection and WhiteBox cryptography to protect their customers from data theft, unauthorized transactions and financial loss.
For retailers, an M-Commerce offering is a not-to-be-missed component in the fight for customer loyalty and revenue generation. However, whoever wants to fully exploit this potential must not lose sight of security in favour of availability, convenience and customer-friendliness.
[su_box title=”About Mark Noctor” style=”noise” box_color=”#336588″][short_info id=’103945′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.