The inherent security issues with many retail e-commerce mobile apps have become an increasing concern as consumers all over the world are stuck at home. Retailers are seeing an increase in digital channel revenue from both e-commerce sites and mobile applications as consumers continue to shop more on their phones ahead of the holidays. Unfortunately, many retailers are falling behind in providing the proper security controls to keep payment information safe. To learn more about how the retail industry is overwhelmingly failing at securing its mobile applications, and to understand the most common security pitfalls within the retail industry, I talked recently with Grant Goodes, chief security scientist at Guardsquare, a firm that specializes in mobile application protection. Grant has specialized in the field of software security for the last 13 years, working on all aspects of protecting applications from reverse engineering and tampering, including white-box cryptography, code obfuscation, and data transformation, as well as RASP (runtime application self-protection) techniques. He is also the author of over 10 patents related to this work and has a background in aerospace, compilers, and Java virtual machines.
MITCH: Why has mobile device security suddenly become front-and-center for many businesses?
GRANT: In the not-so-recent past, most retailers’ idea of an online experience was a website accessed from a desktop computer. Partly this was just that rendering things like catalogs was much better on the large screen of a desktop, and partly it was a distinct lack of consumer trust in making purchases on a mobile device. However, over the last few years, especially among younger consumers, mobile has become the default platform for online activities (not to mention that mobile devices often have quite large screens now!). This trend was vastly accelerated by the pandemic and the attendant lockdowns, which have really seen purchases via mobile e-commerce apps take off.
MITCH: What kinds of security concerns are there regarding apps used for making purchases with phones? What are some of the basic ways mobile applications are failing with regard to security?
GRANT: I like to refer to mobile platforms as “hostile targets,” since there are so many tools and techniques for reverse engineering and tampering, making them intrinsically more amenable to exploitation by bad actors. Originally intended simply for making phone calls and sending text messages, and then extended into “smartphones” with the ability to run applications (at first mostly games!) and browse the web, mobile devices can now be used to do basically anything you would formerly have done on a desktop computer, including performing banking transactions or making retail purchases. And frankly, the focus for most mobile apps is on convenience and user experience, not security, so it is no surprise that there have been problems, including inadequate (or absent!) use of secure communication protocols and cryptography, and failure to secure “data at rest” on the device itself. These sorts of fundamental security lapses result in relatively simple attacks on the client/server communication, such as MITM (man-in-the-middle), or the ability to exfiltrate valuable information stored on the mobile device (such as credit card details).
MITCH: Why haven’t app developers invested greater efforts into ensuring their apps are secure for doing e-commerce?
GRANT: Time-to-market and user experience are seen as the two most important drivers of e-commerce apps. Time-to-market because there’s often a bit of a winner-take-all effect in retail (the retailer that first provides the ability to purchase desired goods will quickly dominate the market), and user experience because that tends to lock in customer loyalty. If there’s a third priority, it’s cost, not security, because cost is upfront, and poor security only ends up affecting the bottom line after an exploit happens and is published in the media, so it’s not always top of mind. Additionally, there’s a tendency to rely on platform security (for example, Apple’s very good record with iOS security), but that cannot be relied on as the only barrier to bad actors exploiting your app, since the reverse-engineering and tampering tools available are increasingly sophisticated and easy to use.
MITCH: What impact is the failure to prioritize security for mobile apps having on consumers and on the retail industry?
GRANT: Of course, the most obvious impact of the failure to secure an e-commerce app is financial: direct to the retailer (for example, fraudulent purchases, unjustified discounts, etc.) or indirect (theft of customer credit-card credentials). But perhaps the more important impact is on consumer trust: if a specific online retailer’s app is subject to an attack (for example, harvesting of credit-card credentials), consumers will hear about it quite quickly and move their business elsewhere. The security reputation of these mobile e-commerce apps is especially critical, since media exposure of any security failure is essentially instantaneous and makes use of the same social media platforms that many consumers use to drive their purchasing decisions.
MITCH: What’s the best way forward out of this situation?
GRANT: The first and most important approach for ensuring mobile app security is security by design. Security is not a “sauce” that can be poured on the app at the end of development: it is vitally important to consider the hostile environment in which these mobile apps run, and relying entirely on platform security (for example, assuming that iOS devices are never hacked) is a mistake, so ensuring that the application uses appropriate cryptographic protocols and data-security practices requires special care at design time. Secondly, at a minimum, software obfuscation (such as ProGuard, which is free and part of Android Studio) and other application hardening techniques should be applied to limit the ability of reverse engineers to find vulnerabilities (which are present even in the best-designed applications). And finally, security should be treated as a first-class citizen when deploying an app to the marketplace: just as quality is ensured by rigorous quality testing, security must be ensured by security assurance (SA), including penetration testing, and good fraud- and threat-detection systems should be in place.
MITCH: Anything else you’d like to add on this subject?
GRANT: I would just like to emphasize the concept of a secure software development life cycle (SSDLC), which simply adds the word “secure” to the traditional software development life cycle. Security must be considered at every stage of the SDLC, from design to development to testing and finally to deployment. This holistic view of security is more likely to result in applications that are inherently secure and much harder to reverse engineer and tamper with, meaning that bad actors are much less able to find exploits, substantially reducing the likelihood of reputation-damaging exploits and fraud.
MITCH: Grant, thanks for taking the time to talk with us here on TechGenix.
GRANT: You’re welcome.
Featured image: Shutterstock