September 15, 2020

    Struggling Retailers in Bankruptcy Lack Basic Mobile App Security Protections [REPORT]

    One of the heaviest-hit industries by the coronavirus pandemic is retail. Stay-at-home orders and gradual reopening plans have caused many retailers to file for bankruptcy. These struggling organizations now rely mostly on eCommerce and mobile commerce revenues to stay in business. Unfortunately, new research from Guardsquare shows that all of the mobile apps from retailers that filed for bankruptcy lack basic security protections.

    The failure to protect these applications leaves them more vulnerable to malicious actors. Mobile app security attacks could potentially result in a loss of competitive advantages or sensitive customer data. In this post, we’ll walk through the categories of mobile app threats Guardsquare analyzed for its report, as well as key outcomes and recommendations. 

    About the Retail App Analysis Report

    Guardsquare analyzed more than 50 of the top Android retail mobile apps for the 2020 Retail App Analysis Report. Of the apps analyzed, 14% were from companies that filed for bankruptcy. Internal security evaluators looked at two techniques used to execute mobile threats. These commonly originate from tools used by malicious actors:

    • Static analysis:  In these types of attacks, malicious users or unscrupulous competitors attempt to decompile or disassemble applications offline, on a local machine. During a static attack, a bad actor may look at the organization’s source code, and attempt to reverse engineer it to understand how the app functions. From there, they may look for further security vulnerabilities within the application or sensitive information to extract.
    • Dynamic analysis and runtime attacks: These are attempts at understanding the way in which an application works or at modifying its intended behavior at runtime. Usually, the attacker will run an app on a test device, where they may try to modify the way in which the application functions, or gain insight into its inner workings.

    Within these two categories, Guardsquare evaluators checked for seven different types of code hardening and runtime application self protection (RASP) protections. Code hardening defends against static analysis, while RASP defends against dynamic analysis and runtime attacks. 

    Results: Mobile App Security Outcomes Worse for Retailers in Bankruptcy

    Unfortunately, the mobile app security outlook for retailers in bankruptcy was worse than the sample size overall. 

    • 43% of apps in the bankruptcy category had none of the RASP or code hardening security protections in place, compared to 22% overall. 
    • 43% had just one or two of the protections in place. 14% had three or four of the protections. 
    • None of the retail apps analyzed had five or more security protections – which would be considered adequate to defend against malicious actors.

    These results should be startling for consumers and retailers alike. Shoppers in 2020 haven’t had the option to purchase in-store, so two-thirds of them have ramped up online and mobile shopping even more. Without adequate protection, retail mobile apps could be tampered with or even copied and turned into “fake apps.” Fake retail apps are especially risky because they can capture sensitive personally identifiable information (PII) from shoppers, such as names, credit card numbers, addresses, and more. 

    The more likely and costly scenario for retailers are competitive threats. Retailers in bankruptcy can’t afford to lose market share to competitors via mobile apps and other online channels. A lack of code hardening techniques could expose a variety of developer-sensitive data to competitors or other bad actors. This information could possibly be used to execute business or technical denial of service attacks, making the mobile app difficult for customers to use. Beyond denial of service, the competitor could also scrape product catalog and/or pricing data from the app to create an unauthorized third-party aggregator store, weakening the brand and leading to a loss in revenue. These are just two of the many potential attack scenarios.

    Best Practices & How to Move Forward

    All mobile apps—whether for shopping, mobile banking, gaming, or otherwise—need to be developed securely by design. Retail apps, in particular, handle sensitive customer data, and are high-value targets for competitive threats. As a result, mobile app developers should follow a secure software development lifecycle process when building and updating their applications. 

    In general, mobile apps require a layered approach to security. Developers should use code hardening to protect code at rest and RASP to protect apps in use. They should also employ real-time mobile threat intelligence tools to understand when malicious actors go after apps and stop them as quickly as possible through blocking or vulnerability management strategies. Many industry standard best practices are well-known and relatively easy to implement.

     

    Guardsquare

    Discover how Guardsquare provides industry-leading protection for mobile apps.

    Request Pricing

    Other posts you might be interested in