Mobile commerce has become a critical component of any large retailer's business. After all, U.S. consumers spent $52 billion on mobile commerce during the last two months of 2020 alone. That’s a 55 percent increase over the same period in 2019.
With that much money flowing through mobile apps, fraudsters have taken aim at them, making e-commerce the No. 1 category affected by mobile app fraud. That’s bad news for retail, because hackers and fraudsters are finding mobile apps to be easy prey. More than three-quarters (76 percent) of developers felt pressure to deliver apps on time and within budget at the expense of security, according to The Verizon Mobile Security Index 2021.
Most mobile apps do contain some security protections, but unfortunately they can quickly be bypassed by abusing widely used developer tools.
The abuse of a tool called Magisk allows fraudsters to root Android phones, a process that confers much higher privileges. And while many apps contain some form of rooting protection, which shuts the app down as soon as it detects that it is running on a rooted phone, Magisk is often able to evade many of the most popular protections, including Google SafetyNet.
With these expanded permissions, modifying the app becomes easy, especially through the abuse of another popular development tool called Frida. This free, open-source dynamic instrumentation toolkit can be used maliciously to replace existing code and inject new code at runtime, after which the app can be repackaged.
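To make the rooting and instrumentation threat concrete from the defender's side, here is an added example of the kind of check an app's rooting protection performs. It is illustrative code written for this article, not Appdome's product code; the su binary locations and the frida-server default port (TCP 27042) are widely known defaults assumed here, and the class and method names are invented for the example. Every check runs on the device, so a rooted phone can suppress any one of them, which is exactly why the article treats client-side protection alone as insufficient.

```java
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example: layered root / instrumentation signals for an Android app.
 * Hypothetical class name; not the page's or Appdome's code.
 * Returns risk signals rather than a hard verdict, so the app can combine
 * them with server-side attestation instead of trusting the device alone.
 */
public final class RuntimeIntegrityChecks {

    // Typical su binary locations on rooted devices (assumed well-known defaults).
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su",
        "/system/sbin/su", "/vendor/bin/su", "/su/bin/su"
    };

    // frida-server listens on this TCP port when started with defaults.
    private static final int FRIDA_DEFAULT_PORT = 27042;

    /** Collect every signal that fired; an empty list means nothing was observed. */
    public static List<String> collectSignals() {
        List<String> signals = new ArrayList<>();
        for (String path : SU_PATHS) {
            if (new File(path).exists()) {
                signals.add("su binary present: " + path);
            }
        }
        if (isTestKeysBuild()) {
            signals.add("firmware signed with test-keys");
        }
        if (isFridaDefaultPortOpen()) {
            signals.add("frida default port accepting connections on localhost");
        }
        signals.addAll(suspiciousMappedLibraries());
        return signals;
    }

    // Custom ROMs and many rooted builds are signed with test-keys rather than release-keys.
    private static boolean isTestKeysBuild() {
        String tags = android.os.Build.TAGS;
        return tags != null && tags.contains("test-keys");
    }

    // Must be called off the main thread (Android forbids network I/O there).
    private static boolean isFridaDefaultPortOpen() {
        try (Socket socket = new Socket()) {
            socket.connect(new InetSocketAddress("127.0.0.1", FRIDA_DEFAULT_PORT), 200);
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    // Scan the process's own memory map for an injected Frida agent library.
    private static List<String> suspiciousMappedLibraries() {
        List<String> hits = new ArrayList<>();
        try (BufferedReader reader = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = reader.readLine()) != null) {
                if (line.toLowerCase().contains("frida")) {
                    hits.add("suspicious mapping: " + line.trim());
                }
            }
        } catch (IOException ignored) {
            // If the map is unreadable, report no signal rather than crash the app.
        }
        return hits;
    }

    /** Convenience wrapper: true when at least one signal fired. */
    public static boolean looksTampered() {
        return !collectSignals().isEmpty();
    }
}
```

Call `collectSignals()` from a background thread at startup and on sensitive flows (checkout, payment), and send the result to the back end alongside a server-verified attestation such as SafetyNet so the server, not the device, decides whether to honour the order. Treat each signal as a risk input rather than a single kill switch: an app that simply exits on the first hit is easy to patch with the very tools the article describes.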
In this way, bad actors can set the stage for all kinds of schemes. They can create automated click-bots to order massive amounts of popular products, such as limited-edition sneakers, hot Christmas toys or new gaming consoles. They can reverse engineer the ordering and payment process to manipulate it in their favor and give themselves discounts. If passwords and cryptographic keys aren’t properly protected — and they often aren’t — they can gain access to back-end servers and compromise a retailer’s core systems.
Developers aren’t creating insecure apps because they’re lazy. It’s difficult to incorporate defenses such as anti-rooting and anti-jailbreaking (jailbreaking being the iOS equivalent of rooting), code obfuscation to hinder reverse engineering, and encryption. Obfuscate the wrong code or encrypt the wrong data, and an app will break. Plus, the skills to implement these security measures are in short supply, and implementation takes a lot of time. The mobile app market is extremely competitive, and those apps that can’t keep up with others’ functionality and feature sets will see their adoption rates plummet.
There are alternatives to manual implementation of mobile app security. Software development kits (SDKs) provide ready-to-implement code for key security features. They’re easier and faster to incorporate than manually developing security capabilities in-house. Nevertheless, they still require a certain level of mobile platform-specific security skills to weave into an app’s code. For example, a vendor may provide more than one SDK, each covering a specific framework. Each SDK is likely to have several variants for different operating systems, programming languages, and development frameworks such as Xamarin, Cordova, React Native or others. For a mobile developer, integrating a single SDK into source code can be a lot of work. Imagine having to integrate multiple SDKs across versions, frameworks, operating systems and the like. Moreover, the SDKs themselves may be compromised or provide insufficient protection.
Other organizations are turning to automated no-code solutions. These platforms use artificial intelligence (AI) to generate code based on the features the user selects and then build security directly into the app in minutes — without any coding. This is a fast and cost-effective way to get a guaranteed outcome for a mobile app security project.
Some organizations are turning to no-code solutions that apply security directly to the app binary. It’s fast and cost-effective, but like all security solutions, the development team needs to do its due diligence to ensure that the security implementation is sound.
What’s clear is that retail app development teams must address fraud and take measures to ensure their apps are secure. Customers may not initially select a mobile app based on the level of security it provides, but if the app is compromised and used to commit fraud, the brand will be severely damaged, current customers will stop using it, and prospects will never give it a chance in the first place. Mobile app fraud is a serious and rapidly growing problem that retailers can no longer ignore.
Tom Tovar is CEO and co-creator of Appdome, the mobile industry’s first no-code mobile security solutions platform.
Prior to Appdome, Tom served as executive chairman of Badgeville, an enterprise engagement platform acquired by CallidusCloud; CEO of Nominum, a DNS security and services provider that was acquired by Akamai; and chief compliance officer and VP of corporate development and legal affairs at Netscreen Technologies. He began his career as a corporate and securities attorney with Cooley Godward LLP.
Tovar holds a JD from Stanford Law School and a BBA in finance and accounting from the University of Houston.