This post is from the Arxan blog and has not been updated since the original publish date.
Retail Mobile Apps – A Lucrative Frontier For Hackers
As consumers continue to adopt the "always connected" lifestyle, mobile is transforming the world in extraordinary ways. Mobile is now central to the consumer experience and is disrupting the retail industry. Adoption of mobile apps in retail, both the apps consumers use for online shopping and the apps businesses use to provide point-of-sale transaction and payment capability to their customers, continues to grow dramatically.
- Internet Retailer predicts worldwide mobile retail sales will reach $220 billion in 2016, a 53% increase versus 2015
- Org, Forrester and Bizrate have revealed, in The State of Retailing Online Report 2016, that mobile represents 44% of retailers’ online traffic, and 31% of sales
The holiday shopping season has arrived, and consumers as well as retailers are taking advantage of mobile shopping. As the adoption of mobile apps grows in the retail industry, it represents a lucrative new frontier for hackers. ABC News recently reported fake apps masquerading as Ugg, Dillards, Dollar Tree, Zappos and New Balance.
The New York Times reports that even Apple's iPhones have been targeted by fake retail apps that evaded the much-touted scrutiny of Apple's reviewers, masquerading as retail chains like Dollar Tree and Foot Locker, big department stores like Dillard's and Nordstrom, online product bazaars like Zappos.com and Polyvore, and luxury-goods makers like Jimmy Choo, Christian Dior and Salvatore Ferragamo.
How Do Hackers Get In?
While most companies have done a reasonable job of securing web applications, mobile applications are, in most cases, deployed unprotected, making it easy to infringe on IP, copy and distribute the applications illegally, and modify them for malicious purposes. Trend Micro Research (Fake Apps: Feigning Legitimacy) finds that such applications are vulnerable to reverse engineering, repackaging and republishing, and are susceptible to being turned into malicious weapons.
Hackers typically target binary code to launch attacks on high-value applications. For those who may not be familiar, binary code is the code the machine reads to execute an application; it is what you download when you install an app from an app store. A few easy steps and widely available (and often free) tools make it easy for adversaries to directly access, compromise and exploit an application's code:
- Analyze or reverse-engineer the binary, and identify or expose sensitive information (keys, credentials, data) or vulnerabilities and flaws for broader exploitation
- Lift or expose proprietary intellectual property out of the application binary to develop fake / counterfeit applications
- Modify the binary to change its behavior. For example, disabling security controls, bypassing business rules, licensing restrictions, purchasing requirements or ad displays in the mobile app — and potentially distributing it as a patch, crack or even as a new application
- Inject malicious code into the binary, and then either repackage the app and publish it as a new (supposedly legitimate) app, distribute it under the guise of a patch or a crack, or surreptitiously (re)install it on an unsuspecting user's device
Tips To Protect Your Mobile Apps, and Prevent Monetary and Brand Damage
Fake and malicious apps harm a brand's reputation and cause revenue loss, in a competitive market where apps are becoming an increasingly vital component of retailers' strategies as they use mobile to drive higher loyalty and spend from their customers. We recommend that retailers take the following measures to prevent hackers from copying and distributing their applications illegally, or modifying them for malicious purposes.
- Unprotected binary code is the weakest link in application security. Retail mobile apps must be hardened at the binary level to build self-defense, tamper-resistance and self-healing measures into the applications. These measures prevent:
  - Reverse engineering/decompilation of apps
  - Rooting and jailbreaking of the mobile device
  - Malware insertion
  - Spoofing of apps to access sensitive data
  - Tampering with security controls or sensitive functions
  - Unauthorized access and fraud
  - Unauthorized code modification and repackaging of apps
  - Intellectual property theft and piracy
- Android-based retail apps must secure HCE (Host Card Emulation) based mobile payment solutions with cryptographic key and data protection measures that:
  - Secure cryptographic keys so that keys cannot be discovered at any time and are not present in static form or in runtime memory
  - Protect data at rest, in transit and in use
- The OWASP Mobile Top 10 2016 identifies the ten most pervasive security risks associated with the use of mobile devices in all industries, including retail. While all of those risks need to be taken seriously, appropriate measures for mobile binary code must be taken to mitigate the following:
  - M8 Code tampering: risks associated with binary patching, local resource modification, method hooking, method swizzling, and dynamic memory modification
  - M9 Reverse engineering: risks associated with analysis of the final core binary to determine its source code, libraries, algorithms, and other assets
- Consider a mobile app assessment, which measures whether a retail app is exposed to reverse engineering and tampering attacks
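One building block of the tamper-resistance described in the hardening list above and of the OWASP M8 (code tampering) mitigation is a self-checksumming guard: the app hashes a protected code region at runtime and compares it with a reference value embedded at build time. This is an added example, not Arxan's product code; the `kPurchaseCheck` bytes are a constructed stand-in for a protected function's machine code, and the reference hash is computed in-process here only so the example runs stand-alone.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* FNV-1a over an arbitrary byte range. It is small enough to inline into
   several places in a binary, so that patching one guard does not defeat
   the others (guards should also check each other, not only the payload). */
static uint32_t fnv1a(const unsigned char *p, size_t n) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x01000193u;
    }
    return h;
}

/* A guard compares the live bytes of a protected region with a reference
   value fixed at build time. Returns 1 when the region is intact and 0 when
   any byte differs (binary patch, inserted hook stub, modified resource). */
int region_intact(const unsigned char *region, size_t len, uint32_t expected) {
    return fnv1a(region, len) == expected;
}

/* Constructed sample bytes standing in for a purchase-check routine's code.
   In a real build the region is the code segment itself and the reference
   hash is written into the binary after linking (assumption, not page code). */
static const unsigned char kPurchaseCheck[16] = {
    0x55, 0x48, 0x89, 0xE5, 0x83, 0xFF, 0x01, 0x75,
    0x07, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x5D, 0xC3 };

/* Shows the guard passing on pristine bytes and failing after a one-byte
   modification of the kind the post calls binary patching. Returns 1 when
   both outcomes are as expected. Because every FNV-1a step is injective for
   a fixed input byte, any single-byte change is guaranteed to be detected. */
int demo_tamper_detected(void) {
    uint32_t reference = fnv1a(kPurchaseCheck, sizeof kPurchaseCheck);
    unsigned char patched[16];
    memcpy(patched, kPurchaseCheck, sizeof patched);
    patched[7] = 0x74;                       /* simulated patch */
    int before = region_intact(kPurchaseCheck, sizeof kPurchaseCheck, reference);
    int after  = region_intact(patched, sizeof patched, reference);
    return before == 1 && after == 0;
}

int main(void) {
    printf("tamper detected: %s\n", demo_tamper_detected() ? "yes" : "no");
    return 0;
}
```

A single guard is trivially located and patched; real hardening spreads many such checks through the binary, obfuscates them, and ties a failed check to a response (degrade, alert, exit) rather than a simple return value.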
Brand reputation, financial transactions, personal data and corporate intellectual property are all at serious risk, since they are lucrative and profitable targets for attackers. It's time for retailers to secure their mobile apps, and not let hackers take the joy out of holiday shopping!
For securing your mobile payment apps this holiday, please visit this blog.