
This post is from the Arxan blog and has not been updated since the original publish date.

Last Updated Nov 21, 2016 — Application Security expert

Retail Mobile Apps – A Lucrative Frontier For Hackers


As consumers continue to adopt the "always connected" lifestyle, mobile is transforming the world in extraordinary ways. Mobile is now central to the consumer experience and is disrupting the retail industry. Adoption of mobile apps in retail, both the apps consumers use for online shopping and the apps businesses use to provide point-of-sale transaction and payment capability to their customers, continues to grow dramatically.

The holiday shopping season has arrived, and consumers as well as retailers are taking advantage of mobile shopping. As the adoption of mobile apps grows in the retail industry, it represents a lucrative new frontier for hackers. ABC News recently reported fake apps masquerading as Ugg, Dillards, Dollar Tree, Zappos and New Balance.

The New York Times reports that even Apple’s iPhones have been targeted by fake retail apps that evaded Apple’s much-touted review process, masquerading as retail chains like Dollar Tree and Foot Locker, big department stores like Dillard’s and Nordstrom, online product bazaars like Polyvore, and luxury-goods makers like Jimmy Choo, Christian Dior and Salvatore Ferragamo.

How Do Hackers Get In?

While most companies have done a reasonable job of securing web applications, mobile applications are in most cases deployed unprotected, making it easy to infringe on IP, copy and distribute the applications illegally, and modify them for malicious purposes. Trend Micro Research (Fake Apps: Feigning Legitimacy) finds that such applications are vulnerable to reverse engineering, repackaging and republishing, and susceptible to being turned into malicious weapons.

Hackers typically target binary code to launch attacks on high-value applications. For those who may not be familiar, binary code is the code that machines read to execute an application — it is what you download when you install an app from an app store. A few easy steps and widely available (and often free) tools make it easy for adversaries to directly access, compromise, and exploit an application’s code, for example to:

  • Analyze or reverse-engineer the binary, and identify or expose sensitive information (keys, credentials, data) or vulnerabilities and flaws for broader exploitation
  • Lift or expose proprietary intellectual property from the application binary to develop fake or counterfeit applications
  • Modify the binary to change its behavior, for example by disabling security controls or bypassing business rules, licensing restrictions, purchasing requirements or ad displays in the mobile app, and potentially distribute it as a patch, a crack or even as a new application
  • Inject malicious code into the binary, and then either repackage the app and publish it as a new (supposedly legitimate) app, distribute it under the guise of a patch or a crack, or surreptitiously (re)install it on an unsuspecting user’s device

Tips To Protect Your Mobile Apps, and Prevent Monetary and Brand Damage

Fake and malicious apps harm a brand’s reputation and cause revenue loss, in a competitive market where apps are becoming an increasingly vital component of retailers’ strategies as they use mobile to drive higher loyalty and spend from their customers. We recommend that retailers take the following measures to prevent hackers from copying and distributing their applications illegally, and from modifying them for malicious purposes.

  • Unprotected binary code is the weakest link in application security. Retail mobile apps must be hardened at the binary level to enable self-defense, tamper-resistance and self-healing measures inside the applications. These measures prevent:
    • Reverse engineering/de-compilation of apps
    • Rooting and jailbreaking of the mobile device
    • Malware insertion
    • Spoofing of apps to access sensitive data
    • Tampering with security controls or sensitive functions
    • Unauthorized access and fraud
    • Unauthorized code modification and repackaging of apps
    • Intellectual property theft and piracy
  • Android-based retail apps must secure HCE (Host Card Emulation)-based mobile payment solutions with cryptographic key and data protection measures that:
    • Secure cryptographic keys so that they cannot be discovered at any time, and are not present in static form or in runtime memory
    • Protect data at rest, in transit and in use
  • The OWASP Mobile Top 10 2016 identifies the ten most pervasive security risks associated with the use of mobile devices in all industries, including retail. While all of those risks need to be taken seriously, appropriate measures for mobile binary code must be taken to mitigate the following two:
    • M8 Code tampering: risks associated with binary patching, local resource modification, method hooking, method swizzling, and dynamic memory modification
    • M9 Reverse engineering: risks associated with analysis of the final core binary to determine its source code, libraries, algorithms, and other assets
  • Consider a mobile app assessment, which measures whether a retail app is exposed to reverse engineering and tampering attacks

Brand reputation, financial transactions, personal data and corporate intellectual property are all at serious risk, since they are lucrative and profitable targets for attackers. It’s time for retailers to secure their mobile apps, and not let hackers take the joy out of holiday shopping!

For securing your mobile payment apps this holiday, please visit this blog.
