Retailers may not need reminding that last autumn cyber criminals smuggled hundreds of fake shopping applications into Apple’s official app store.

But how many retailers are confident they will not fall victim to another shopping-app masquerade?

Protecting mobile apps poses much greater challenges than protecting web apps, because the application code has to be released “out into the wild”.

Mirko Brandner, Technical Manager, Arxan Technologies, comments on this critical issue:

“Besides traditional shopping websites, many vendors focus more and more on mobile retail applications that allow their customers a fast and easy purchasing process via their smartphone, and in doing so react to the increasing popularity of mobile computing. For example, at least 75 per cent of the consumers in Germany use their mobile devices for shopping, according to a survey by Opera Mediaworks.

But the real pioneer in terms of retail apps is the USA: By now online customers in the US prefer shopping apps to traditional websites, which has caused Apple to provide its app store with a category especially for retail apps. Even in Germany, Austria and Switzerland, 70 per cent of the big online retailers already offer mobile shopping apps. The traditional retail sector has to go along with this.

Fraud model shopping apps

However, this mobile optimisation of the retail sector does not come without its risks. For cyber criminals and hackers, mobile retail apps are another profitable target that opens the door to stealing sensitive personal information or account details, manipulating purchasing processes or stealing intellectual property. Last autumn, some Apple users already had to experience how real this threat is. The Christmas shopping season had just started when some cyber criminals managed to smuggle hundreds of fake shopping applications into the official app store – passing all security controls. These apps were masquerading as official retail apps of renowned brands like Nike, Adidas, Foot Locker or Christian Dior, and some of them were quite dangerous. While the more harmless versions were bombarding the unaware users with advertising, more harmful apps were aiming for the users’ sensitive credit card data.

The attack method

Unlike the protection of web applications, which companies have largely under control, the protection of mobile apps against tampering and reverse engineering poses a much greater challenge. This is due to the fact that the application code must be released “out into the wild”, i.e. into unregulated and potentially harmful environments. The binary code is the app’s Achilles’ heel and is therefore a very attractive target for hackers. If the binary isn’t protected actively, it is prone to modifications and other types of tampering that compromise the app’s integrity. Attackers can reverse engineer and analyse the code and in doing so locate sensitive stored data such as credit card information, or manipulate transactions that are processed via the app. Furthermore, there is the danger that hackers will steal lucrative intellectual property and use it to release illegal replicas or malicious fake apps.

Secure development and constant protection

In times in which mobile apps are playing an important role in deepening customer loyalty and driving revenue generation, cyber-attacks can have fatal consequences – from financial losses to indemnities or reputation damage. It is thus all the more important that companies keep an eye on the security aspect from the very beginning when establishing their mobile shopping offerings. In concrete terms, this means that mobile apps need to be hardened on a binary level and equipped with Runtime App Self Protection (RASP) capabilities. With this sort of preparation, the app is able to protect itself against tampering and reverse engineering – regardless of the type of device or environment, whether at rest, in transit or in use. Android-based retail apps additionally have to secure HCE (Host Card Emulation)-based mobile payment solutions with cryptographic key and data protection measures that safeguard cryptographic keys and prevent unauthorised access.

Besides formulating the concrete benefits of mobile shopping apps, companies have to increase their customers’ trust in the security of the apps. For this purpose, vendors and developers should spare no effort to proactively protect their apps against cyber-attacks and to communicate this protection openly.”
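The quoted commentary describes, in general terms, what a runtime self-protection check does: the app verifies at run time that its own code has not been altered before it executes a sensitive path such as checkout. The following is an added illustration written for this article, not code from Arxan or from any retail app. It models one RASP building block in Python: at build time a keyed digest (HMAC) of each protected function's bytecode is recorded in a manifest; at run time the app recomputes the digest and refuses to process a payment if it no longer matches. The `checkout` function, the `KEY` value and the `simulate_tamper` helper are all constructed for the demonstration; in a shipped app the key and manifest would be embedded in obfuscated form and the check would cover native code sections rather than Python bytecode.

```python
import hashlib
import hmac
import types

# Constructed sample: a stand-in for a sensitive code path in a retail app.
def checkout(cart_total_cents: int, card_token: str) -> dict:
    """Pretend to process a payment; a real app would talk to a payment provider."""
    return {"amount": cart_total_cents, "token": card_token, "status": "ok"}


def code_fingerprint(func: types.FunctionType) -> bytes:
    """Hash the parts of a function that a patch would change: its bytecode,
    constants and referenced names."""
    h = hashlib.sha256()
    h.update(func.__code__.co_code)
    h.update(repr(func.__code__.co_consts).encode())
    h.update(repr(func.__code__.co_names).encode())
    return h.digest()


def build_manifest(funcs, key: bytes) -> dict:
    """Build-time step: record an HMAC over each protected function's fingerprint,
    so an attacker who edits the code cannot simply recompute a plain hash."""
    return {
        f.__name__: hmac.new(key, code_fingerprint(f), hashlib.sha256).hexdigest()
        for f in funcs
    }


def verify_manifest(funcs, manifest: dict, key: bytes) -> list:
    """Runtime self-check: return the names of functions whose current code no
    longer matches the manifest. An empty list means no tampering was detected."""
    tampered = []
    for f in funcs:
        expected = manifest.get(f.__name__)
        actual = hmac.new(key, code_fingerprint(f), hashlib.sha256).hexdigest()
        # compare_digest avoids leaking the digest through timing differences.
        if expected is None or not hmac.compare_digest(expected, actual):
            tampered.append(f.__name__)
    return tampered


# Constructed key and manifest; in a real build these are generated once and
# embedded in the protected binary, not kept in plain source.
KEY = b"demo-build-key-not-for-production"
PROTECTED = [checkout]
MANIFEST = build_manifest(PROTECTED, KEY)


def guarded_checkout(cart_total_cents: int, card_token: str) -> dict:
    """Run the integrity check before the sensitive path; fail closed on mismatch."""
    if verify_manifest(PROTECTED, MANIFEST, KEY):
        raise RuntimeError("integrity check failed: refusing to process payment")
    return checkout(cart_total_cents, card_token)


def simulate_tamper() -> list:
    """Demonstration only: temporarily replace checkout's bytecode with a patched
    variant that zeroes the amount (a purchase-process manipulation), run the
    self-check, then restore the original code."""
    def patched_checkout(cart_total_cents, card_token):
        return {"amount": 0, "token": card_token, "status": "ok"}

    original = checkout.__code__
    checkout.__code__ = patched_checkout.__code__
    try:
        return verify_manifest(PROTECTED, MANIFEST, KEY)
    finally:
        checkout.__code__ = original


if __name__ == "__main__":
    print("untampered:", verify_manifest(PROTECTED, MANIFEST, KEY))   # []
    print("checkout:", guarded_checkout(1999, "tok_demo")["status"])  # ok
    print("after tamper:", simulate_tamper())                          # ['checkout']
```

The design point is that the check is keyed and fails closed: a plain hash stored next to the code would be trivial for a patcher to update along with the patch, and a check that merely logs rather than blocks gives no protection to the transaction. Production RASP products also guard the checking code itself and the key material, which this illustration does not attempt.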