Guardsquare, the mobile application security platform, today announced the release of the company’s Retail Mobile Application Report, which analyzes the level of in-application security protections employed by top mobile retail applications and the business implications of mobile threats amidst the growth in digital commerce.
The coronavirus pandemic has accelerated a trend that had already been on the rise for years: mobile commerce. As consumers increasingly turned to online shopping because they could not purchase in-store, businesses ramped up their mobile presence. In the rush to meet that demand and capture revenue through mobile channels, retailers' security concerns were outweighed by the need to bring applications to market quickly.
“While the mobile commerce shift has caused the demand for retail mobile applications to surge, it also has provided an opening for attackers to exploit and pose threats to mobile applications as developers put security precautions on the backburner,” said Grant Goodes, Chief Scientist at Guardsquare. “Cutting corners on security can cause a real risk to retailers, as lacking even the most basic security protections leaves the mobile applications vulnerable and more susceptible to malicious attacks.”
For this report, Guardsquare analyzed more than 50 of the top Android mobile retail applications, focusing on seven basic application hardening techniques. Researchers assessed two categories of application protection techniques: code hardening, which defends against static analysis, and Runtime Application Self-Protection (RASP), which defends against dynamic analysis and runtime attacks.
- 23% of the retail apps had no security protections
- 63% of the retail apps had one or two security protections
- 14% of the retail apps had three or four security protections
- 0% of the retail apps had five or more protections
Guardsquare’s analysis found that the vast majority of retail apps have inadequate levels of security protection. The mobile retail applications generally did not employ sufficient code hardening techniques, so they are not adequately protected against reverse engineering and potential exploitation. This allows adversaries to easily decompile code, execute attacks, and clone mobile apps, which can ultimately expose sensitive developer data and personal customer data and cause business revenue loss.
Dependence on digital shopping is expected to keep growing, with impacts on both retail businesses and consumers. Retail applications handle sensitive customer and payment data and are high-value targets, both for malicious actors who harvest personal or financial data from mobile applications to sell and for competitors gathering intelligence or poaching customers from the retailer. By following a secure software development lifecycle process when building and updating mobile applications, implementing a layered approach to security, and employing mobile threat intelligence tools, developers can protect mobile applications against these adversaries.
Guardsquare is the global leader in mobile application protection. More than 650 customers worldwide across all major industries rely on Guardsquare to secure their mobile applications against reverse engineering and hacking. Built on the open source ProGuard technology, Guardsquare software integrates transparently into the development process and adds multiple layers of protection to Android (DexGuard) and iOS (iXGuard) applications, hardening them against both on-device and off-device attacks. With the addition of ThreatCast, its mobile application security console, Guardsquare offers the most complete mobile security solution on the market today. Guardsquare is based in Leuven, Belgium, with a US office in Boston, MA.