It is estimated that over 50% of shoppers globally, will use mobile phones to do all their online shopping by 2019. With more and more devices connected to the internet every second, it is absolutely imperative that e-commerce businesses account for security as a top priority for both customer delight and business success. A very integral part of security is to get educated about the different threats out there and how they could affect both your customers and your business. Get educated about the different vulnerabilities in m-commerce apps and help get your business secured proactively.
At Appknox we test multiple mobile applications every day from different industries such as payments, government, financial institutions, gaming, e-commerce and much more. We took a look at all the e-commerce apps we’ve tested over the years and found four common mobile app vulnerabilities in m-commerce apps. Let’s take a look at them and help you as a business understand the implications if your mobile app is found with these vulnerabilities.
1. Unprotected Export Receivers
Imagine you wanted to wire money to your friends or family, but an unknown stranger receives your money instead? Or, you purchased new clothing with a mobile payment system, and start experiencing a small amount of money that keeps leaking from your bank account to unidentified merchants? It's happened to me and I could never tell why. At least not till I spoke with some experts to find out that this is possible when your app's Export Receivers are not protected properly. Android apps export receivers, which respond to external broadcast announcements and communicate with other apps. For instance, when Receivers are not protected hackers can modify apps’ behavior as they wish, and insert data that doesn’t belong to apps.
This threat is rated a dangerous 7.0 on the CVSSv3 scoring system and could allow Attackers to use non-privileged services to intercept and track a user's activity. Furthermore, it may be possible to insert data that may maliciously modify the behavior of the application according to how they program it.
2. App Extending WebViewClient
If you have ever had the feeling that the mobile web browser you are using isn’t quite right, but you cannot place it. It may be an insecure hacked Web Viewer. When WebViewClients are not correctly protected in-app extensions, hackers can trick users into inputting sensitive personal information in fake or copied apps, resulting in loss of user data, damages and SSL compromising. When an SSL communication channel is compromised, hackers can gain access to a web server, which often stores classified information. It is common for many developers to save more confidential and sensitive data on web servers rather than apps. Since most apps continuously communicate with web servers, leaving WebViewClient unsecured means exposing web servers to external threats as well.
This threat is rated 7.1 on the CVSSv3 scale and is deemed to be a high-level threat. You want to make sure your team is aware that the default handling of WebViewClient should handle the onReceivedSSLError properly. This is even capable of breaking certificate validation. If proper implementation of SSL is not used, sensitive data may leak from the vulnerable SSL communication channel. Trust me, you definitely don't want that happening to your business.
3. Unused Permissions
Apps need permissions from users to provide optimized services. Often one app needs multiple permissions for multifunctional purposes to increase user experiences. But, with too many permissions, it can decrease user satisfaction as well as protection.
For example, a shopping app asks for permissions to access your device’s camera, contacts, and music? That is unneeded and dangerous to app security. However, it is essential to think about what permissions are actually necessary. Asking for too many permissions that are not used for app operations can put users at risk.
When enough security measures are not applied to apps, hackers can manipulate unused permissions to get to the sensitive information. Adding security starts with minimizing ways of compromising data and user information.
Although this threat only ranks 2.3 on the CVSSv3 scoring system, it is still a vulnerability that is like a gateway for plenty of other attacks that hackers may plan on your app. From our experience working with mobile apps, it is often the little things that cause the biggest blunders for businesses. So we'd suggest actively fixing the permissions you ask your users.
In other instances, users may not download your app when presented with a long list of permissions. Imagine a flashlight app requesting access to SD card, camera, contacts, SMS and more. This is an invitation to poor ratings and reviews on App Stores. This also breaks industry compliance standards.
4. Unprotected Exported Activities
Hackers can use unprotected exported activities to copied or jailbroken apps and intercept and track users activities and data for other hacking attacks. That is why, on a daily basis, there are millions of copycat apps stealing user information like usernames, password and personal information and more. Activities are executed via authorized access. When an Activity is exported with no protection, it can be remotely launched outside of apps. This may allow hackers to gain access to sensitive information, modify the internal structure of the applications, or deceive a user into communicating with the attacked application while believing they are still interacting with the original application.
This threat is rated 7.0 on the CVSSv3 scoring card and yes, it is highly threating in nature. In case the Android application exports Activity for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains. Make sure your team is aware that attackers may use non-privileged services to intercept and track the user's activity. Furthermore, it may also be possible to insert data that may maliciously modify the behavior of the application.
There you have it four of the most common vulnerabilities in m-commerce apps. If you would like to find out if your e-commerce app contains these vulnerabilities, Try Appknox for FREE! Appknox is giving away a FREE 14-day trial (no hidden costs) for you to test your app and secure it. Find out if your e-commerce app has these four vulnerabilities or other vulnerabilities from our list of 50+ commonly exploited test cases.