Retail Industry
MOBILE SECURITY
BRIEF
Retail Industry
BRIEF

Keeping Online Shopping Safe
Mobile commerce accounted for 23 percent of the money spent on online U.S. retail shopping (retail e-commerce) in Q3 2017, up from 16 percent in the same quarter of 2015. Look no further than the struggling local mall for evidence of how much consumers love to shop online. It’s no fluke that Amazon’s Jeff Bezos is the world’s wealthiest individual.
Retailers are catering to their customers with online apps, websites and omnichannel marketing. Online ads and social campaigns have their own benefits and drawbacks, including fraud and impersonation, but the real security risk lies in branded apps. No matter how securely your apps are built, the cyber hygiene of your end users’ mobile devices is out of your control. Users are notoriously lax about cyber hygiene, and may be even more so when it comes to everyday purchases (compared to fintech or healthcare transactions).
Mobile shopping has been wildly successful in part because it is fun and instantly gratifying. But the potential consequences of unmanaged mobile devices are serious business. Retailers stand to lose precious dollars and see narrow profit margins erode if customers decide it’s not safe or worth the hassle to shop on their smartphones and tablets. Impulse purchases, convenience ordering of groceries and household sundries, and social media-linked transactions are particularly dependent on smooth and easy mobile shopping.
Moreover, mobile apps play a vital role in driving in-store purchases by way of targeted promotions, local inventory confirmation, and pre-purchase research. Shoppers spend double the time on retail sites from their mobile devices compared to desktop viewing.
The threat of public breach notifications, penalties, reputational damage, and operational outages are at the forefront of retail industry challenges. The EU’s GDPR privacy rules (effective May 2018) have introduced further complications to data management processes, with significant penalties at stake.
After many years of high profile breaches and exposure notices, consumers are weary and wary. Cautionary tales abound — breaches of POS systems and websites at Target, The Home Depot, eBay, and countless others have put shoppers on notice and kept many from adopting mobile payment options. While these may not be app-related breaches, the erosion of trust impacts all channels, making it harder to retain current customers and attract new ones.
The takeaway is the same — hackers target lucrative payment information, especially large, poorly protected pools of PII (e.g., customer credit card records). There are so many points in a mobile transaction that cybercriminals can exploit — the buyer’s device, the retailer’s system, the branded app or advertising, the payment network, and the credit card issuer. In the end, users affected by breaches won’t know or understand root causes, but the highly visible retail brand is most likely to feel the customers’ wrath.
Can your customer pay for purchases through your mobile app? If so, hackers can access credit card information and additional PII. This could result in hackers gaining unsecured access to customer accounts and potential financial loss from those accounts. Determining liability in these cases is tricky, but if your brand is on the app, customers who have been harmed will blame you.
Can customers download coupons through your mobile app? If so, you could take a financial hit if the coupon content is changed. Depending on the type of coupon, the hacker may be able to access your supply chain and network through an ERP system.
Can customers save their personal information within your mobile app? If so, this PII is potentially at risk. It may contain financial information, home address and phone number. Hackers can use this information to commit fraud, identity theft, and even in-person crimes like home burglary, if the PII yields insights into family life, work schedule, or vacation plans.

Why is it so challenging to secure retail mobile apps?
Mobile device management solutions (MDM, EMM) are device-centric and so cannot provide any control over the devices belonging to end-users of an m-commerce app. Those unmanaged endpoints run the app’s executable code, and that code can be accessed and altered by a compromised operating system. The executable code for web applications and services resides primarily on enterprise systems, and can be protected and monitored accordingly. Mobile app code resides primarily on the mobile device itself.
Without a solution like HackGuard, the executable code of mobile apps cannot be monitored, protected, or remediated. There’s a rule of thumb for public-facing apps that might surprise any retailer new to the app publishing business. Let’s call it the 200 Rule: The typical organization with 1000 employees can assume they have around 200,000 public app users. That’s 200,000-plus smartphones, tablets, and notebooks over which you have no control. (And given the capriciousness of retail trends and consumer crazes, those numbers could surge unpredictably.)Until you have detailed information about the health of the environments your app is operating in, your attack surface is expansive and your security team is blind.
Of course clean, secure-by-design app development is important. The good news is, that part is under our control and developers keep up with security requirements. Even when the developer has done everything right, the app can still be vulnerable. There are approximately 3000 open vulnerabilities in Android and iOS. As we know, any security that depends on users’ cyber hygiene and patching practices is bound to fail. Moreover, it’s all too easy for hackers to reverse engineer apps. The same goes for malware development — hackers can even buy exploit kits on the Internet.
Mobile antivirus is incapable of even accessing an app’s executable code. AppVision researchers have white hat hacked widely used retail apps in order to further analyze the dynamics of mobile app security environments. They observed that none of the tested antivirus products generated alerts or warnings, having failed to detect the compromise to the app’s executable code. HackGuard was consistently successful in detecting and responding to these same attacks.
Advanced malware exploits are designed to deliver a payload that doesn’t detonate immediately. In order to inflict maximum damage (and reap the most bounty possible) upon activation, malware uses “dwell time” (the period from initial intrusion to detonation) to establish command and control, test system defenses, and spread to further devices. Ponemon Institute’s 2017 Cost of Data Breach Study pegs the average attack dwell time at 257 days (191 to identify, 66 to contain).
Far too often, due to lack of visibility, the retailer doesn’t know the detonation has occurred and that data and credentials are being stolen. Traditional cyber security methods are unable to detect the malware because the activity is coming from a known (but compromised) mobile device, not from an unknown source that can be traced back to a suspicious IP address or pattern of hacker activity.
After a vulnerability or attack has been detected, app developers often waste time trying to find a flaw in the app, or developing and releasing new versions. There are multiple issues with this remedial approach. To start with, new versions of the app would have to be released as mandatory upgrades because end-users are notorious for ignoring update recommendations. Then there is the fact that hackers are watching for updates and can likewise quickly update their malware based on what they learned from the first stage of the attack, leading to even more damaging exploits.
Retailers and mobile payment processors have no access to an end user’s compromised device; they can’t do forensics in order to the get to the root cause, and so the vicious cycle continues. AppVision’s HackGuard turns a repeating APT cycle that continues over several months into a simple, quick solution process, at the end of which losses have been avoided, and the event is ended with finality.

How can HackGuard help retailers protect their business and their customers?
No matter where they wander in the world, your mobile apps can be made hack-proof with HackGuard technology and professional services. With an app-centric focus, this SaaS solution is purpose-built, affordable and easily implemented by any type of retail brand (including entertainment, dining, and hospitality brands) that provides mobile apps for its customers.
HackGuard is an Endpoint Detection and Response (EDR) solution designed specifically to protect mobile app executable code and provide deep discovery of an app’s operating environment. It is threat-vector agnostic, meaning it can protect against all types of attacks, including Zero Days.
Think of HackGuard as a guardian angel, lightly sitting on the shoulder of your mobile app, keeping it safe wherever it may wander. With HackGuard, you can deploy comprehensive protection in just minutes, and begin detecting attacks immediately.
Hackers are more evasive than the most skilled of shoplifters. It’s hard to tell where they came from, what they grabbed, and where they’re going with it. HackGuard sends all the device and app data it collects to a secure cloud portal, through which granular reporting tools are provided. Each AppVision customer is provisioned with its own separate, securely encrypted database. A unified dashboard provides trend graphs, app activity gauges, install/launch charts, rolling reports, and detailed demographics for your installed app base. Datagrids are sortable and searchable. Alerts can be controlled through trigger and threshold settings.
With this kind of visibility, retail businesses can protect their app, their systems, and their customers by conducting rapid attack vector analysis. And most powerfully, with the granular attack data provided by HackGuard, it is easy to track the device characteristics that are being targeted and identify the users most at risk of compromise.
Other mobile app security products inject foreign code or wrap protective code around apps. App developers are wary of these approaches: they require significant effort to implement, can interfere with app functionality, and can even break the app. The act of injecting anyone else’s code, even from a security solutions provider, effectively increases an app’s attack surface. While developers may have complete control over their own code, they cannot exert the same control over injected code, which makes a prime target for hackers seeking to do widespread damage.
AppVision’s HackGuard employs a different, innovative approach — requiring no injection, no SDKs, no need to touch multiple components of the app. In fact, HackGuard can be enabled for an app in under a minute on both Android and iOS.
HackGuard is mobile app security that works all of the time, on every device, and against all kinds of attacks. When your brand is on the line and your customers are ready to click the buy button, make sure HackGuard keeps your app safe for shopping on the go.