
Securing m-Commerce Apps


Anyone looking for a snapshot of how the COVID-19 pandemic is fuelling an e-commerce boom need look no further than Shopify’s recently released Q2 2020 financials. The platform witnessed a 71% jump in new store creation compared to the previous quarter this year. Every leading performance indicator was up in high double, or even triple, digits compared to Q2 2019 including sales (97%), gross merchandise volume (119%), merchant solutions revenue (148%), and adjusted per-share earnings (950%).

The current e-commerce boom, analysts predict, will be lasting.

M-commerce eats E-commerce

The current boom notwithstanding, the e-commerce share of global retail sales was just a smidgen over 14% in 2019 and is projected to grow at about 2% per year to reach 22% in 2023. However, there is a sub-trend that is growing at a much faster rate than e-commerce.

Analysts estimate that by 2021, nearly 54% of all e-commerce sales in the U.S., and 73% worldwide, will happen on mobile devices. And the current crisis has served to further highlight the potential dominance of mobile in digital commerce.

[Figure: Salesforce bar graph of e-commerce traffic growth. Image source: Salesforce Q2 2020 Shopping Index]

According to a quarterly Global Shopping Index report from Salesforce, global e-commerce revenues in Q2 2020 jumped an unprecedented 71%, driven by historic increases across multiple metrics including traffic (+37%), conversion (+35%), and spend (+34%). Tracking this growth by device, i.e. computer and mobile, the study found that m-commerce significantly outperformed e-commerce both in number of visits (46% to 34%) and in number of orders (56% to 37%).

Mobile had been evolving into consumers’ channel of choice for a range of personal and professional transactions well before the current crisis. Specific to retail, this evolution has manifested itself as significant year-on-year increases not only in shopping app downloads, 20% between 2018 and 2019, but also in time spent in these apps, as high as 70% in certain markets. Together, these trends correlate with conversions, both online and in-store.

More pertinent, however, is the fact that m-commerce apps are no longer merely about transactions or conversions. Today, mobile is central to all aspects of online shopping including research, consideration and fulfillment.

Given all this, it is no surprise that even brick and mortar retailers are increasing their focus on mobile engagement and, according to the most recent State of Mobile report from App Annie, often outpacing digital-first apps.

Mobile has quickly become the keystone to success for both offline and online retailers. However, despite their expanding consumer acceptance and increasing sophistication, m-commerce apps still present several challenges that need to be addressed.

Key challenges in mobile commerce

[Figure: Statista bar graph of e-commerce conversion rates on different platforms. Image source: Statista]

Notwithstanding their increasing popularity among consumers and retailers, mobile shopping apps still present a host of challenges. For instance, mobile shopping apps lag their desktop alternatives on key metrics such as conversion and abandonment. While the average desktop conversion rate is about 4.14%, the comparative rate for mobile is 1.82%. Similarly, mobile shopping apps have a much higher abandonment rate (85.65%) compared to desktops (73%) or even tablets (80.4%).

Retailers are searching high and low for new and existing concepts to improve conversion rates, many of them focused on improving the customer experience on mobile. Guest logins, or no login at all, are also becoming a popular way for retailers to minimize friction and enhance the shopping experience for consumers.

Security, however, remains the biggest challenge for m-commerce apps. A 2019 study of 250 popular Android apps revealed that retail apps were the worst offenders when it came to exposing PII (Personally Identifiable Information) with 82% of brick-and-mortar apps and 92% of online apps putting users at risk of fraud and identity theft.

API security for m-commerce apps

There are several ways in which mobile shopping apps can be compromised. Take APIs, for instance, which are widely used to enable mobile apps to interact with back end services and information. Any API that is open to browsing can be scraped for valuable data, both by threat actors and the competition. And there are several ways in which these APIs can be abused. Given the desire to minimize customer login friction, m-commerce channels are amongst the easiest to attack.

Threat actors could simply download the app to study API interactions and reverse engineer its capabilities. Automated bots and data scraping systems that are virtually immune to traditional perimeter defenses can harvest PII wholesale by mimicking genuine API requests. Automated credential stuffing attacks targeted at APIs can be used to attempt malicious logins to mobile applications. Attackers can mount MitM attacks by intercepting mobile API traffic to extract credentials and PII. They can also create malicious apps that mimic popular alternatives in order to harvest sensitive data or to commit fraud. Or attackers could simply destabilize or completely shut down a mobile app by flooding the API with large volumes of requests. Above and beyond all this, there is the real risk from devices being shipped with pre-installed malware, and from malware originating in mobile app stores.

Though standard approaches to API security, such as API keys, user authentication tokens, and TLS encrypted channels, are still important, they may no longer be enough to address the scope of the threat. Fortunately, there are robust solutions that, combined with current security best practices and standards for the design and deployment of mobile apps, can address many of the API-related scenarios discussed here.

A sophisticated mobile app attestation solution can provide end-to-end protection against all of these types of API abuse. Such solutions ensure that only traffic from unaltered, pre-registered apps is allowed through, while automatically filtering out traffic from tampered and repackaged apps. They protect against automated API scraping by blocking unauthorized attempts to extract data. And they protect third-party API keys against reverse engineering and abuse.
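To make the backend side of the attestation model concrete, here is an added example (not Approov's code or any vendor's protocol) of the gateway check that enforces "only attested traffic reaches the API": the attestation service is stood in for by a function that mints a short-lived, app-bound token after integrity checks that are assumed to have passed, and the API verifies that token on every request. The shared secret, the `Attestation-Token` header name and the app identifier are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret: in practice the attestation service and the API
# backend hold it (or a key pair); it is never compiled into the mobile app.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_attestation_token(app_id: str, ttl: int = 300, now: Optional[float] = None) -> str:
    """Stand-in for the attestation service: issue a token for an app instance assumed to have passed integrity checks."""
    issued = int(now if now is not None else time.time())
    payload = {"app": app_id, "iat": issued, "exp": issued + ttl}
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(mac)}"

def verify_attestation_token(token: str, expected_app: str, now: Optional[float] = None) -> tuple:
    """Backend check: constant-time MAC comparison, then app binding, then expiry."""
    now = now if now is not None else time.time()
    try:
        body, sig = token.split(".", 1)
        expected_mac = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected_mac, _b64url_decode(sig)):
            return False, "bad signature"
        payload = json.loads(_b64url_decode(body))
    except ValueError:  # covers bad base64, bad JSON and a missing separator
        return False, "malformed token"
    if payload.get("app") != expected_app:
        return False, "token not bound to this app"
    if now >= payload.get("exp", 0):
        return False, "token expired"
    return True, "ok"

def handle_api_request(headers: dict, expected_app: str, now: Optional[float] = None) -> tuple:
    """Gateway policy: scrapers, scripts and repackaged apps without a valid token get 401 before any data is served."""
    token = headers.get("Attestation-Token")
    if not token:
        return 401, "missing attestation token"
    ok, reason = verify_attestation_token(token, expected_app, now)
    return (200, "ok") if ok else (401, reason)
```

The short TTL limits how long a token captured from a legitimate session remains useful, which is why expiry is checked alongside the signature rather than relying on the signature alone.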

Summary

Predictions are that by next year nearly three-quarters of all global e-commerce traffic will come from mobile devices. And APIs will play a central role in enabling retailers to add key functionalities and features that streamline user experience into their mobile apps. With APIs emerging as a preferred attack vector, a vulnerable API represents a real threat to a retailer’s profits, reputation, and viability. Any shortcomings in app security can turn this valuable channel into the weakest link in a retailer’s e-commerce strategy. However, it is possible to create a comprehensive and foolproof security model for shopping apps by blending conventional security best practices with state-of-the-art solutions to secure mobile APIs.

David Stewart

- Advisor at Approov / Former CEO of Approov
30+ years experience in security products, embedded software tools, design services, design automation tools, chip design.