There's a Fake App for That

The well-respected Coach brand stands for authenticity, innovation, and relevance. They are a luxury brand, so you might be a bit surprised to find in mid-October that the Coach mobile app in the iTunes App Store was offering an extra 20 percent off bags, shoes and accessories. Act fast but watch out, because Coach doesn't really have an iPhone app!

Follow the Money

According to Adobe, 2016's Black Friday sales surpassed estimates, coming in at $3.34 billion, a 21.6% increase over 2015. Mobile accounted for $1.2 billion, a 33% increase, with three quarters of that on smartphones. Many retailers, such as Walmart, offered exclusive deals that successfully drove more sales to their mobile channels.

Cyber thieves always follow the money, so as mobile sales grow, so do attacks targeting mobile devices. Fake apps are quite easy to spread using social engineering techniques.

To put this in perspective, Amazon had $107B annual revenue in 2015. If fake apps could siphon off even 0.05% of their sales, that would be more than $50M in lost revenue.

A survey by Trend Micro showed that almost 80% of the top 50 free apps available in Google Play had fake versions, rising to 90% when limited to shopping apps only.

There's significant money in the mobile channel and lots of fraudulent apps vying for it.

Fake Apps Have Real Consequences

Many fake apps are repackagings of existing apps. Fake apps may add extra advertising or redirect ad revenue. If a user provides legitimate credentials, valuable customer info can be stolen, premium charges can be run up, and additional malware can be loaded onto the device. Fake apps may even go as far as fulfilling orders with counterfeit goods. Consider this 1-star review of a fake Dillard's app:

Ads? Really? I can't even browse without an ad popping up every other click. It's ridiculous. You'd think this is some low end app made by a teenager to make some cash. Come on Dillard's. You can do better.

Shoppers do not understand why their favorite retailers are letting them down. Poor customer experiences lose not just the immediate sales, but brand reputation and future sales as well.

As a retailer, don't think you're safe if you don't have a mobile app; that just means the fake apps have no real competition. Dillard's didn't have an app of their own.

Protect Your Brand!

As a first step, make sure you provide a legitimate mobile app which can be downloaded directly from a trusted source such as your website. Monitor your apps and their reviews in applicable app stores.

Fake apps must gain access to your back-end infrastructure, either during operation if they repackage your application, or up front if they scrape enough information from your back end to build a complete impersonation of your storefront. While user authorization techniques such as OAuth2 help protect your users, they do not prevent access to your back-end infrastructure. API keys can be used to validate back-end access, but if they can be reused or easily stolen, you cannot invalidate them without shutting down your legitimate app as well.

Best practices in mobile security to protect back-end access do not rely on static secrets within the app nor do they use long-lived access tokens. The Approov attestation service is an example of this type of protection. Once implemented, any repackaging of your legitimate app will not be recognized by your back end. Even if a customer's user credentials are stolen, a fake app will not be able to access your back end to exploit those credentials.

With this protection in place, the only avenue left for a cyber criminal is to completely impersonate your app. This means that all information, such as your product catalog and pricing, must be completely scraped before the app is released. Since the only way to access your back end is through your legitimate app, attempts to systematically scrape your information will be more easily recognized by existing rate-limiting and behavioral analysis security tools. Make the bar high enough and criminals will look for other targets.
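The back-end half of the short-lived token approach described above, as an added example that is not code from the original post or from Approov: the back end accepts only a signed token that expires within minutes, so a static API key or a replayed token is rejected. The function names, the HS256 JWT format, the 300-second lifetime and the secret are assumptions; the secret is held by the attestation service and the back end and is never shipped in the app, and the attestation of the app itself is not shown.

```python
import base64, hashlib, hmac, json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def issue_token(secret: bytes, now: int, ttl: int = 300) -> str:
    """Hypothetical stand-in for the attestation service: after it has
    attested the app (not shown), it mints a short-lived HS256 JWT."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"exp": now + ttl}).encode())
    return f"{header}.{payload}.{b64url_encode(sign(secret, header + '.' + payload))}"

def verify_token(token: str, secret: bytes, now: int, max_ttl: int = 300):
    """Back-end check for every API request. Returns (ok, reason)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64, bad JSON
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed"
    if header.get("alg") != "HS256":  # pin the algorithm, ignore the token's own choice
        return False, "bad-alg"
    if not hmac.compare_digest(sig, sign(secret, f"{header_b64}.{payload_b64}")):
        return False, "bad-signature"
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "expired"
    if exp - now > max_ttl:  # refuse long-lived tokens even if correctly signed
        return False, "lifetime-too-long"
    return True, "ok"

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed; shared by service and back end only
    token = issue_token(secret, now=1_000)
    print(verify_token(token, secret, now=1_100))          # fresh token
    print(verify_token(token, secret, now=1_400))          # replayed after expiry
    print(verify_token("static-api-key", secret, 1_100))   # static key is not a token
```

Rejections grouped by reason are also a useful signal for the rate-limiting and behavioral analysis tools mentioned above.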

By 2018, mobile shopping is expected to generate the majority of retail sales. There are enough challenges to the mobile shopping experience; don't let fake apps be one of them.

Skip Hovsmith

- Senior Consultant at Approov
Developer and Evangelist - Software Performance and API Security - Linux and Android Client and Microservice Platforms