Mobile Shopping Apps Evaluation Report Raises Security and Privacy Concerns

• Zimperium looked deep inside 60 mobile shopping apps, and the results are worrying, to say the least.
• Most of the apps expose sensitive user data and are vulnerable to reverse engineering.
• Mobile shopping has become prevalent, but consumers aren’t aware of the risks that are involved.

This year’s holiday season is approaching and the Black Friday and Cyber Monday are just around the corner. That said, billions of shoppers are about to purchase goods through the convenience of mobile applications, and crooks know it and are readying their scamming tools. Zimperium, an expert in mobile security has conducted an in-depth investigation on up to date versions of the thirty of the most widely used mobile shopping applications for Android and iOS. The results of this investigation indicate large security and privacy protection gaps, so consumers are advised to be very careful with whom they trust.

The highlights of the Zimperium’s investigation finding are the following:

• All sixty of the analyzed apps are vulnerable to reverse engineering. This means that a scammer could create imposter apps and steal data or money from shoppers.
• 92% of the apps (55) do not secure or encrypt the communications that concern sensitive data. This opens up the risk of a successful man in the middle attacks, and data interception.
• 70% of the apps (42) do not store sensitive data in a secure manner. Malware could potentially tap into this data and exfiltrate it to the malicious actor.
• 48% of the apps (29), all for the iOS platform, are vulnerable to fraudulent transactions through code tampering.
• 97% of Android apps and 83% of iOS apps failed to receive a passing security grade.
• 100% of iOS apps and 90% of Android apps failed to receive a passing privacy grade.

The most critical privacy risks in the iOS were the logging of information into the system console (100% of the apps), ability to screenshot the full user interface (97%), and monitoring the iOS pasteboard (83%). For Android, the most common privacy risks were the insecure provision of content (83%), and risky communications beacon (27%).

As for the security, iOS’s top critical risks were the overriding SSL and TLS chain validation during authentication (100%), implementing swizzling API calls (97%), connecting via HTTP (100%), and using embedded compiled libraries (93%). On the Android apps, 83% enable WebView to execute JavaScript code, 80% allows the spoofing of the app packaging name, and 83% doesn’t validate SSL certificates.

Zimperium isn’t naming the apps they used in this investigation, as the point of the report is to raise awareness, and it does. Consumers are advised to take these findings into account and try to limit their purchases through mobile platforms and prefer other means instead. If you still want to indulge in shopping through your mobile, at least use a robust security solution that will help you detect and stop malicious activities on your device.

Are you planning to buy anything via mobile this season? Let us know in the comments section down below, or on our socials, on Facebook and Twitter.