RISKS OF SHOPPING WITH MOBILE APPS THIS SEASON
The holiday season means increased use of mobile devices and apps for shopping. Mobile shopping apps deliver real-time notice of deals as well as the convenience of shopping from anywhere. But, as with any mobile apps, it’s important to consider the tradeoff of convenience and security.
Many consumers are unaware of the risks to their privacy and data that use of mobile shopping apps may entail. The Appthority Enterprise Mobile Threat Team makes its enterprise customers aware of these risks which also impact the corporate environment as employees use BYOD devices to shop from work or while on the road.
Using the Appthority Mobile Threat Protection engines, we analyzed almost 40,000 unique iOS and Android shopping apps and identified hidden risks in apps frequently found on employee mobile devices.
RISKS TO USER DATA
Many shopping apps are not adequately protecting user data by sharing far too much information without encryption. Specifically, we found:
- 68% of shopping apps are transmitting data unencrypted
- 11% share sensitive data without encryption (such as transmitting the user’s log-in credentials in the clear and transmitting the user’s address book to third parties)
- 21% share Personally Identifiable Information (PII) such as device name or ID with third parties
- In over 3% of the apps, developers purposely disabled SSL validation, which exposes the apps to potential man-in-the-middle (MiTM) attacks
These kinds of issues were not only present in lesser known, poorly built shopping apps. Some major retailers also made the list of worst offenders. Here are a few examples that caught our attention:
Disables SSL Validation:
SSL certificate verification is disabled for a backend process that enables voice searches via the device’s microphone with Amazon. While this is a helpful feature, its implementation creates a vulnerability: the voice data can be accessed via a man-in-the-middle attack.
Although the app sends PII (the UUID and device name) and location to several servers over encrypted connections, it does not use the best practice of SSL pinning to fully protect that data from man-in-the-middle attacks.
Disables SSL CA validation for “https://www.walmart.com”. This is worse than not using certificate pinning because it effectively “turns off” the protection the encryption provides, so the traffic can be easily intercepted via a man-in-the-middle attack.
Sends Credentials in Clear Text:
- Barneys New York for iPhone
This app does not encrypt crucial traffic such as that containing user credentials. This gives any bad actor or app sniffing the traffic access to user credentials which can be used to log into the shopper’s account and which could also yield access to the user’s home address and financial information. Further, if the victim uses the same password on critical servers at work, this app’s encryption gap could expose the enterprise to a major breach.
Sends Address Book:
- AT&T Code Scanner: QR,UPC & DM
While many shopping apps might have a legitimate reason to access a user’s address book (to find his/her address, or to find a friend’s contact info to invite them to the app/service), apps do not need to export the address book from the device for any critical app function. This practice usually exists to share contacts with third parties for marketing purposes, and it puts the user’s data, and the privacy of all their contacts, at risk. Furthermore, since an address book is likely to contain work contacts, an address book intercepted by a bad actor could expand the number of spear phishing attempts aimed at the enterprise.
Sends Sensitive Data Unencrypted:
- Toys “R” Us Shopping
This app sends PII (including the device ID (IMEI or device ID) and MAC address) and sensitive data unencrypted overseas to the UK and is therefore a threat to privacy and enterprise security. It’s highly unlikely that the device ID or MAC address is required for the shopping application, and it’s extremely careless to send it unencrypted. Loss of privacy due to PII leakage is potentially serious, as it could lead to identity theft or inform a spear phishing attack against the user’s employer.
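To make the four categories above concrete, here is an added illustration (not Appthority’s engine and not any app’s code) that triages constructed captured requests from a hypothetical shopping app: it flags cleartext transmission, credentials or device PII sent in the clear, PII sent to third-party hosts, and address-book export. The first-party domain shop.example, the sample requests and the form-field names are all assumptions.

```python
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Hypothetical first-party domain of the shopping app under review.
FIRST_PARTY = "shop.example"

# Constructed sample of captured app requests (URL + form body); not real app traffic.
SAMPLE_REQUESTS = [
    {"url": "http://api.shop.example/login", "body": "user=alice&password=hunter2"},
    {"url": "https://api.shop.example/cart", "body": "sku=123&qty=1"},
    {"url": "https://ads.tracker.example/collect", "body": "device_name=Alice%27s+iPhone&idfa=AAAA-BBBB"},
    {"url": "http://metrics.example.co.uk/ping", "body": "imei=356938035643809&mac=00%3A1A%3A2B%3A3C%3A4D%3A5E"},
    {"url": "https://social.example/import", "body": "contacts=%5B%7B%22n%22%3A%22Bob%22%7D%5D"},
]

# Assumed form-field names for credentials, device PII and address-book exports.
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "token", "session"}
PII_KEYS = {"imei", "mac", "device_name", "udid", "uuid", "idfa", "android_id"}
ADDRESS_BOOK_KEYS = {"contacts", "address_book"}


def is_third_party(host):
    """True unless the host is the app's own domain or one of its subdomains."""
    return not (host == FIRST_PARTY or host.endswith("." + FIRST_PARTY))


def triage(request):
    """Return the findings for one captured request, in a fixed order."""
    parts = urlsplit(request["url"])
    fields = {k.lower() for k in parse_qs(request["body"], keep_blank_values=True)}
    cleartext = parts.scheme == "http"  # plain HTTP: readable by anyone on the network path
    pii = fields & PII_KEYS
    findings = []
    if cleartext:
        findings.append("cleartext")
    if cleartext and fields & CREDENTIAL_KEYS:
        findings.append("credentials_in_clear")
    if cleartext and pii:
        findings.append("pii_unencrypted")
    if pii and is_third_party(parts.hostname or ""):
        findings.append("pii_to_third_party")
    if fields & ADDRESS_BOOK_KEYS:
        findings.append("address_book_export")
    return findings


def summarize(requests):
    """Count how many requests trigger each finding (a per-app risk summary)."""
    return Counter(f for r in requests for f in triage(r))
```

Running `summarize(SAMPLE_REQUESTS)` gives the same kind of per-category tally the report above presents, only over one app’s captured requests instead of 40,000 apps.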
HOW TO SHOP SAFELY
Avoid public Wi-Fi networks when using shopping apps
As we’ve seen, apps do not always properly encrypt sensitive data, which may include personal and financial information; in the wrong hands, that data could result in fraud or identity theft, or in an enterprise spear phishing attack or other exploit. So, when shopping from a coffee shop or airport, don’t use the free public Wi-Fi connections, where someone could be “sniffing” the traffic to intercept unprotected sessions and expose your data. Instead, use a secure Wi-Fi network like the one at work or home, or better yet, use your phone’s 4G/LTE network for shopping and other financial transactions.
Be Thoughtful About Granting App Permissions
Apps ask for permission to access a variety of data and functions on your device. Consider whether it makes sense for a shopping app to access your address book or microphone. Err on the side of declining permissions since your data is often shared with third parties such as advertising networks and companies who compile profiles using data on you from multiple sources. You can check the permissions for each app by going into “Settings” and then reviewing what is enabled for each app.
Be Password Savvy
Never use the same password across multiple accounts or apps. If one app fails to protect your log-in credentials, and you’ve used those same credentials to access your primary email account or on the job, for example, you’re making it easy to steal your identity and gain access to critical resources at the place where you work.