As the holiday season approaches, retailers have readied their websites and mobile apps for an onslaught of online shoppers eager to snap up Black Friday and Cyber Monday merchandise. However, a NowSecure benchmark analysis of leading mobile shopping and deal finder apps reveals many have serious security and privacy flaws that could jeopardize customer data.

NowSecure analyzed the cybersecurity risk level of 52 publicly available retailer and deal finder mobile apps available in the Apple® App Store® and Google Play™. To select the mobile apps to test, we leveraged app analytics provider Apptopia’s list of the top 20 U.S. retail mobile apps from September 2018, plus we added a few popular deal-finding mobile apps likely to be used during post-Thanksgiving Black Friday and Cyber Monday sales events. NowSecure tested Adidas, AliExpress, Amazon, Best Buy, BuyVia, CVS, DHGate, Dollar General, eBates, eBay, Flipp, Forever 21, Groupon, H&M, Home Depot, Kohl’s, Lowe’s, Nike, Sephora, ShopSavvy, Shopular, Target, Victoria’s Secret, Walgreens, Walmart and Wish.

Overall, we found that 17% of the Android and iOS apps have medium and high risk vulnerabilities such as attempts to run as root (security disabled), leaked sensitive and personal data, unencrypted data transmission, and use of known vulnerable third-party libraries. Only 27% of the mobile apps evaluated in our benchmark carry very low or no risk.

Those results are concerning given the prevalence of mobile shopping and its importance to retailers. The National Retail Federation reported that 81 million U.S. residents shopped online on Cyber Monday in 2017, as compared to 66 million on Black Friday. And last year on Cyber Monday alone, online sales reached a record-setting $6.6 billion. Roughly $1.4 billion of those purchases were made via mobile phones, and tablets garnered about $600 million, according to Adobe Analytics.

With mobile accounting for nearly half of online sales throughout the year, retailers should take steps to better secure their mobile apps and preserve customer trust in their brands.

The Good, Bad and Ugly

Using the NowSecure automated mobile app security testing engine, we analyzed the 26 most popular retail and deal finder apps on each platform (26 Android and 26 iOS) for security vulnerabilities, compliance gaps and privacy exposure. We graded each app using industry-standard CVSS scores and mapped findings to the OWASP MASVS.

The NowSecure Risk Range is a scoring algorithm based on the count and severity of all CVSS findings (CVSS being the industry-standard method for rating IT vulnerabilities and the level of risk exposure they represent). On the overall 0-100 scale, apps scoring below 60 present a high degree of risk, apps in the 60-80 range warrant caution, and apps scoring 80 or above are deemed low risk.

Overall, the median score of all the mobile apps we analyzed was a cautionary 79 (78 for Android and 79 for iOS). Only 27% of the retail apps scored 80 or above on the NowSecure Risk Range: 15% of the Android apps and 38% of the iOS apps. In addition, 93% fail one or more OWASP MASVS requirements, a de facto security standard.

As shown in the bar graph below, the NowSecure Risk Range for these retail and deal finder apps spans from a low of 6 to a high of 97, revealing a wide variation in their cybersecurity posture.

The two charts below plot each app's overall NowSecure Risk Score based on CVSS findings (on a scale of 0-100) against its count of CVSS-scored findings, for Android (first plot) and iOS (second plot). The results show that four Android apps and five iOS apps failed because of critical and high risks.

A review of the benchmark findings shows the most common issues we encountered were insufficient key size, leaked data, improper use of cookies, and improper certificate handling. The worst failures were attempts to run as root, sensitive data leakage, certificate validation failures, world readable/writable files, and unencrypted data transmission over HTTP.
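As an added illustration (not NowSecure's test engine, and not code from any app in the benchmark), the following Python shows the kind of pipeline check that catches two of the failures listed above: cleartext HTTP explicitly permitted in an Android manifest and network security config, and files left world-readable or world-writable. The manifest, the config, the package name, the domain and the file contents are constructed samples; the weak and hardened configurations sit side by side so the difference is visible.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample inputs (placeholders, not taken from any real app).
# The weak pair opts into cleartext HTTP in the manifest and again, per domain,
# in the network security config.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.shop">
  <application android:usesCleartextTraffic="true"
               android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""

WEAK_NSC = """<network-security-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">deals.example.com</domain>
  </domain-config>
</network-security-config>"""

# The hardened pair disables cleartext explicitly instead of relying on the
# platform default, which depends on targetSdkVersion.
HARDENED_MANIFEST = WEAK_MANIFEST.replace('usesCleartextTraffic="true"',
                                          'usesCleartextTraffic="false"')

HARDENED_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
</network-security-config>"""


def cleartext_findings(manifest_xml, nsc_xml=None):
    """Return a list of human-readable findings for every place the app
    explicitly permits unencrypted HTTP. An empty list means no opt-in."""
    findings = []
    app = ET.fromstring(manifest_xml).find("application")
    if app is not None:
        flag = app.get("{%s}usesCleartextTraffic" % ANDROID_NS, "")
        if flag.lower() == "true":
            findings.append('manifest: android:usesCleartextTraffic="true"')
    if nsc_xml:
        for cfg in ET.fromstring(nsc_xml).iter():
            if cfg.tag not in ("base-config", "domain-config"):
                continue
            if cfg.get("cleartextTrafficPermitted", "").lower() != "true":
                continue
            domains = [d.text.strip() for d in cfg.findall("domain")]
            scope = ", ".join(domains) if domains else "all domains"
            findings.append("%s: cleartext permitted for %s" % (cfg.tag, scope))
    return findings


def world_accessible(path):
    """True if 'other' users can read or write the file (POSIX mode bits).
    On Android each app runs as its own UID, so such a file is exposed to
    every other app on the device."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IROTH | stat.S_IWOTH))


def demo_file_permissions():
    """Create two constructed files under a temp dir, one leaky (0666) and
    one private (0600), and report which ones the check flags."""
    workdir = tempfile.mkdtemp()
    results = {}
    for name, mode in (("session.json", 0o666), ("private.json", 0o600)):
        path = os.path.join(workdir, name)
        with open(path, "w") as fh:
            fh.write('{"token": "constructed-sample"}\n')
        os.chmod(path, mode)
        results[name] = world_accessible(path)
    return results


if __name__ == "__main__":
    print("weak:", cleartext_findings(WEAK_MANIFEST, WEAK_NSC))
    print("hardened:", cleartext_findings(HARDENED_MANIFEST, HARDENED_NSC))
    print("files:", demo_file_permissions())
```

Both checks are static and cheap enough to run on every build; a dynamic test of the installed app (watching its actual sockets and the files it creates in its data directory) is what catches the cases a config review misses, such as a library that builds its own HTTP client.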

This benchmark underscores the challenges developers face in building and testing secure retail mobile apps. Developers and security teams that need to deliver secure mobile apps quickly should integrate automated mobile dynamic application security testing (DAST) into their development pipeline.

For a limited time, mobile app security and development teams can get a free trial of the NowSecure automated test engine that provides instant access to NowSecure Mobile App Risk Score and detailed findings with CVSS scores, issue descriptions, compliance mappings, privacy details and more.

Amy Schurr

Content Marketing Director

Amy Schurr is content marketing director for NowSecure. A former B2B journalist, she has spent her career covering technology and how it enables organizations.