This blog covers the top security challenges facing super apps.
“Super Apps” are all the rage these days. Every major mobile brand seems to be building Super Apps – including Google, Amazon, Paypal, Spotify, Uber, Instagram, and even Walmart. These supersized aggregator apps all have one goal – to provide you with the mobile app equivalent of “one-stop-shopping” or a “mobile shopping mall” at the tip-tap of your finger.
What are the cybersecurity risks in building and using Super Apps? How do developers that build and security teams that protect Super Apps ensure end-user safety, security and privacy when using Super Apps?
I will try to answer all these exciting questions in this blog. Ok, let’s get going.
What are Super Apps?
Super apps are Android and iOS applications that function as platforms and seek to unify multiple mobile app services into one common interface, sometimes through an ecosystem of different providers whose components are all integrated into one seamless mobile experience. The New York Times characterized super apps as the “Swiss Army knife of apps”. Super apps offer a range of services such as social media, shopping, mobile payments and financial services, entertainment (streaming music or movies), rideshare, travel booking, and even healthcare in a single place.
Makers of super apps are in an all-out arms race, attempting to combine as many related services into a single app as possible. For example, in the Fintech space, PayPal’s super app will include loyalty points management and redemption, mobile payments, Buy Now, Pay Later (BNPL), as well as in-app shopping and deals. Insurtech players like Alan (not me) are also getting into the Super App game as well, as Telcos and content providers who offer super apps for all kinds of media, streaming and communication services in one app.
Major brands consider super apps an extremely important piece of the puzzle to win over the hearts and minds (and wallets) of younger generations – like the digitally-native Gen-Z, who use super apps for a majority of their day-to-day needs. Super apps are already very common in Asia, led by Grab, Gojek, Paytm, Wechat and AliPay. In LATAM, there’s Rappi, Mercado Libre, Magalu, and Baz – just to name a few. In EMEA, there’s Yandex and Lydia. In the U.S. many gig economy apps have jumped on the super app bandwagon – including rideshare apps (Uber/Lyft), delivery apps (Instacart/Doordash), travel apps (Expedia/Airbnb), and entertainment apps (Spotify/Netflix). Every one of these powerhouse brands aspires to become dominant super apps by combining a mix of related services into a single app. So yeah, super apps are kind of a big deal. I mean if Willy Wonka had a mobile app, he’d surely be a super app!
Top 5 Challenges Facing Super App Developers & Security Teams
Super apps sound great for consumers, right? But, from a cyber-security perspective, protecting Super Apps and the people that use super apps isn’t easy. On the one hand, the makers of super apps believe that the key to driving higher engagement, customer loyalty, and ARPU growth comes from presenting the user with related services inside a single app experience. Can’t argue with that. On the other hand, to achieve that, super apps have to integrate and allow an unprecedented level of third-party components – like BNPL, Deals, Loyalty, or P2P market-buying functions – inside the app to operate in whatever way that component is designed to operate. Uber says it all below with their recent announcement about relying on many other 3rd party providers for major parts of the super app.
As a cyber-security professional, this makes you cringe. This means that the exploitable attack surface inside a super app is much larger than a single-purpose app. In a single-purpose app, the developer (and the security professional) has full control over the workflows, APIs, network calls, read/write functions, etc. In a super app, more of these basic functions are left to 3rd parties and components that weren’t necessarily designed to work together. And that usually translates to a greater risk of leaking sensitive data, excessive exposure of APIs, security misconfiguration, all of which can cause real headaches in protecting users and revenues.
Let’s explore some of the most common cyber-security challenges in protecting super apps.
The Leaky Bucket Problem of Super Apps
Let’s assume you have an app that does it all. Awesome. But, for that app to work, the user has to enter a lot of data and the app has to connect to all kinds of external services, far more than a stand-alone app. The functionality of, and data collected and used by, a super app can often extend way beyond a stand-alone app, and the developer of the super app may not have full control over how the “other” elements in the apps, i.e., the mobile payment, P2P lending, money transfers, mobile wallet, deals, redemption, and other functions store, share, protect or transmit personally identifiable information (PII), transaction data, payment, and health-related information, user behaviors, preferences, brand and provider affiliations, and much more. Exploits can occur at the intersection of all of these services as well as in the connection between these services and their cloud servers. Data protected by one element could quickly be undone by another element in the same app. This leaky bucket needs to be addressed by enforcing one comprehensive standard for data-at-rest protection, data-in-transit protection, anti-debugging, anti-hooking, and anti-instrumentation in the super app.
Using One Consistent Security Model Inside a Heterogeneous Super App
Think of a super app like a big pot of seafood gumbo, in which each component launches, connects, writes, reads, initiates, originates or terminates using a heterogeneous “pot” of technologies, standards, protocols, methods, data formats and storage types delivered in a single app to the mobile end-user. In the arms race to get more new offerings and mobile services into the super app, developers and security professionals may not have the time, expertise, or controls to accept only those components that are compatible with their chosen security model. To put it simply, Super Apps are incredibly hard to protect using one protection model, because the developer and security team has to manage a complex compatibility matrix, trying to match protections with source code (programming languages) and 3rd party components in the app, all with limited control over the underlying technologies used by 3rd parties. Security usually suffers, unless the developer and security professional can adopt an agile security product capable of protecting all frameworks and methods in any app simultaneously.
Super Apps Give Users (and Hackers) More to Do
As with all consumer mobile apps, a super app maker has no control over the security posture of the user’s device, and no guarantee that the app will be run by a real user or on a real device. Makers of super apps design their apps for real users, and often don’t account for the bad or malicious user, hacker or even friendly security researcher. In our line of work, we’ve seen code scanning vendors have a field day with Super Apps, running the super apps on jailbroken or rooted devices, devices infected with mobile malware, or older operating systems that lack the latest OS security updates. Code scanning vendors often point out that components of the super app may not be sufficiently obfuscated, leaving the entire super app exposed. Or the apps may not be tamper-resistant or might be suspectable to jailbreak bypass, root hiding, dynamic binary instrumentation (DBI), session hijacking using tools like Charles Proxy or BurpSuite, or abuse of Frida and other common pen-testing tools. This is important because Super Apps have to pass code scans or other DevSecOps processes to meet release timelines or satisfy regulatory compliance objectives. Failing these tests, of course, can stall releases – something no one wants, ever.
IVT and ATOs Target Super Apps
Once bad actors learn how the mobile app or code functions, they can craft downstream attacks (such as credential stuffing, fakes, clones, or trojans) to do just about anything, including Invalid Traffic (IVT) from malicious bots and account take-overs (ATOs). What’s more important, and unique to Super Apps, is that the number of high-value points of attack in a Super App is so much higher than a stand-alone app. In other words, Super Apps are “multi-apps”, and as such they represent the ultimate target for IVT and ATO attacks out there. To weaponize a Super App, for example, the attacker need only attach itself to a single part of the app, say its BNPL functionality, or its Driver functionality and leave the rest of the application intact. Because all the components operate independently, hackers need only look for the weakest link and use that to interfere, harvest or attack that part of the app process. This makes executing or even hiding the attack inside the app much easier. To prevent this class of attack, developers and security teams should consider preventing overlays attacks, as well as misuse of ADB or Frida, dynamic binary instrumentation, shellcode injection, memory injection and other similar attacks.
Protect Critical Service Domains in Super Apps
Everyone knows I love to talk about MiTM defense and no place is this more important than in the connections between the Super App and its backend. But, as I have said, super apps are also a composition of multiple, critical, interdependent, service endpoints, each of which should be protected with secure certificate pinning. Protecting the critical login endpoint, main mobile service endpoint and other critical connections to ensure that all connection attempts originate from legitimate hosts or servers are so vital to the proper functioning of a super app. For super apps, I typically recommend adding yet one more network-based protection to the mix for security purposes. Network security solutions impact the performance of the app and typically can only handle 1 endpoint at a time. More simply, I recommend combining minimum TLS enforcement with mobile client certificates or secure certificate pinning as the perfect combination to ensure that only valid and authentic users and servers can establish secure connections with each other – keeping all relevant parties (and their data) safe.
Want to Protect Your Super App?
Because of the enormous value, user counts, and traffic volume associated with super apps, developers and security professionals should assume that pen testers and hackers know how to (and will) break into super apps.
Super apps offer cohesion and seamlessness via an incredibly personalized and fruitful experience for customers and brands alike, and in doing so, they build engagement, which allows them to grow their share of wallet. However, the makers of super apps must protect their apps, users and business with agile security, anti-fraud and mobile malware prevention protections inside super apps.
If you’re a developer of a super app, or if you’re responsible for ensuring a secure experience for your super app users, feel free to drop me a line to learn how you can deliver comprehensive security protections to any super app without compromising release schedules, functionality or the user experience.
If you would like to see Appdome in action and you’ve got 15 minutes to spare, use the button below to request a live Appdome demo. I’d be happy to demonstrate how you can use Appdome to instantly build security and anti-fraud features into any mobile app in minutes.Request a Demo