This blog covers the top security challenges in protecting super apps and how to address them.
“Super Apps” are all the rage in the world of mobile apps these days. Every major mobile brand seems to be building Super Apps – including Google, Amazon, PayPal, Spotify, Uber, Instagram, and even Walmart. These supersized aggregator apps all have one goal – to provide you with the mobile app equivalent of “one-stop shopping” at the tip-tap of your finger.
What are the cybersecurity risks in building and using Super Apps? How can dev and security teams protect their super apps as well as the mobile users that use them?
I will try to answer all these exciting questions in this blog. Ok, let’s get going.
What are Super Apps?
Super apps are Android and iOS applications that unify multiple mobile app services into one common interface, sometimes through an ecosystem of different providers whose components are all integrated into one seamless mobile experience. The New York Times characterized super apps as the “Swiss Army knife of apps”. Super apps offer a range of services such as shopping, mobile payments and financial services, entertainment (streaming music or movies), rideshare, travel booking, and even healthcare, all from within the same app.
Makers of super apps are in an all-out arms race, attempting to combine as many related services into a single app as possible. For example, in the Fintech space, PayPal’s super app will include loyalty points management and redemption, mobile payments, Buy Now, Pay Later (BNPL), as well as in-app shopping and deals. Insurtech players like Alan (not me) are getting into the Super App game as well, as are telcos and content providers who offer super apps for all kinds of media, streaming and communication services in one app.
Major brands consider super apps an extremely important piece of the puzzle to win over the hearts and minds (and wallets) of younger generations – like the digitally-native Gen-Z, who use super apps for most of their day-to-day needs. Super apps are already very common in Asia, led by Grab, Gojek, Paytm, WeChat and Alipay. In LATAM, there’s Rappi, Mercado Libre, Magalu, and Baz – just to name a few. In EMEA, there’s Yandex and Lydia. In the U.S., many gig-economy apps have jumped on the super app bandwagon – including rideshare apps (Uber/Lyft), delivery apps (Instacart/Doordash), travel apps (Expedia/Airbnb), and entertainment apps (Spotify/Netflix). Every one of these powerhouse brands aspires to become a dominant super app by combining a mix of services into a single app. So yeah, super apps are a big deal. I mean, if Willy Wonka had a mobile app, he’d surely be a super app!
Top 5 Security Challenges Facing Super Apps
Super apps sound great for consumers, right? But, from a cybersecurity perspective, protecting super apps and the people who use them isn’t easy. On the one hand, the developers of super apps believe that the key to driving higher engagement, customer loyalty, and ARPU growth is presenting the user with related services inside a single app experience. Can’t argue with that. On the other hand, to achieve that, super apps have to integrate an unprecedented number of third-party components – BNPL, deals, loyalty, or P2P market-buying functions – and allow each of them to operate inside the app in whatever way it was designed to operate. Uber said as much in its recent announcement about relying on many other third-party providers for major parts of its super app.
As a cybersecurity professional, this makes you cringe. It means that the exploitable attack surface inside a super app is much larger than that of a single-purpose app. In a single-purpose app, the developer (and the security professional) has full control over the workflows, APIs, network calls, read/write functions, etc. In a super app, more of these basic functions are left to third parties and components that weren’t necessarily designed to work together, and that usually translates to greater risk at the interface points where all these components come together. One of the biggest risks is data leakage or theft, which can result from excessive exposure of data within APIs, security misconfigurations, or insecure storage of data inside the app, all of which can cause real headaches in protecting users and revenues.
Let’s explore some of the most common cybersecurity challenges in protecting super apps.
Insecure Data Storage, APIs, & Interfaces in Super Apps
Let’s assume you have an app that does it all. Awesome. But, for that app to work, the user must enter a lot of data and the app must connect to a bunch of external third-party services (far more than a stand-alone app). The functionality of a super app can extend way beyond a stand-alone app, and the developer of the super app may not have full control over how the “other” components in the app store, share, protect or transmit personally identifiable information (PII), transaction data, payment and health-related information, user behaviors, preferences, brand and provider affiliations, and much more. Exploits can occur at the intersection of all of these services as well as in the connections between these services and their cloud servers. Data protected by one component can quickly be undone by another component in the same app.
If you want to understand why traditional security solutions can’t address these problems, read this Hacker News article about how poorly implemented security SDKs from a leading mobile app security company were bypassed in 5 leading mobile banking apps (exposing mobile users’ fingerprint and biometric information… OUCH!). How did this happen? Easy: the security vendor’s SDK was implemented in an app in which the majority of the source code was not sufficiently obfuscated (among other missing protections). This leaky bucket needs to be addressed by building a comprehensive security model into the super app that includes (at least) data-at-rest protection, data-in-transit protection, anti-debugging, anti-hooking, anti-instrumentation and other security protections.
Using One Consistent Security Model Inside a Heterogeneous Super App
Think of a super app like a big pot of seafood gumbo, in which each component launches, connects, writes, reads, initiates, originates or terminates using a heterogeneous “pot” of technologies, standards, protocols, methods, data formats and storage types, all delivered in a single app to the mobile end-user. In the arms race to get more new offerings and mobile services into the super app, developers and security professionals may not have the time, expertise, or controls to accept only those components that are compatible with their chosen security model. To put it simply, Super Apps are incredibly hard to protect using one protection model, because the developer and security team have to manage a complex compatibility matrix, trying to match protections with source code (programming languages) and third-party components in the app, all with limited control over the underlying technologies used by those third parties. Security usually suffers, unless the developer and security professional can adopt an agile security product capable of protecting all frameworks and methods in any app simultaneously.
Insufficient Obfuscation, RASP, Weak Jailbreak/Root Detection
As with all consumer mobile apps, a super app maker has no control over the security posture of the end user’s device, and no guarantee that the app will be run by a real user or on a real device. Makers of super apps design their apps for real users, and often don’t account for the bad or malicious user, hacker or even friendly security researcher. In our line of work, we’ve seen code scanning vendors have a field day with Super Apps, running the super apps on jailbroken or rooted devices, devices infected with mobile malware, or older operating systems that lack the latest OS security updates. Or the source code may not be sufficiently obfuscated or tamper-resistant or might be susceptible to jailbreak bypass, root hiding, dynamic binary instrumentation (DBI), session hijacking using tools like Charles Proxy or BurpSuite, or abuse of Frida and other common pen-testing tools. This is important because Super Apps have to pass code scans or other DevSecOps processes to meet release timelines or satisfy regulatory compliance objectives. Failing these tests, of course, can stall releases – something no one wants, ever.
Dynamic Attacks, Credential Stuffing, and IVT Against Super Apps
Once bad actors learn how the mobile app or its code functions, they can craft downstream attacks (such as credential stuffing, fakes, clones, or trojans) to do just about anything, including Invalid Traffic (IVT) from malicious bots and account takeovers (ATOs). What’s more important, and unique to Super Apps, is that the number of high-value points of attack in a Super App is so much higher than in a stand-alone app. In other words, Super Apps are “multi-apps”, and as such they represent the ultimate target for IVT and ATO attacks. To weaponize a Super App, for example, an attacker need only attach to a single part of the app, say its BNPL functionality or its Driver functionality, and leave the rest of the application intact. Because all the components operate independently, hackers need only look for the weakest link and use it to interfere with, harvest from or attack that part of the app process. This makes executing, or even hiding, the attack inside the app much easier. To prevent this class of attack, developers and security teams should consider preventing overlay attacks, as well as misuse of ADB or Frida, dynamic binary instrumentation, shellcode injection, memory injection and other similar attacks.
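The "weakest link" problem described above has a direct consequence for detection: if each third-party component only watches its own login traffic, an attacker who spreads a credential-stuffing run across components never trips any single component's threshold. The following is an added Go example, not code from the original post or from Appdome, that runs the same detection rule twice over a constructed login log, once keyed on the source IP across all components and once keyed per component, and then lists accounts that went on to log in successfully from a flagged source. The log format, the component names (bnpl, rides, loyalty, shop), the accounts and the IP addresses are all constructed for the example, and the threshold of three distinct accounts within five minutes is an illustrative setting, not a recommendation from the post.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// loginEvent is one authentication attempt, normalised from whatever format each component
// emits; cross-component correlation is only possible once every component's log has this shape.
type loginEvent struct {
	at        time.Time
	component string
	user      string
	ip        string
	ok        bool
}

// sampleLog is constructed test input: timestamp, component, account, source IP, result.
// One source spreads a couple of failures over each component, so no component alone sees
// anything alarming, and then succeeds against one account.
const sampleLog = `2024-03-01T10:00:01Z bnpl    alice@example.com 203.0.113.7 FAIL
2024-03-01T10:00:02Z bnpl    bob@example.com   203.0.113.7 FAIL
2024-03-01T10:00:03Z rides   carol@example.com 203.0.113.7 FAIL
2024-03-01T10:00:04Z rides   dave@example.com  203.0.113.7 FAIL
2024-03-01T10:00:05Z loyalty erin@example.com  203.0.113.7 FAIL
2024-03-01T10:00:06Z loyalty frank@example.com 203.0.113.7 OK
2024-03-01T10:00:07Z shop    alice@example.com 198.51.100.2 FAIL
2024-03-01T10:00:09Z shop    alice@example.com 198.51.100.2 OK`

// parseLog turns the whitespace-separated sample format into events, rejecting malformed lines.
func parseLog(raw string) ([]loginEvent, error) {
	var events []loginEvent
	for n, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			return nil, fmt.Errorf("line %d: expected 5 fields, got %d", n+1, len(f))
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		events = append(events, loginEvent{at: at, component: f[1], user: f[2], ip: f[3], ok: f[4] == "OK"})
	}
	return events, nil
}

// maxDistinctUsers returns the most distinct accounts one group of failures hit inside any
// window that starts at one of its own attempts.
func maxDistinctUsers(failures []loginEvent, window time.Duration) int {
	best := 0
	for _, start := range failures {
		users := map[string]bool{}
		for _, e := range failures {
			if d := e.at.Sub(start.at); d >= 0 && d <= window {
				users[e.user] = true
			}
		}
		if len(users) > best {
			best = len(users)
		}
	}
	return best
}

// stuffingSuspects groups failed logins by key and reports groups that hit at least minUsers
// distinct accounts inside one window. Keying on source IP alone correlates across every
// component; keying on component+IP is all an isolated component's own monitoring would see.
func stuffingSuspects(events []loginEvent, key func(loginEvent) string, window time.Duration, minUsers int) map[string]int {
	groups := map[string][]loginEvent{}
	for _, e := range events {
		if !e.ok {
			groups[key(e)] = append(groups[key(e)], e)
		}
	}
	suspects := map[string]int{}
	for k, failures := range groups {
		if n := maxDistinctUsers(failures, window); n >= minUsers {
			suspects[k] = n
		}
	}
	return suspects
}

func byIP(e loginEvent) string          { return e.ip }
func byComponentIP(e loginEvent) string { return e.component + "/" + e.ip }

// likelyTakeovers lists accounts that then logged in successfully from a suspect IP: the point
// where a stuffing run turns into an account takeover and a forced re-authentication is due.
func likelyTakeovers(events []loginEvent, suspectIPs map[string]int) []string {
	var accounts []string
	for _, e := range events {
		if e.ok && suspectIPs[e.ip] > 0 {
			accounts = append(accounts, e.user)
		}
	}
	return accounts
}

func main() {
	events, _ := parseLog(sampleLog) // constant input; parseLog validates each line
	suspects := stuffingSuspects(events, byIP, 5*time.Minute, 3)
	fmt.Println(suspects, stuffingSuspects(events, byComponentIP, 5*time.Minute, 3), likelyTakeovers(events, suspects))
}
```

Run as is, the per-component view stays empty (two failures in bnpl, two in rides, one in loyalty) while the source-IP view flags the one address that touched five accounts, and frank@example.com surfaces as the account that then logged in from it. The same shape carries over to a real pipeline: normalise every component's authentication events into one schema first, then key on attributes the attacker necessarily shares across components (source address, device fingerprint, session token) rather than on per-component counters.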
Weak Data-In-Transit Protection, Lack of Certificate Validation & Certificate Pinning
Everyone knows I love to talk about MiTM defense, and nowhere is this more important than in the connections between the Super App and its backend. But, as I have said, super apps are also a composition of multiple, critical, interdependent service endpoints, each of which should be protected with secure certificate pinning. Protecting the critical login endpoint, the main mobile service endpoint and other critical connections, to ensure that all connection attempts originate from legitimate hosts or servers, is vital to the proper functioning of a super app. For super apps, I typically recommend adding one more network-layer protection inside the app itself. Network security solutions impact the performance of the app and typically can only handle one endpoint at a time. More simply, I recommend combining minimum TLS enforcement with mobile client certificates or secure certificate pinning as the perfect combination to ensure that only valid and authentic users and servers can establish secure connections with each other – keeping all relevant parties (and their data) safe.
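The combination recommended above (a TLS version floor, a mobile client certificate, and secure certificate pinning), which also covers the data-in-transit item from the Insecure Data Storage section, as an added Go example that is not code from the original post or from Appdome. It starts an in-process HTTPS backend that requires a client certificate and a client that pins the backend's public key, so both ends of the handshake are visible in one runnable file; a mobile app would express the client side through Android's network_security_config or an iOS pinning library instead, using the same SPKI hash. The certificates, the `superapp-backend` and `superapp-mobile-client` names and the 127.0.0.1 address are constructed test material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSignedCert mints a throwaway ECDSA P-256 certificate for 127.0.0.1 usable for server or
// client authentication. Constructed test material standing in for the super app's real PKI.
func selfSignedCert(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // SAN matching the address dialled
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the pin format used by Android's
// network_security_config and common iOS pinning libraries. Pinning the key survives renewals.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedClientConfig layers SPKI pinning on top of normal chain validation and refuses anything
// below TLS 1.2. VerifyPeerCertificate runs only after the chain validated against roots, so a
// mismatch here means "trusted chain, unexpected key", which is what a MitM certificate looks like.
func pinnedClientConfig(roots *x509.CertPool, pins []string) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		RootCAs:    roots,
		VerifyPeerCertificate: func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
			for _, chain := range verifiedChains {
				for _, cert := range chain {
					for _, pin := range pins {
						if spkiPin(cert) == pin {
							return nil
						}
					}
				}
			}
			return fmt.Errorf("tls: no certificate in the verified chain matches a pinned key")
		},
	}
}

// pinnedExchange makes one HTTPS request from the pinning client, presenting clientCert, to an
// in-process backend that only accepts client certificates chaining to clientCA. It returns the
// HTTP status and negotiated TLS version, or the error with which one side rejected the other.
func pinnedExchange(serverCert, clientCert tls.Certificate, clientCA *x509.Certificate, pins []string) (int, uint16, error) {
	clientCAs, roots := x509.NewCertPool(), x509.NewCertPool()
	clientCAs.AddCert(clientCA)
	roots.AddCert(serverCert.Leaf) // self-signed, so the leaf itself is the trust anchor
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	srv.TLS = &tls.Config{ // backend side: TLS 1.2 floor and a mandatory client certificate
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    clientCAs,
	}
	srv.StartTLS()
	defer srv.Close()
	cfg := pinnedClientConfig(roots, pins)
	cfg.Certificates = []tls.Certificate{clientCert}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
	if err != nil {
		return 0, 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, resp.TLS.Version, nil
}

func main() {
	server, _ := selfSignedCert("superapp-backend")
	client, _ := selfSignedCert("superapp-mobile-client")
	fmt.Println(pinnedExchange(server, client, client.Leaf, []string{spkiPin(server.Leaf)}))
}
```

The pin is the SHA-256 of the SubjectPublicKeyInfo rather than of the whole certificate, so a routine renewal under the same key does not break the app; ship a backup pin for the next key before rotating. Pinning is layered on top of ordinary chain validation, not substituted for it: the callback only ever sees chains that already verified, which is also how the Android and iOS implementations behave. With the correct pin and a trusted client certificate the request returns 200 over TLS 1.3; a pin for a different key under the same hostname fails on the client side, and a client certificate the backend does not trust fails on the server side.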
Want to Protect Your Super App from Cybersecurity Attacks?
Super apps offer cohesion and seamlessness via an incredibly personalized and fruitful experience for customers and brands alike, and in doing so, they build engagement, which allows them to grow their share of wallet.
Because of the enormous value, user counts, and traffic volume associated with super apps, developers and security teams should assume that hackers know how to (and will) break into super apps.
Developers of super apps must protect their apps, users and business with agile security, anti-fraud and mobile malware prevention protections.
If you’re a developer of a super app, or if you’re responsible for ensuring a secure experience for your super app users, feel free to drop me a line to learn how you can deliver comprehensive security protections to any super app without compromising release schedules, functionality or the user experience – from within the DevOps pipeline that you use to build apps today.
If you would like to see Appdome in action and you’ve got 15 minutes to spare, use the button below to request a live Appdome demo. I’d be happy to demonstrate how you can use Appdome to instantly build security and anti-fraud features into any mobile app in minutes.