Just in time for Black Friday, Cyber Monday and the holiday shopping season, we investigated the most recent versions* of 30 of the leading, well-known mobile shopping applications to see how the application providers protect users from security and privacy risks.
The results, based on our Advanced Application Analysis z3A technology, are alarming:
- 100% of iOS-based apps and 90% of Android-based apps failed to receive a passing privacy grade. This means things like private user data, unique device identifiers, SMS, communications, and data storage are all at risk.
- 83% of iOS-based apps and 97% of Android-based apps failed to receive a passing security grade. These risks include application capabilities and critical vulnerabilities.
In addition, we tested the 60 apps (30 iOS and 30 Android) against The Open Web Application Security Project’s (OWASP) Mobile Top 10.
For those who may not know, OWASP is a worldwide not-for-profit charitable organization focused on improving the security of software. OWASP publishes a top 10 list of app development best practices applying to mobile apps.
When the apps were evaluated against the OWASP top 10 list, the results were alarming:
- 100% (60 apps – 30 iOS; 30 Android) are vulnerable to reverse engineering, which attackers use to create imposter apps to steal from customers and/or defraud shoppers.
- 92% (55 apps – 30 iOS; 25 Android) do not properly secure the communications of sensitive data.
- 70% (42 apps – 30 iOS; 12 Android) do not properly secure the storage of sensitive data.
- 48% (29 apps – 29 iOS) are vulnerable to code tampering. An attacker could view data and possibly create manipulated outputs (e.g., fraudulent transactions).
The full report, Privacy and Security Issues Found in Popular Shopping Apps, provides a deep analysis of each of the 30 shopping apps. This is the third app-focused report we’ve produced. The first report looked at the top banking apps and the second one reviewed the leading travel apps. For those wanting to hear insights from our researchers, webinars on all three reports are available.
While the results in the report are anonymous, we are reaching out to each company to review the detailed report for its own app.
*We scanned and scored the most recent versions of 60 (30 iOS and 30 Android) mobile shopping apps available in the Apple App Store and Google Play in October 2019.