Super Apps are here to stay. How secure are they? And who's responsible?

By Team HardwareZone - 5 May 2023

Image Source: Rob Hampson on Unsplash

The New York Times described Super Apps as the “Swiss Army knife of apps.” Super Apps are multifunctional applications that unify numerous mobile app services into a common interface - sometimes through an ecosystem of different providers whose components are integrated into a seamless mobile experience.  

Super Apps are especially popular with Gen-Z and Millennial consumers, and as ASEAN is home to one of the youngest populations in the world, it is tipped to become a Super App supermarket. According to the Singapore Economic Development Board, the ASEAN Super App market will be worth US$23 billion in revenue by 2025 (up from US$4 billion in 2020) on the back of five main revenue drivers - ride sharing, food delivery, fintech, digital banking, and e-commerce. 

All that glitters… 

ASEAN’s demographics, emerging Super App ecosystem, and strong players like Grab, Gojek, Sea, WeChat and Alipay point to a mobile-first future. However, there are no guarantees when it comes to app security, and bolstering it is necessary if developers want to unearth their Super App “pot of gold.”

Security matters, because protecting Super Apps and users from cybersecurity threats is not only critical to securing users’ Personally Identifiable Information (PII) and ensuring the integrity of their financial transactions, but also an imperative to inspire confidence, downloads and utilisation. After all, a Super App’s value is in its usage and convenience, which is only possible if it balances security with user experience. And a recent Appdome mobile consumer survey found that consumers in Southeast Asia favoured transactional apps because of the freedom they offer, but expect those apps to have the highest levels of security.

Naturally, app developers believe the key to driving up engagement, customer loyalty and average revenue per user (ARPU) comes from presenting all services in a single app experience. Achieving this, however, requires careful integration and allowing an unprecedented level of third-party components like Buy Now Pay Later deals, loyalty, or P2P market buying functions within the app platform.  

A single-purpose app developer, for example, can control workflows, Application Programming Interfaces (APIs), network calls, read/write functions etc. In a Super App framework, however, these functions are sometimes provided by third parties, and can include components that were not originally designed to work together. This can lead to data theft and leakage threats at the interface points.    

Image Source: Kelly Sikkema on Unsplash

An ounce of prevention is better than a pound of cure

With Super Apps here to stay, the following are some of the most common security threats faced by users that must be proactively countered by developers and security teams.  

1. Insecure data storage, APIs, & interfaces

As the functionality of a Super App extends beyond a stand-alone app, developers often lack full security oversight, control and visibility over “other” APIs and partner applications within their app's ecosystem. In integrating functional elements into the Super App, developers risk compromising app security, thereby making the sharing, protection and transmission of personally identifiable information, transaction or payment data, and user behaviours and preferences more vulnerable to data theft.

Data theft or leakage can occur at the intersection of these services, and at the connections between these services and their cloud servers. Data protected by one element could be undone by another in the same app. Plugging these gaps requires a security model that includes data-at-rest protection, data-in-transit protection, anti-debugging, anti-hooking, anti-instrumentation and other security protections.

2. Using one consistent security model inside a heterogeneous Super App

Super Apps need more than one protection model because developers and security teams must manage a complex compatibility matrix, matching protections with source code and third-party components. Security will be compromised if developers do not adopt an agile security product capable of protecting all frameworks and methods in any app simultaneously. 

3. Insufficient obfuscation, RASP and weak jailbreak/root detection

Super App designers often prioritise user needs and UX before addressing challenges posed by hackers and bad actors. Every week, however, we (Appdome) see code scanning vendors having a field day with Super Apps - running them on jailbroken or rooted devices, devices infected with mobile malware, or older operating systems without the latest OS security updates. This is important because Super Apps must pass code scans or DevSecOps processes to meet release timelines or regulatory compliance objectives.

4. Dynamic attacks, credential stuffing, and IVT against Super Apps

Because they are essentially “multi-apps”, Super Apps are a prized target and vulnerable to multiple threats. To “weaponize” a Super App, for example, the attacker only needs to attack one part of the app, like its Buy Now Pay Later (BNPL) or driver functionality. This is enough because the components operate independently, so hackers need only one weak link to interfere with, harvest from, or attack that part of the app process. This makes executing or hiding the attack inside the app much easier.

5. Weak data-in-transit protection, lack of certificate validation and certificate pinning

Super Apps comprise multiple, critical, interdependent service endpoints, each of which should be protected with secure certificate pinning. Protecting the critical login and main mobile service endpoints, and other vital connections (to ensure all connection attempts originate from legitimate hosts or servers) is essential for the functioning of an app. For Super Apps, I typically recommend adding one more network-based protection to the security mix. Network security solutions impact the performance of the app and typically can only handle one endpoint at a time.  
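As an added illustration of the per-endpoint pinning described above (example code, not from the article or from Appdome): a Go check that keeps a separate SPKI pin set for each service endpoint, fails closed on an endpoint with no pins, and rejects a certificate whose public key matches none of that endpoint's pins. The hostnames and self-signed certificates are constructed fixtures; a real app would call VerifyPin from its TLS verification hook or ship the same pins in the platform's pinning configuration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// PinSets: SPKI pins accepted per endpoint (in production the live key plus a backup pin, so rotation cannot lock users out).
type PinSets map[string]map[string]bool

// SpkiPin is the base64 SHA-256 of the certificate's SubjectPublicKeyInfo, the value that platform pinning configs compare against.
func SpkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyPin fails closed: an endpoint with no pins, or a certificate key matching none of them, both refuse the connection.
func VerifyPin(sets PinSets, host string, cert *x509.Certificate) error {
	if len(sets[host]) == 0 {
		return fmt.Errorf("no pin set configured for %s", host)
	}
	if !sets[host][SpkiPin(cert)] {
		return fmt.Errorf("certificate for %s matches no pin", host)
	}
	return nil
}

// SelfSignedCert builds a throwaway certificate on a fresh Ed25519 key (constructed test fixture, not a real server cert).
func SelfSignedCert(host string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() { // constructed endpoints standing in for a Super App's login and payment services
	login, pay := SelfSignedCert("login.example"), SelfSignedCert("pay.example")
	sets := PinSets{"login.example": {SpkiPin(login): true}, "pay.example": {SpkiPin(pay): true}}
	fmt.Println(VerifyPin(sets, "login.example", login))                      // <nil>: accepted
	fmt.Println(VerifyPin(sets, "pay.example", SelfSignedCert("pay.example"))) // other key: refused
	fmt.Println(VerifyPin(sets, "rides.example", login))                      // no pin set: refused
}
```

Note that the third call is refused even though the certificate is otherwise valid: an endpoint added to the app without a pin set is a configuration gap, not a reason to fall back to trusting the device's CA store.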

Offensive defence

Built for engagement, Super Apps are expected to be a dominant digital platform in the years ahead, especially in Asia which was one of the first regions to adopt Super Apps. 

However, aspiring Super App development teams must develop a strong, agile defensive foundation first combined with real-time intelligence on the threats and attacks against the apps in production. An offensive-defensive game plan is needed to stay ahead of hackers and other cyber criminals to protect apps and users from fraud, malware, and other risks that could derail Super Apps before they have the chance to engage, personalise, and grow their share of wallet.

This article was contributed by Tom Tovar, CEO of Appdome, a cybersecurity company that focuses on mobile app defence. 
