Much of this data, though, can also be accessed wirelessly, particularly when the user is using a shared public Wi-Fi connection. Although it's true that all such public connections are security- and privacy-challenged, the way Wal-Mart crafted its mobile app makes it especially vulnerable to a wireless attack. First, all product images and scans are being transmitted in the clear, which means that anyone on that connection sniffing wirelessly will see everything. Even if it's a crowded Wi-Fi hotspot, tying that data back to a specific person isn't difficult. "Most smartphones broadcast the device name," said Wood, "so correlating the IP address that's looking at sensitive products and the device name — MAC address will be the same — is not hard to do. You just have to match and follow the TCP stream using a tool like Wireshark."
For more sensitive information — such as passwords - Wal-Mart did use HTTPS, but it didn't encrypt or otherwise protect it, as it did with other information. Wal-Mart "managed to hash a lot for different functions (in its mobile app) when transmitting, so I don't know why they chose to send account creation details unhashed and just rely on HTTPS," Wood said. "And if a malicious user strips the SSL off, then they will be able to recover the username and password as they are sending it unhashed/unencrypted within the request."
Is there a more secure route that Wal-Mart could have gone? Wood argues there is. "To combat this, apps need to utilize certificate pinning. As a developer, you can either pin the Web service's certificate within the app itself, which takes the Certificate Authority out of the picture, or 'pin' the CA's certificate that was used to sign the server's certificate on the back end, limiting trust to only certificates signed by that CA," he said. "This is important because it reduces the threat against a malicious user being able to introduce their rogue certificate into the mix and prevent an attacker from utilizing a proxy server to masquerade as the server. While not an end-all, it helps defend against intercepting on the server side."
The point of all of this is not that Wal-Mart and Walgreens were especially reckless when it came to security — although both could have certainly done more — but that many of the largest companies with the best IT talent are still not focusing sufficiently on mobile app security. And if they're not, what are the chances that small companies are? Mobile app security needs to get top-tier IT attention, and it needs to happen now. I assure you: Cyberthieves and corporate espionage agents are already on it.
Sign up for MIS Asia eNewsletters.