You’re no doubt already aware of the need to protect your mobile application to secure your IP and your end users’ sensitive data (banking information, identification, health data, and login credentials).
But did you know that mobile app security can act as a unique selling point?
Equip your app with robust protection mechanisms and you gain trust and credibility. You also meet compliance and regulatory requirements, and you reduce risk (and costs) in the long term.
Above all, mobile app security can set you apart from the competition. You see, not all of your competitors see it as a USP. But those that continue to be blind to its benefits will almost certainly be left behind in the coming years.
Asian super apps and QR code payments
Our focus in this article is on the Asian market because something very interesting is happening there. Asian super apps that offer a range of services, from banking to food delivery, are booming.
People are so reliant on these super apps that when a fire at a data center caused an outage of Kakao, the Korean super app, everyday life for millions stuttered. That’s because Kakao is used for pretty much everything.
It’s just one of a growing list of super apps that includes Naver in Korea, WeChat and Alipay in China, LINE in Japan, GoJek in Indonesia, GCash in the Philippines, and Grab and Careem across South East Asia.
You can pay (typically by scanning QR codes) with these apps, you can chat with friends, book trips overseas, and even manage your healthcare services.
A big reason for the popularity of Asian super apps can be explained in one word: convenience. End users of these apps often have very little need for others.
And for the companies behind them, it’s all about the opportunity to build more loyalty among customers. Some analysts already fear for the future of banks in Asia that only offer banking services given that users of super apps can do that and much more besides. That’s why a lot of banks are partnering with super apps - they want to be a part of this flourishing ecosystem.
A big aspect of this super app ecosystem is instant QR code payments. And much like the attraction to super apps in general, the rapid spread and normalization of QR code payments in Asia speaks to a desire for convenience. And of course we’re talking here about societies with a large base of smartphone users who are open to new ways of paying.
There’s been a lot of government support for QR code payments in China and Southeast Asia in particular. There’s a realization in the region that this is a payment method with barely any barriers to entry. Users don’t need NFC-enabled devices - they just need a camera. And it doesn’t need to be a top quality smartphone, so pretty much anybody on the planet with a smartphone can pay via QR codes. There’s also no need for expensive payment terminals (which also makes it a greener option) or processing fees, so QR code payments are much cheaper than alternative methods.
But it’s worth reminding ourselves that the phone wasn’t designed to be a payment terminal. As with SoftPOS apps that allow you to accept payments on your mobile device, QR code applications - or super apps in which QR code payments are just one of many functionalities - need to be equipped with robust protection mechanisms.
After all, while QR code scanning and payments have become commonplace in Asia, that isn’t to say that the practice is always safe, as we’ve written before on this website.
Malicious QR codes can be used to spread malware. Bogus QR codes can direct people to a fake site where attackers can carry out phishing attacks. And bad actors can even intercept them, stealing sensitive credentials and payment information.
What’s at stake?
In recent years, Asia has been targeted with a glut of attacks aimed at mobile applications (and mobile devices in general). Malware and phishing have been the most common methods.
Hackers clearly see an opportunity in a market where adoption and usage of mobile apps is some way ahead of the general understanding of the risks.
And super apps in particular are an attractive target given the diverse range of riches available to the attacker, from banking details and credentials through to health records and IDs. The modern super app is the equivalent of a Spanish galleon in the early seventeenth century, returning from the Americas overloaded with gold and with insufficient means of protecting itself from pirates.
It’s worth keeping in mind, too, that the nature of Asian super apps - utilizing functionalities, integrations, and components from third parties - is such that there are inherent vulnerabilities.
It’s the perfect storm. And the bigger the waves get, the better it is for the hacker.
This current reality is exacerbated by the fact that regulations enforcing mobile application protection can be slow to arrive around the world. But really an app developer shouldn’t have to be told about the need to protect their end users’ valuable data. Not when most app users download an application assuming that it’s already equipped with the means to defend itself against sophisticated attacks.
As we know, this isn’t always the case. And so successful attacks can have a devastating impact on individual lives. Savings that have taken years of hard work to amass can disappear overnight. In a moment of digital distraction, your end users can be tricked into downloading a fake version of your super app or payment application - where their credentials can be siphoned off to extract funds from the genuine app.
In this specific example, however, there are things you can do to stop the attack. Firstly, you can harden your application against decompilation and modification, as well as against dynamic analysis and tampering attempts. That will make the cloning process much more difficult for an attacker. You can also educate your end users about the dangers of phishing attacks and what’s at stake for them. Preach suspicion as much as you can.
But your end users aren’t the only ones who stand to suffer. Businesses like yours that develop applications would also take a huge hit if an attack found its target.
Seeing mobile app security as a unique selling point
Everything that you stand to gain from seeing mobile app security as a unique selling point is the reverse of what you stand to lose should you neglect security.
Take end user trust, for example. By demonstrating a commitment to doing all that you can to protect your end users’ sensitive data, you’ll gain their long-term trust and loyalty. It’s important to understand that consumers are changing, as is the business-customer relationship. Your end users put a lot of stock in feeling secure and protected in the digital world. Your efforts to make them feel this way will be rewarded in the long run. And competitors who don’t make this commitment will quickly disappear from view as successful attacks cause trust to disintegrate, destroying their business reputation.
It’s a similar story with long-term risks and costs. Security is often misunderstood by app developers as something that adds time and costs to the development plan. But the truth is that much more time and money tend to be funnelled into firefighting after a successful attack than is spent coding securely and then engaging and partnering with a reputable app protection company that can help you prevent such attacks from happening in the first place.
This picture is also true of regulations and compliance. In the coming months and years, more and more standards are set to arrive - particularly in the finance industry. Being able to demonstrate that your application complies with them will not only act as reassurance for your end users. It will also mean you don’t have to worry about potential penalties and the reputational hit that would come with a fine.
Finally, there’s the competitive advantage that app security provides you. Imagine that your company and a competitor are both launching super apps to the Singapore market at the same time. Your competitor sees security as a burden on its resources. It wants to deploy on time and sees equipping its app with protection mechanisms as something that would prevent this from happening.
Your company, on the other hand, operates a security by design approach, making sure the app is not only designed and coded securely but is also tested regularly against the most modern types of attacks. You engage and partner with an app security company early on in the process and add layers of security to safeguard your IP and end user data.
Which app do you think your prospective end users would choose to download?
We recently launched a guide to mobile application protection. It’s there to help developers, CISOs, CTOs and Product Managers to understand the threats facing their mobile app and what they can do to defend against attacks.