These apps are becoming more popular and encompassing more and more sensitive data—which is exactly why they’re attracting cyberthieves.
In today’s highly competitive market, brands are tasked with providing a seamless, integrated, and convenient user-app experience to attract users. With the limited space on smart phone home screens, companies have started consolidating apps under one corporate umbrella to create a one-stop-shop for users, giving rise to super apps.
Instead of one application with a single or very few capabilities, super apps provide multiple services in one place. They even play host to numerous mini-apps, creating a platform that lets consumers carry out a suite of activities in one place.
Super apps aren’t new to the digital age. The first company to successfully implement the concept was WeChat, a Chinese instant-messaging, social-media, and mobile-payment app developed by Tencent. Initially designed for messaging, WeChat expanded into a massive e-commerce platform boasting 1.3 billion active monthly users.
The demand for an all-encompassing platform has grown in regions where smart phones lack the capability to host multiple separate apps. Despite the demand for super apps, their adoption has been slow in the United States and Europe due to strict regulations surrounding data privacy and security.
As smart-phone penetration moves toward saturation, many American tech companies have attempted to increase the stickiness of their offerings by adding features. Now, it’s more competitive than ever to develop a successful super app as U.S. tech giants engage in a game of survival of the fittest to gain dominance.
Consumer Protection
Regulators are concerned that super app companies will be able to gather an extensive amount of personal and sensitive user information, data that could potentially be abused for commercial and advertising purposes, or worse. For these very reasons, consumer-protection laws remain at the forefront in places like the European Union to restrict sharing, selling, and leveraging user data for corporate gain.
Officials in the U.S. have taken similar steps in recent years. For instance, the Federal Trade Commission (FTC) has put companies developing health apps “on notice” out of concern that consumers’ sensitive information could be used or shared with advertisers or other third parties.
Failure to obtain consumers’ express affirmative consent to use sensitive data for marketing purposes violates U.S. law. In March, the FTC ordered telehealth app BetterHelp Inc. to pay $7.8 million to consumers because it revealed sensitive data to third parties, like Facebook and Snapchat, after promising users it would keep that data private.
Of course, concerns over user data and privacy with super apps extend beyond advertising. Expanded access for app developers to user data, especially if they span across industries, can also present national-security risks.
Payments Fraud
As an application expands across industries, including new application programming interface endpoints, pages, and users, it creates a larger attack surface for cybercriminals to infiltrate. The sheer complexity of super apps makes it easier for bad actors to locate security oversights and harder for administrators to monitor potential attacks. This becomes especially risky as super apps are expected to disrupt the banking sector over the coming years.
Super apps already capitalize on open-banking capabilities to offer a range of payments and financial services. The increased integration of banking presents fraudsters with even more opportunities to access the financial system. Developers are now rushing to make new offerings and mobile features available on the market, often at the expense of comprehensive security protocols, as they grapple with the challenge of reducing time to market while trying to balance speed and security. The lack of consistent compliance standards for developers raises questions about where the liability rests, particularly when it comes to security, putting the burden on banks to ensure their customers’ data and transactions remain protected.
As users and merchants partner with super-app platforms, they are subject to an increased level of risk. For example, when consumers use several separate apps, a data breach at one of them exposes only the information held by that one app, so they need to worry about a criminal accessing their information from just one or two places. Should a breach take place on a super app, criminals would gain access to a wide range of consumer data stored across the platform’s ecosystem.
Furthermore, vulnerabilities in identity-verification procedures could become a substantial risk, as cybercriminals frequently use credential stuffing or account takeovers (especially from bots) to abuse user data. Criminals also target super apps by setting up fake accounts with stolen or falsified information, often creating multiple accounts at once.
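The two abuse patterns just described, credential stuffing from bots and bulk fake-account creation, both leave a recognizable velocity signature in authentication logs. The following is an added example, not code from the article or from any vendor it mentions, showing how a platform's fraud team might flag them. The log format, the thresholds, the IP addresses (documentation ranges) and the usernames are all constructed for the example; a real deployment would tune the thresholds and feed this from its actual login and signup events.

```python
"""Added example: velocity-based detection of credential stuffing,
account takeover and bulk signups over constructed auth events."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed sliding window per source address
MIN_FAILED = 5                  # failed logins from one source in the window
MIN_DISTINCT_USERS = 5          # distinct usernames tried from that source
MIN_SIGNUPS = 3                 # account creations from one source in the window

# Constructed sample log: "<timestamp> <source_ip> <event> <username> <result>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 login alice fail
2024-05-01T10:00:03 203.0.113.7 login bob fail
2024-05-01T10:00:05 203.0.113.7 login carol fail
2024-05-01T10:00:06 203.0.113.7 login dave fail
2024-05-01T10:00:08 203.0.113.7 login erin fail
2024-05-01T10:00:09 203.0.113.7 login frank ok
2024-05-01T10:01:00 198.51.100.4 login alice fail
2024-05-01T10:01:30 198.51.100.4 login alice fail
2024-05-01T10:02:00 198.51.100.4 login alice ok
2024-05-01T10:05:00 192.0.2.9 signup newuser1 ok
2024-05-01T10:05:10 192.0.2.9 signup newuser2 ok
2024-05-01T10:05:20 192.0.2.9 signup newuser3 ok
"""


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, ip, event, user, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "event": event,
            "user": user, "ok": result == "ok"}


def detect(log_text):
    """Return sorted alerts as tuples: (alert_type, source_ip[, username]).

    credential_stuffing: many failures against many distinct usernames from
                         one source inside WINDOW (one password per account)
    possible_takeover:   a successful login from a source already in a
                         stuffing burst (the account that "worked")
    bulk_signup:         several account creations from one source in WINDOW
    """
    by_ip = defaultdict(list)
    for raw in log_text.splitlines():
        if raw.strip():
            event = parse_line(raw)
            by_ip[event["ip"]].append(event)

    alerts = set()
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, cur in enumerate(events):
            # advance the window start so only events within WINDOW remain
            while cur["ts"] - events[start]["ts"] > WINDOW:
                start += 1
            window = events[start:end + 1]
            failed = [e for e in window if e["event"] == "login" and not e["ok"]]
            signups = [e for e in window if e["event"] == "signup"]

            distinct_users = {e["user"] for e in failed}
            stuffing = (len(failed) >= MIN_FAILED
                        and len(distinct_users) >= MIN_DISTINCT_USERS)
            if stuffing:
                alerts.add(("credential_stuffing", ip))
                if cur["event"] == "login" and cur["ok"]:
                    alerts.add(("possible_takeover", ip, cur["user"]))
            if len(signups) >= MIN_SIGNUPS:
                alerts.add(("bulk_signup", ip))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In the sample, 203.0.113.7 tries one password against five different accounts and then succeeds on a sixth, which is the classic stuffing-then-takeover shape; 192.0.2.9 opens three accounts in twenty seconds. The two failures for alice from 198.51.100.4 stay below the thresholds and produce nothing, which is the intended trade-off: per-source velocity catches bots without locking out a single user who mistyped a password.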
Payment fraud also occurs on super apps. Cybercriminals will use stolen card details, likely obtained through data breaches or phishing scams, to make a purchase. The real card owner will file a chargeback, and the merchant foots the bill (on top of losing inventory).
Given the risks associated with super apps and the frequency with which they handle financial data, payment providers must continuously review standard underwriting protocols to prevent fraudulent actors from abusing the technology. This is in addition to current security measures typically implemented by developers, including code obfuscation, advanced encryption, and runtime application self-protection (RASP).
The Future
Creating a digital fingerprint for each device in a super app’s ecosystem would allow for the effective detection of risky activity and confirmation of user identity. However, this becomes complex when credentials are shared across multiple services. This creates serious implications for user data privacy and can be potentially exploited by bad actors.
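To make the device-fingerprint idea above concrete, here is an added example (not code from the article) of the two checks a platform typically builds on such a fingerprint: is this account logging in from a device it has never used, and is this device being used by an implausible number of accounts, the pattern left by the shared or emulated devices behind bulk fake accounts. The attribute set, the hashing approach and the threshold of three accounts per device are assumptions for the example. Hashing the attributes, rather than storing them raw, is one way to limit the privacy exposure the paragraph warns about, since the risk model then holds only an opaque identifier.

```python
"""Added example: device-fingerprint risk checks for a super-app login."""
import hashlib
import json
from collections import defaultdict

MAX_ACCOUNTS_PER_DEVICE = 3   # assumed policy threshold for a shared device

# Constructed device attribute sets (what a mobile SDK might report)
PHONE_A = {"platform": "android", "os": "14", "model": "Pixel 7",
           "screen": "1080x2400", "tz": "America/New_York", "app": "5.2.0"}
PHONE_B = {"platform": "ios", "os": "17.4", "model": "iPhone 14",
           "screen": "1170x2532", "tz": "America/Chicago", "app": "5.2.0"}


def device_fingerprint(attrs):
    """Stable opaque identifier: SHA-256 of the canonical JSON encoding.

    Canonical (sorted keys, no whitespace) so that attribute order does not
    change the result, and hashed so the raw attributes need not be stored.
    """
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class DeviceRiskModel:
    """Tracks account<->device links and scores each login attempt."""

    def __init__(self):
        self.devices_by_account = defaultdict(set)
        self.accounts_by_device = defaultdict(set)

    def assess(self, account, attrs):
        fp = device_fingerprint(attrs)
        reasons = []

        # Check 1: account has never been seen on this device
        if fp not in self.devices_by_account[account]:
            reasons.append("new_device")

        # Check 2: device already tied to too many distinct accounts
        linked = self.accounts_by_device[fp] | {account}
        if len(linked) > MAX_ACCOUNTS_PER_DEVICE:
            reasons.append("device_shared_by_many_accounts")

        # Record the link regardless, so repeat attempts are attributable
        self.devices_by_account[account].add(fp)
        self.accounts_by_device[fp].add(account)

        if "device_shared_by_many_accounts" in reasons:
            action = "block"
        elif "new_device" in reasons:
            action = "step_up"      # e.g. re-verify identity before proceeding
        else:
            action = "allow"
        return {"fingerprint": fp, "action": action, "reasons": reasons}


if __name__ == "__main__":
    model = DeviceRiskModel()
    print(model.assess("alice", PHONE_A))   # step_up: first time on this device
    print(model.assess("alice", PHONE_A))   # allow: known device
    for name in ("bob", "carol", "dave"):
        print(name, model.assess(name, PHONE_A)["action"])  # dave is blocked
```

Note what the model deliberately does not do: it does not treat a new device as fraud on its own, because people replace phones, so the response is a step-up verification rather than a block. The block decision is reserved for the fingerprint-to-account ratio, which is the signal that distinguishes a bot farm from a family sharing a tablet only once the threshold is set from the platform's own data.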
Looking to the future, major players across verticals will partner with super-app tech companies seeking to consolidate their services to a single access point. This will include participants in the payments ecosystem because financial services are a major component of most app offerings, especially since they drive app revenues.
Awareness of these risks must play a crucial role in considering partnerships with super-app developers. Particular focus should be given to maintaining tight customer-verification protocols and continuous monitoring for malicious activity.
It is the responsibility of every partner involved to ensure that they are armed with the proper detection and protection mechanisms to prevent insidious actors from exploiting users, merchants, financial institutions, and the global financial network.
—Maya Shabi is payments and risk specialist at EverC.