
The expert warned about the vulnerability of online stores

Expert Shabalin: 94% of online stores are seriously vulnerable to intruders
Photo: IZVESTIA/Dmitry Korotaev

The majority of online stores (94%) are seriously vulnerable to intruders, Yuri Shabalin, an expert in mobile application protection and director of the Stingray product at AppSec Solutions, told Izvestia on May 22.

AppSec Solutions specialists tested the most downloaded mobile applications from Russian stores in the e-com and e-grocery categories. During the study, they found more than 3,200 vulnerabilities, of which almost half are in the "critical" and "high" categories, meaning they are potentially dangerous for users and for the companies that own the applications.

As Shabalin noted, mobile applications can be considered among the most vulnerable software that uses personal data. Unlike web applications, they operate in a dangerous environment, the user's device, which cannot be controlled.

The expert clarified that when ordering the development of a mobile application, businesses rely on contractors, and contractors rely on the security mechanisms of the Android and iOS operating systems.

"Often, teams that do not have information security specialists act as developers, and serious vulnerabilities are already allowed at the development level. As a result, the company seems to be saving money, without thinking about the fact that after some time the retailer's IT infrastructure may be attacked through the mobile application, because when we talk about e-commerce, the application is connected to the payment and logistics system," Shabalin emphasized.

According to him, the most acute problem in 2025 is the storage of sensitive data in an unprotected form. About 70% of online commerce applications store data from third-party services in the clear: passwords, PIN codes, personal information, and technical data that enable interaction with external Push notification services, geolocation tools, and other APIs.

As the expert explained, the potential consequences for the owners of an online store include takeover of the application and, as a result, draining of budgets for third-party services, phishing links being sent to users, and theft of databases or confidential keys. One of the most dangerous vulnerabilities that the experts discovered while studying e-commerce applications is the transmission of sensitive information to a BroadcastReceiver. This may lead to interception of that information by third-party applications.

Earlier, on May 13, it was reported that more than a third (37%) of successful cyber attacks on Russian companies in 2024 began with compromising employee credentials. In 2023, such attacks accounted for 19% of incidents, according to experts from the Solar 4RAYS Cyber Threat Research Center of the Solar Group of companies.

Translated by the Yandex Translate service
