Uber just announced it will add the ability to book long-distance travel on planes, trains, and buses, reflecting the company’s ambitions to become a travel “super app.” A pilot project is being launched in the U.K. that will integrate offers from travel partners into the Uber app.
Super Apps have been called “The Business Model to Watch This Year” by Prof. Scott Galloway and Kara Swisher on their Pivot show (available here).
These so-called “super apps” have been on the rise for some time now and in certain regions of the world have become the default way of consuming a wide variety of experiences and services. The most obvious example is WeChat: China’s leading social app has become a successful super app, offering messaging, social networking, shopping, payments, and a range of other services. In 2017, WeChat even launched a feature called “Mini Programs”, allowing business owners to build mini-apps inside the WeChat ecosystem, implemented in JavaScript against a proprietary API.
Apps like WeChat and Alipay in China show us what’s possible when an entire country leapfrogs over the PC era directly to mobile. And while the contexts and nuances differ significantly, companies are now following the trend started by the East and dipping their toes into super apps.
Creating a platform instead of a single-use app has become the goal as it allows providers to leverage customer loyalty and data to greatly expand services and reach.
From a technical point of view this presents some interesting challenges. The “super app” accumulates more and more connectivity to external services and becomes harder to reason about from a threat perspective: how are these connections implemented, which APIs are exposed, and with what privileges can each of them communicate?
Open Banking goes hand in hand with the concept of “Super Apps”
Because of Open Banking regulation (the UK’s Open Banking standard and the EU’s PSD2 directive), many banks now expose APIs that let super apps correlate financial data from multiple sources to better understand and serve their target customers. Banks are seeing that customers are willing to trade their loyalty to established incumbents for the convenience that fintech startups can provide. All this inter-financial connectivity is API-led and needs to be done securely to maintain customer trust.
Super-apps can also use open banking data coupled with technologies such as artificial intelligence (AI) and machine learning (ML) to make data-driven decisions and develop customer-focused products across the ecosystem. As consumers are rightfully more and more sensitive to privacy issues, being able to do so securely and safely is key.
How to Secure a Super App
Another example of a super app is Gojek, based out of Indonesia. They provide an excellent account of their journey to build and maintain a world-class security program for a super app.
They describe how they spend most of their time testing the existing app to find technical and logical security bugs, and get them patched.
Some major bug classes they encountered were:
Authentication Issues — Ex: APIs that can be called without logging in. Such APIs became targets for scripted attacks.
Authorization issues — Ex: One customer can view other customers’ order history (which includes sensitive details such as address and phone number) simply by referencing another customer’s identifier.
Race Conditions — Ex: While transferring money via GoPay, if multiple transfer requests hit the server at the same time, the sender is debited less than the total transferred while the receiver is credited for every request.
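The race condition in the last bullet is the kind of logical bug that no gateway or inline device will catch, because every individual request looks well-formed. The following is an added example, not code from Gojek’s write-up or from GoPay: it reproduces the lost-update pattern in Python against a constructed in-memory ledger (the account names, balances and amounts are made up), then shows the hardened form. The racy transfer reads the sender’s balance, checks it, and writes back a value computed from that stale read, while the credit side is modelled as an atomic increment (the equivalent of `SET balance = balance + :amt` in SQL). A `threading.Barrier` is used purely to make the interleaving deterministic for the demo; in production the same window is opened by genuinely parallel requests.

```python
import threading


class Ledger:
    """Constructed in-memory wallet ledger for this demo only (not GoPay's code)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self._lock = threading.Lock()

    def transfer_racy(self, src, dst, amount, barrier=None):
        """Vulnerable: read -> check -> write on the sender with no atomicity.

        Concurrent requests all read the same pre-transfer balance, so the
        debit is a lost update (effectively applied once) while the credit,
        modelled as an atomic increment, is applied once per request.
        """
        src_balance = self.balances[src]              # 1. read
        if src_balance < amount:                      # 2. check
            return False
        if barrier is not None:
            barrier.wait()  # demo only: hold every request past the check before any write
        self.balances[src] = src_balance - amount     # 3. write a value based on the stale read
        with self._lock:                              # credit side: atomic increment
            self.balances[dst] += amount
        return True

    def transfer_safe(self, src, dst, amount):
        """Hardened: the whole read-check-write runs under one lock.

        This is the in-process equivalent of `SELECT ... FOR UPDATE` inside a
        single transaction, or a conditional `UPDATE ... WHERE balance >= :amt`
        whose affected-row count decides success.
        """
        with self._lock:
            if self.balances[src] < amount:
                return False
            self.balances[src] -= amount
            self.balances[dst] += amount
            return True


def run_concurrent_transfers(racy, n_requests=4, amount=30):
    """Fire n_requests simultaneous transfers of `amount` from alice to bob.

    Returns (alice_balance, bob_balance, number_of_successful_transfers).
    Alice starts with 100, so at most three transfers of 30 should ever succeed.
    """
    ledger = Ledger({"alice": 100, "bob": 0})
    results = [False] * n_requests
    barrier = threading.Barrier(n_requests) if racy else None

    def worker(i):
        if racy:
            results[i] = ledger.transfer_racy("alice", "bob", amount, barrier)
        else:
            results[i] = ledger.transfer_safe("alice", "bob", amount)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return ledger.balances["alice"], ledger.balances["bob"], sum(results)


def money_created(racy):
    """Money in the system after the transfers minus the 100 that existed before."""
    alice, bob, _ = run_concurrent_transfers(racy)
    return alice + bob - 100


if __name__ == "__main__":
    print("racy:", run_concurrent_transfers(racy=True))    # (70, 120, 4): 90 created from nothing
    print("safe:", run_concurrent_transfers(racy=False))   # (10, 90, 3): fourth request rejected
```

The racy run reports four “successful” transfers of 30 from a balance of 100, leaves the sender at 70 and the receiver at 120, and so creates 90 units of money that never existed. The safe run serializes the check and the write, so exactly three transfers succeed and the fourth is rejected. The lock is the simplest fix to show in one process; across service instances the same property has to come from the database (row locking, a conditional update, or an optimistic version column), and a test that fires parallel requests at the transfer endpoint is the way to prove it holds.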
Today there are multiple options for securing the many tentacles of a super app, from inline security devices to API gateways, to dedicated API security platforms, and bringing security earlier into the development lifecycle by “shifting left”. Note that edge controls such as gateways are good at enforcing authentication and rate limits, but the authorization and business-logic bugs in the list above only surface when the application itself is tested. Nothing will drive users away from your platform quicker than the loss of trust, so maintaining a good security posture whilst delivering these new and exciting services to the market will be key.
Filip Verloy serves as the Field CTO for the EMEA region at Noname Security. In his role, Filip engages and advises customers, partners and the security industry at large, sharing his experience, insights, and strategies on API security. Prior to joining Noname Security, Verloy was the Field CTO for EMEA at Rubrik, a data security start-up. He has also previously served at various IT vendors including Citrix, Dell, Riverbed, and VMware.