4.2 Mobile, Social Network & Cloud Security Issues
E-commerce now runs primarily on mobile, generates traffic via social networks, and is hosted in the cloud — each platform has its own security challenges.
1. Mobile Platform Security Issues
Why mobile is risky
- Personal device, sometimes shared — family use the same phone
- Multiple apps with overlapping permissions — game asks for SMS access
- Lost / stolen more often than laptops
- Sideloading (Android) — apps from outside Play Store
- Public WiFi usage — coffee shops, airports
- Always-on, always-connected — broader attack window
- Notifications expose data on lock screen
Common mobile threats
| Threat | Description |
|---|---|
| Malicious apps | Fake apps in app store; sideloaded malware |
| App permission abuse | App requests / receives more permissions than needed |
| Insecure data storage | App stores card / OTP unencrypted on device |
| Insecure communication | App uses HTTP instead of HTTPS |
| Reverse engineering | APK / IPA decompiled to find hard-coded keys, hidden API endpoints and client-side checks that can be bypassed |
| Rooting / Jailbreaking | Bypasses OS security; many apps refuse to run |
| SIM-swap fraud | Telecom employee tricked into porting victim's number → OTP intercepted |
| SMS interception | OTP read by malicious app with SMS permission |
| Phishing via SMS | Smishing: the link leads to a credential-phishing page or a malicious APK download |
| Public WiFi MITM | Rogue access points and captive-portal phishing; any cleartext (HTTP) traffic can be read or modified on the way |
Mobile security defences
For app developers:
- OWASP Mobile Top 10: the standard risk catalogue; the MASVS / MASTG companions are the actual test checklist
- Certificate pinning: the app accepts only a pre-bundled server certificate or public-key hash, so a rogue CA trusted by the OS is not enough for MITM
- Encrypted storage: Android Keystore, iOS Keychain for keys and tokens; never plain files or SharedPreferences for card data or OTPs
- Obfuscation: ProGuard / R8 or commercial tools make reverse engineering slower (it does not stop a determined analyst)
- Anti-tampering checks: root / jailbreak detection, APK signature verification, debugger and hooking detection, Play Integrity / App Attest
- Biometric auth: fingerprint, face ID, bound to a Keystore / Keychain key
- Force HTTPS: cleartextTrafficPermitted="false" in Android's network security config, App Transport Security on iOS
For users:
- Install apps only from official stores
- Review permissions before granting
- Update OS and apps regularly
- Don't root / jailbreak unless you know risks
- Lock screen with strong PIN / biometric
- Keep device encryption on (default on current Android and iOS once a screen lock is set)
- Use VPN on public WiFi
- Use Mobile Device Management (MDM) for company devices
Indian mobile-fraud trends
- Fake banking apps mimicking SBI, HDFC, ICICI
- OTP harvesting malware in WhatsApp APKs
- SIM swap to defeat 2FA
- UPI phishing via WhatsApp/Telegram
- Fake KYC apps stealing PAN/Aadhaar
---
2. Social Network Security Issues
Threats from / via social networks
| Threat | Description |
|---|---|
| Identity theft via profile data | Birthdate, school, pet name → security-question answers |
| Social engineering | Build trust via fake profiles, then attack |
| Account takeover | Compromised social account used to reset passwords or sign in to linked services via social login |
| Phishing via DMs | "Hey check this out" with malicious link |
| Romance scams | Long-con relationships for financial fraud |
| Investment scams | Fake influencers promoting Ponzi schemes |
| Job scams | LinkedIn fake recruiters asking for fees |
| Catfishing | Fake identities for various scams |
| Doxxing | Publishing private info to harass |
| Malicious apps / extensions | Third-party apps with broad permissions |
E-commerce-specific social issues
| Issue | Description |
|---|---|
| Fake reviews | Paid 5-star or fake 1-star reviews |
| Counterfeit ads | Brand impersonation in ads |
| Influencer fraud | Bought followers / engagement |
| Brand impersonation | Fake company pages |
| Customer service impersonation | Replying to customers as fake brand |
| Coupon scams | "Free product" leading to data harvest |
| Live-stream scams | Fake products in live commerce |
Defences
- Verify brand handles (verified badge, but on X/Twitter the blue check is purchasable, so cross-check the handle against the link on the brand's own website)
- Privacy settings — limit profile visibility
- Strong, unique passwords + 2FA on social
- Beware too-good-to-be-true offers
- Report fake profiles to platforms
- For brands: social listening tools (Brand24, Talkwalker) to detect impersonation
---
3. Cloud Security Issues
The shift to cloud has changed the security model. Cloud is a shared responsibility:
| Responsibility | AWS / Azure / GCP | Customer |
|---|---|---|
| Physical security | ✓ | |
| Network infrastructure | ✓ | |
| Hypervisor / VM isolation | ✓ | |
| OS patches (PaaS / SaaS) | ✓ | |
| OS patches (IaaS VMs) | | ✓ |
| Applications | ✓ for SaaS only | ✓ for IaaS / PaaS |
| Data (classification, access, backups) | | ✓ |
| Access control / IAM | | ✓ |
| Encryption keys | ✓ provider-managed default | ✓ customer-managed option (KMS) |
| Compliance | partial: security of the cloud | partial: security in the cloud |
"Shared responsibility model" is a mandatory IPU concept for cloud security.
Cloud-specific threats
| Threat | Description |
|---|---|
| Misconfigured S3 buckets | Open to internet, expose data |
| Stolen / leaked API keys | GitHub-leaked AWS keys → mining bills |
| Insider threats | Cloud admin abuses access |
| Multi-tenant escape | (Rare) VM escape to other tenants |
| Account takeover | Compromised IAM credentials |
| DDoS | Cheap cloud capacity makes attacks easy to launch; on the receiving side, autoscaling under attack turns an availability loss into a surprise bill |
| Data residency | Compliance — where is data stored? |
| Vendor lock-in | Hard to migrate; supplier risk |
| API vulnerabilities | Control-plane (management) APIs reachable with any stolen credential; SSRF against the instance-metadata service (IMDS) leaks the VM's role credentials |
| Insecure interfaces | Misconfigured Kubernetes, exposed databases |
Famous cloud breaches
| Year | Incident | Cause |
|---|---|---|
| 2017 | Equifax, ~147M records | Unpatched Apache Struts flaw in a web application (a patching failure, not a cloud misconfiguration) |
| 2019 | Capital One, ~106M records | SSRF through a misconfigured WAF instance on EC2 reached the instance-metadata credentials of an over-privileged IAM role, which could read S3 |
| 2019 | Facebook, ~540M records | Third-party app developers left Facebook user data in public S3 buckets |
| 2020 | SolarWinds | Supply-chain attack (trojanised Orion update); attackers then pivoted into victims' Microsoft 365 / Azure AD tenants |
| 2023 | T-Mobile, ~37M records | Customer-data API abused without authorisation |
Cloud security defences
| Layer | Defence |
|---|---|
| Identity | IAM with least privilege; MFA for all human users; rotate service-account keys |
| Network | VPC isolation; security groups; private endpoints |
| Data | Encrypt at rest + in transit; customer-managed keys (KMS); data residency policies |
| Workload | OS patching; container scanning; runtime protection (Falco, Sysdig) |
| Monitoring | CloudWatch, CloudTrail, GuardDuty; alerts on unusual activity |
| Compliance | Audit configurations (AWS Config, Azure Policy); automated remediation |
| Backup | Cross-region, immutable backups |
Cloud Security Tools
| Tool | Type |
|---|---|
| AWS GuardDuty / Azure Defender / GCP Security Command Center | Threat detection |
| AWS WAF / Cloudflare / Azure Front Door | Web application firewall |
| AWS Shield / Cloudflare DDoS | DDoS protection |
| AWS KMS / Azure Key Vault / GCP KMS | Key management |
| AWS Config / Azure Policy | Configuration compliance |
| AWS IAM Access Analyzer | Finds resources shared with external principals and unused roles / permissions; validates policies against best practice |
| Wiz, Lacework, Orca, Prisma Cloud | Third-party CSPM (Cloud Security Posture Management) |
---
Cloud Service Models — security responsibilities
The customer's security burden shrinks as you move up the cloud stack — but it never hits zero. With IaaS (EC2, Azure VMs, Google Compute Engine), the cloud provider handles the physical datacentre, networking, and hypervisor, but the customer is still responsible for OS patching, application security, data, IAM, and network rules — essentially everything from the operating system upward. With PaaS (Heroku, AWS Elastic Beanstalk, Vercel), the OS and runtime are handled by the provider; the customer manages only application code, data, and IAM. With SaaS (Shopify, Salesforce, Google Workspace), the provider runs the entire application; the customer's remaining job is to manage their data inside the application, IAM, and user permissions — but a misconfigured admin role can still leak millions of records, so SaaS is not "no security work."
---
Compliance frameworks for cloud e-commerce
| Framework | Scope |
|---|---|
| PCI-DSS | If handling card data |
| GDPR | EU citizen data |
| CCPA / CPRA | California consumers |
| HIPAA | US health data |
| SOC 2 | Service organisations |
| ISO 27001 | Information security management |
| DPDP Act 2023 | India personal data |
| RBI Cybersecurity Guidelines | Indian banks / payment systems |
| IT Act 2000 | India's primary cyber law (amended 2008); Section 43A and the 2011 SPDI Rules set the data-security duty, Sections 66 onwards define cyber offences |
A typical Indian e-commerce site needs PCI-DSS + DPDP Act compliance at minimum.
---
Key Terms — Lesson 4.2
The terms below cover the three platforms (mobile, social, cloud), the regulatory landscape, and the compliance vocabulary needed for any commerce-security PYQ.
OWASP Mobile Top 10 — The Open Worldwide Application Security Project's catalogue of the ten most critical mobile-app risks. The 2024 edition: improper credential usage, inadequate supply-chain security, insecure authentication / authorisation, insufficient input/output validation, insecure communication, inadequate privacy controls, insufficient binary protections, security misconfiguration, insecure data storage, insufficient cryptography. The Top 10 is the awareness list; the companion MASVS (verification standard) and MASTG (testing guide) are what a reviewer actually tests against.
Sideloading — Installing an Android app from outside the Play Store, by downloading the APK directly or using a third-party store. Sideloading bypasses Google Play's review and is the most common route for fake banking apps and OTP-stealing malware in India; Play Protect still scans sideloaded apps, but only catches known malware. iOS allows installs outside the App Store only through enterprise distribution, TestFlight or a jailbreak; since iOS 17.4 (2024) Apple also permits alternative app marketplaces in the EU under the Digital Markets Act.
Certificate Pinning — A defence in mobile apps where the app ships the expected server certificate, or more usually the SHA-256 hash of its public key (SPKI), and refuses any server presenting a different one. Pinning defeats the common MITM setups: even if an attacker has installed their own CA on the device so the OS trusts the interception proxy, the app refuses the connection. Two caveats: pin a backup key as well, or routine certificate / key rotation will lock every installed copy of the app out of your own API; and on a rooted device the pin check itself can be hooked (Frida, objection) or the pin replaced in a repackaged APK, so pinning raises the cost of analysis rather than preventing it.
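A pin-set check of the kind described above and in the developer defences list, as an added example rather than code from this page or from any particular app: it computes OkHttp-style "sha256/..." pins from SubjectPublicKeyInfo bytes and evaluates four chains the app might see, including the backup-pin rotation case. The SPKI byte strings are constructed placeholders; a real app gets the DER-encoded SPKI from the certificate objects its TLS library hands it.

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """OkHttp / HPKP-style pin string: 'sha256/' + base64(SHA-256(SubjectPublicKeyInfo DER))."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def chain_matches_pins(chain_spkis, pin_set) -> bool:
    """Accept the presented TLS chain if ANY certificate's SPKI matches ANY configured pin.

    Matching on any chain element is what lets you pin an intermediate CA instead of
    the leaf when you do not control leaf issuance; pinning the leaf is the strictest.
    """
    return any(spki_pin(spki) in pin_set for spki in chain_spkis)


# Constructed stand-ins for DER-encoded SPKI blobs (assumption: a real app reads these
# from the certificates its TLS stack presents; the bytes below are placeholders only).
CURRENT_LEAF_SPKI = b"spki:shop.example:rsa-2048:key-2024"
BACKUP_LEAF_SPKI = b"spki:shop.example:rsa-2048:key-2025-backup"
INTERMEDIATE_SPKI = b"spki:public-ca:intermediate-g2"
ATTACKER_LEAF_SPKI = b"spki:mitm-proxy:leaf-signed-by-user-installed-root"

# Ship the current pin plus a backup pin whose private key is generated now and kept offline.
APP_PIN_SET = {spki_pin(CURRENT_LEAF_SPKI), spki_pin(BACKUP_LEAF_SPKI)}


def evaluate_scenarios() -> dict:
    """Four chains the app might see; True means the app proceeds with the connection."""
    return {
        # normal traffic: leaf matches the current pin
        "legit_chain": chain_matches_pins(
            [CURRENT_LEAF_SPKI, INTERMEDIATE_SPKI], APP_PIN_SET),
        # server rotated to the pre-announced backup key: still accepted, no forced app update
        "after_key_rotation": chain_matches_pins(
            [BACKUP_LEAF_SPKI, INTERMEDIATE_SPKI], APP_PIN_SET),
        # MITM with a certificate the OS trusts (user-installed root): SPKI differs, rejected
        "mitm_trusted_by_os": chain_matches_pins(
            [ATTACKER_LEAF_SPKI, INTERMEDIATE_SPKI], APP_PIN_SET),
        # the failure mode: only the current key was pinned, then it was rotated -> every install breaks
        "rotation_without_backup_pin": chain_matches_pins(
            [BACKUP_LEAF_SPKI, INTERMEDIATE_SPKI], {spki_pin(CURRENT_LEAF_SPKI)}),
    }


if __name__ == "__main__":
    for name, ok in evaluate_scenarios().items():
        print(f"{name:30s} -> {'connect' if ok else 'REFUSE'}")
```

The "rotation_without_backup_pin" row is the self-inflicted outage pinning causes when the backup pin is forgotten; the "mitm_trusted_by_os" row is the case pinning exists for. Neither helps once an attacker runs the app on a rooted device and hooks chain_matches_pins itself.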
Rooting (Android) / Jailbreaking (iOS) — Removing the operating-system restrictions to gain admin-level access on the device. A rooted/jailbroken device can run apps the OS would normally block, but loses many security guarantees. Most Indian banking apps refuse to run on rooted devices.
Mobile Device Management (MDM) — Enterprise software (Microsoft Intune, VMware Workspace ONE, MobileIron, Hexnode) that lets a company enforce security policies — encryption, screen lock, app whitelists, remote wipe — on employee devices. Mandatory for any organisation issuing devices to staff or running BYOD with access to sensitive data.
SIM-Swap Fraud — The attacker convinces (or bribes) a telecom employee to port the victim's mobile number to a SIM the attacker controls. Once they own the number, every SMS OTP — for banks, wallets, exchanges — lands on the attacker's device. SIM-swap fraud has been one of the fastest-growing fraud categories in India.
Phishing via Social (Spear Phishing on LinkedIn, Instagram DMs, WhatsApp) — Targeted social-engineering attacks that use information harvested from the victim's social profile to craft a believable lure. LinkedIn is a particular goldmine for whaling attempts on executives.
Catfishing — Creating a fake identity online — usually with stolen photos — to deceive a victim into a relationship (often romantic), then exploit them financially or emotionally. Romance scams are a billion-dollar global fraud category and are growing in India through dating apps and matrimonial sites.
Shared Responsibility Model — The cloud-security framework that defines what the cloud provider is responsible for (physical datacentre, network, hypervisor, managed services) vs what the customer is responsible for (data, IAM, configuration, application code, OS for IaaS). AWS, Azure, and GCP all publish their version of this matrix; every cloud-security PYQ expects you to invoke it.
IAM (Identity and Access Management) — The cloud subsystem that governs who can do what in the account — users, groups, service-accounts, roles, permission policies. Misconfigured IAM (overly broad permissions, long-lived access keys, no MFA on root) is the root cause of most cloud breaches. The guiding principle is least privilege — grant only the minimum needed.
Misconfigured S3 Bucket — The most common cloud-data-breach pattern: an Amazon S3 bucket holding sensitive data is accidentally set to public read (through its ACL or its bucket policy), found by bucket-name enumeration tools or search engines, and anyone on the Internet can download the contents. Facebook (via third-party app developers), the US Department of Defense, Indian education company Vedantu, and many others have suffered public-bucket exposures; Capital One's data also came out of S3, but through an over-permissive IAM role reached via SSRF rather than a public bucket. AWS's Block Public Access setting, on by default for new buckets since 2023, closes the accidental-public case, so the remaining risk is mostly in buckets created before that and in deliberate overrides.
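The two terms above (IAM and the public S3 bucket), like the Identity and Data rows of the cloud-defences table, describe one root cause: a policy document that grants more than intended. The following added example is not from this page and is not AWS's own tooling; it is a small linter over the IAM JSON policy format that flags Allow statements with wildcard actions or resources, Allow combined with NotAction, and an unconditional anonymous Principal, which is exactly the public-bucket pattern. The three sample policies and their bucket names are constructed for illustration.

```python
# Constructed sample policies (not taken from any real account).
WEAK_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::orders-export/*",  # hypothetical bucket name
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::customer-exports/*",  # hypothetical bucket name
    }],
}


def _as_list(value):
    """IAM JSON allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal) -> bool:
    """'Principal': '*' or {'AWS': '*'} grants access to everyone on the Internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def audit_policy(policy: dict) -> list:
    """Return '<statement index>:<finding>' strings for each risky Allow statement."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if "NotAction" in st:
            # Allow + NotAction grants everything except the listed actions,
            # including services that did not exist when the policy was written
            findings.append(f"{i}:NOTACTION_ALLOW")
        if "*" in actions:
            findings.append(f"{i}:ADMIN_WILDCARD_ACTION")
        elif any(a.endswith(":*") for a in actions):
            findings.append(f"{i}:SERVICE_WILDCARD_ACTION")
        if "*" in resources:
            findings.append(f"{i}:WILDCARD_RESOURCE")
        if _is_anonymous_principal(st.get("Principal")) and not st.get("Condition"):
            # An unconditional anonymous Allow in a bucket policy is the public-S3 pattern
            findings.append(f"{i}:PUBLIC_PRINCIPAL")
    return findings


if __name__ == "__main__":
    for name, pol in [("weak identity policy", WEAK_IDENTITY_POLICY),
                      ("least-privilege policy", LEAST_PRIVILEGE_POLICY),
                      ("public bucket policy", PUBLIC_BUCKET_POLICY)]:
        print(f"{name}: {audit_policy(pol) or 'OK'}")
```

Feed it the output of `aws iam get-policy-version` or `aws s3api get-bucket-policy` in CI and fail the pipeline on any finding; that is the cheapest CSPM you can build. The policy the linter passes is still scoped to one bucket prefix and requires MFA, which is what "least privilege" looks like in practice rather than on a slide.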
API Key / Service Account Credentials Leak — An access key or service-account JSON file accidentally committed to a public GitHub repository, then scraped by attackers within minutes (bots watch the public events feed, so deleting the commit afterwards does not help; the secret is already harvested and stays in the git history anyway). The classic next step: spinning up cryptocurrency-mining VMs that run up tens of thousands of dollars in bills before the owner notices. GitHub's secret scanning with push protection blocks the commit in the first place, and AWS scans public repositories and attaches a quarantine policy to keys it finds, but neither replaces the real fix: revoke and rotate the key, and prefer short-lived credentials (IAM roles, OIDC federation for CI) over long-lived access keys so there is nothing to leak.
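An added example of the detection side, written for this page rather than taken from it or from GitHub's scanner: a scan over a constructed diff fragment that recognises AWS access key IDs by their fixed prefix, flags high-entropy values assigned to secret-looking variable names, and spots a GCP service-account JSON file. The regexes are the common shapes, not any vendor's internal detectors, and the credentials in the sample are AWS's published example values, not live keys.

```python
import math
import re
from collections import Counter

# Assumption: these patterns are the common shapes, not GitHub's or AWS's internal detectors.
AWS_ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_ASSIGNMENT_RE = re.compile(
    r"(?i)(?:secret|token|password|api[_-]?key)\w*\s*[:=]\s*['\"]?([A-Za-z0-9/+=_\-]{20,})")
GCP_SERVICE_ACCOUNT_RE = re.compile(r'"type"\s*:\s*"service_account"')


def shannon_entropy(s: str) -> float:
    """Bits per character; random base64 secrets score about 4.5+, words and placeholders 2 to 3."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, entropy_threshold: float = 3.5) -> list:
    """Return (line number, finding type, masked evidence) for each suspected credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID_RE.finditer(line):
            # key IDs have a fixed format, so no entropy test is needed; they are not secret
            # by themselves but almost always travel with the secret key on the next line
            findings.append((lineno, "AWS_ACCESS_KEY_ID", m.group(1)))
        for m in SECRET_ASSIGNMENT_RE.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, "HIGH_ENTROPY_SECRET", value[:4] + "..."))
        if GCP_SERVICE_ACCOUNT_RE.search(line):
            findings.append((lineno, "GCP_SERVICE_ACCOUNT_JSON", ""))
    return findings


# Constructed diff fragment; the AWS values are AWS's documented example credentials.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+DB_PASSWORD=changeme
+LOG_LEVEL=debug
+  "type": "service_account",
"""

if __name__ == "__main__":
    for lineno, kind, evidence in scan_text(SAMPLE_DIFF):
        print(f"line {lineno}: {kind} {evidence}")
```

Wire scan_text into a pre-commit hook or a CI step over `git diff --cached`. The entropy threshold is what separates the real secret key from `changeme` (which also fails the length floor), while the AKIA match needs no entropy test because the key-ID format is fixed. When it fires, the remediation is rotation, not history rewriting.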
CSPM (Cloud Security Posture Management) — A class of tools (Wiz, Lacework, Orca, Prisma Cloud, AWS Config) that continuously audit a cloud account for misconfigurations — public S3 buckets, IAM roles with excessive permissions, exposed databases, unpatched workloads — and flag them for remediation.
WAF (Web Application Firewall) — A filter that sits in front of a web application and blocks malicious requests — SQL injection patterns, XSS attempts, known bot signatures, abusive request rates. AWS WAF, Cloudflare, Azure Front Door, and Imperva are the dominant choices.
DDoS Protection / Mitigation Service — Specialised services (AWS Shield, Cloudflare Magic Transit, Akamai Prolexic) that absorb and scrub DDoS traffic at the network edge before it reaches the origin. Almost every high-traffic e-commerce site sits behind one.
MFA (Multi-Factor Authentication) — Authentication that requires two or more independent factors: something you know (password), something you have (OTP, hardware token, app push), something you are (biometric). MFA is the single most effective control against password theft and credential stuffing, but the factors are not equal: SMS OTP is defeated by SIM swap and OTP-stealing malware, push approvals by prompt-bombing, and only FIDO2 / passkeys resist phishing outright. Banks, payment gateways, and serious SaaS platforms all enforce MFA for admin users.
Encryption at Rest vs in Transit — Two complementary controls. At rest: data on disk (databases, S3, EBS volumes, backups) is encrypted so a stolen disk or a copied snapshot yields ciphertext. In transit: data moving between client and server, or between services inside the cloud, is encrypted with TLS so a sniffer captures only ciphertext. Many managed services now encrypt at rest by default (S3 has since January 2023), but with a provider-managed key unless you name a KMS key, and at-rest encryption does nothing against an over-permissioned IAM principal, who reads plaintext through the API. In-transit encryption inside the cloud is the developer's job: require TLS on the database listener, the load balancer and internal queues rather than treating the VPC as private enough.
KMS (Key Management Service) — Cloud-managed key management: AWS KMS, Azure Key Vault, GCP Cloud KMS. The master key lives in HSM-backed storage and never leaves it; the application asks KMS to perform each encrypt or decrypt operation, and every call is authorised by IAM and logged (CloudTrail). Bulk data uses envelope encryption: KMS generates a data key, the application encrypts the data locally with it, and stores the data key encrypted under the KMS key next to the ciphertext, so KMS only ever handles a few bytes per object. Customer-managed keys (CMK) let the customer control the key policy, rotation schedule and revocation; disabling the key makes every object encrypted under it unreadable at once.
CERT-In (Indian Computer Emergency Response Team) — India's national agency for responding to cybersecurity incidents, under the Ministry of Electronics and IT. CERT-In issues advisories, coordinates incident response, and (since 2022) requires Indian companies to report material breaches within 6 hours of detection.
PCI-DSS (Payment Card Industry Data Security Standard) — Contractual standard, enforced by the card brands through acquirers, mandatory for any merchant or service provider storing, processing, or transmitting cardholder data. Twelve requirements under six control objectives: secure network, protect cardholder data, vulnerability management, access control, monitoring and testing, and policy. The validation method depends on the merchant's annual transaction-volume level: Level 1 needs an on-site assessment by a Qualified Security Assessor every year, Levels 2 to 4 file a Self-Assessment Questionnaire, and all levels need quarterly external scans by an Approved Scanning Vendor. The current version is PCI DSS v4.0. The easiest way to shrink scope is to never let card numbers touch your own servers (hosted payment page or gateway tokenisation).
GDPR (General Data Protection Regulation) — The European Union's data-protection regulation, adopted in 2016 and applicable since 25 May 2018. GDPR applies to any organisation handling EU residents' personal data, even from outside the EU, when it offers them goods or services or monitors their behaviour, and imposes fines up to 4% of global annual turnover or €20 million, whichever is higher. The template for most modern data-protection laws worldwide.
DPDP Act 2023 (Digital Personal Data Protection Act) — India's comprehensive data-protection law, passed in August 2023. DPDP defines Data Principals (the individual whose data is processed), Data Fiduciaries (organisations that decide how and why it is processed), Significant Data Fiduciaries (with extra duties such as audits and a resident Data Protection Officer), the Data Protection Board of India (the adjudicating body), and penalties of up to ₹250 crore per instance for serious failures such as not taking reasonable security safeguards. It applies extraterritorially to processing outside India that is connected with offering goods or services to Data Principals in India. The Act comes into force in phases as its rules are notified, so enforcement is still ramping up.
SOC 2 — A reporting framework (American Institute of CPAs) covering the Trust Services Criteria — security, availability, processing integrity, confidentiality, privacy — for service organisations. SaaS vendors selling to enterprise buyers almost universally complete an annual SOC 2 audit; many Indian e-commerce SaaS startups pursue SOC 2 as part of going upmarket.
ISO 27001 — The international standard for Information Security Management Systems (ISMS). ISO 27001 certification is widely recognised by enterprise buyers globally and is often required for B2B sales into regulated industries.
---
Indian Cybersecurity Regulators
The Indian cybersecurity regulatory landscape has several overlapping bodies. CERT-In (Computer Emergency Response Team — India, under MeitY) is the national incident-response body and the entity that issues binding security advisories to industry. RBI sets cybersecurity expectations for banks, NBFCs, and payment system operators — including the Cybersecurity Framework for Banks (2016) and the Master Direction on Digital Lending. TRAI regulates the telecom side (mobile network operators) and increasingly DLT-based commercial-SMS sender registries. SEBI sets the rules for stock exchanges, depositories, and brokers. MeitY (Ministry of Electronics & IT) owns the IT Act and the broader digital-policy framework. NCIIPC (National Critical Information Infrastructure Protection Centre) focuses on protecting designated "critical information infrastructure" — power grids, telecom backbones, banking core systems. DSCI (Data Security Council of India) is the industry body run by NASSCOM that aggregates best practices and serves as the data-privacy and cybersecurity self-regulator.
---
Study deep
- Mobile is now the dominant attack surface. The majority of e-commerce traffic in India arrives from mobile apps and mobile browsers. App security gets less attention than web security but the risk is comparable or higher.
- Social engineering scales via social networks. Pre-Facebook, social engineering required physical proximity or phone. Today, attackers can profile and target millions via LinkedIn / Twitter / Instagram.
- Cloud misconfiguration is the #1 cloud-security issue. Not technology failures — human configuration errors. AWS S3 public buckets, exposed Kubernetes APIs, IAM roles with admin-everywhere. CSPM tools help.
- The "human" is still the weakest link. No matter how good the technology, a phishing email to one employee can compromise the company. Security awareness training has measurable impact on incident rate.
- Indian context: Aadhaar adds attack surface. Aadhaar-linked KYC means a single identity compromise can affect bank account, SIM, e-commerce, government services. The DPDP Act 2023 tightens data protection but enforcement is nascent.
PYQ pattern: "Discuss mobile, social network and cloud security issues in e-commerce." — One paragraph per platform; list 3-4 threats per platform; mention 1-2 defences per area. Touch on shared-responsibility model for cloud.