The recent security flaw exposed in Apple’s mobile operating system hurts their plans for establishing the platform as the mobile payment system of the future. Apple has reacted quickly, releasing a patch on the same day, but was it quick enough to protect their strategy for mobile retail?
On Friday, reports of a bug in secure sessions, which allows attackers to grab data from mobile users by hijacking the SSL connection, were circulating the internet. Users were at risk of a “man-in-the-middle attack capturing personally sensitive information they entered while connected to websites and other services thinking they were safe. One security expert at Johns Hopkins University said, “It’s as bad as you could imagine.”
Especially since SSL technology is nothing new or fancy. The protocol has been around essentially since the beginnings of the internet and is widely accepted as being secure – if implemented correctly by software vendors. This would come as quite a blow to the perception of Apple as a sophisticated and security minded company under any circumstances, but it is especially troubling for them now, as they seek to use their position of dominance in mobile devices to extend their control of a much larger part of the mobile purchasing process.
Apple plans to stake out a position in the mobile retail sector using a combination of technologies they have integrated into their flagship iPhone and iOS software. The fingerprint sensor, available on the iPhone 5, was marketed as an access feature rather than a payment authorization feature, but coupled with a users iTunes account, it is easier and faster than paying with a credit card. The iBeacon technology, basically a GPS for individual shoppers while inside retail establishments, was almost a side note during the iPhone 5 announcement last year, but it, too, would enhance Apple’s profile if it catches on, becoming a seamless conduit for targeted marketing messages and in-store guidance for shoppers.
Apple is seeking to “close the loop”, a marketing term which means that a purchase made can be attached to a particular person’s in-store and pre-store experience, via their mobile device. Check-ins via social media sites never fully addressed this problem as the recorded physical presence of a consumer in the store wasn’t reliably linked to a purchase decision.
Apple recognized that this flaw hurt vendors chances of transforming the mobile payment and marketing process, and they planned to secure a leading position by fixing the problem. Now they may have lost that opportunity.
Mobile payments is a very big market for Apple to lose. Research firm Gartner estimates that by 2017 mobile payments will exceed $720 billion a year, up from the $235 billion recorded in 2013. Retail transactions totaled $15 trillion that same year, so there is clearly room for vendors to win a larger share for mobile. Apple has a built-in advantage here already because of their user demographics. Consider that although there are significantly more Android phones than iPhone in use, estimates go as high as 80 percent more, iPhones account for nearly double the dollar value of purchases. iPhone owners simply buy more.
All this is in serious danger of being wasted effort if Apple is perceived incapable of properly implementing and managing the most fundamental security concerns. Customers are unlikely to trust the company with even more data about their shopping habits, their movement inside of establishments, what they look at and what they actually purchase, when Apple cannot implement a simple secure connection.
This recent security misstep hurt Apple’s reputation, but it doesn’t necessarily mean their development fundamentals are flawed, only that establishing themselves as a leader in mobile payments may not come as easily as they had planned.
By Brian Ryer