🤖 AI Summary
This study addresses the lack of a systematic, cross-regional assessment of security and privacy practices in Android e-commerce applications. Method: the first comprehensive comparative analysis of 92 top-grossing Android e-commerce apps from the U.S. (58) and international (34) markets, evaluating SSL/TLS configuration, network communication security, and permission management. The apps are analyzed with MobSF, AndroBugs, and RiskInDroid; the checks cover certificate validation, cleartext (HTTP) traffic detection, and identification of over-privileged permission requests. Contribution/Results: approximately 92% of apps use cleartext HTTP connections, the mean MobSF security score is 40.92/100, and 77 apps request excessive permissions. U.S.-based apps score marginally higher and show fewer manifest, code, and certificate findings, but both groups exhibit similar network-related weaknesses, so the threat landscape is dominated by problems common to all regions, such as weak cryptographic configuration and unencrypted data transmission. The findings expose widespread deficiencies in foundational secure-engineering practice across global e-commerce apps and provide empirical evidence and prioritized remediation guidance for platform regulators and developer security-governance frameworks.
📝 Abstract
E-commerce mobile applications are central to global financial transactions, making their security and privacy crucial. In this study, we analyze 92 top-grossing Android e-commerce apps (58 U.S.-based and 34 international) using MobSF, AndroBugs, and RiskInDroid. Our analysis shows widespread SSL/TLS and certificate weaknesses, with approximately 92% of apps using cleartext HTTP connections and an average MobSF security score of 40.92/100. Over-privileged permission requests were identified in 77 apps. While U.S. apps exhibited fewer manifest, code, and certificate vulnerabilities, both groups showed similar network-related issues. We advocate the adoption of stronger, standardized, and user-focused security practices across regions.
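The two findings the abstract reports most often, cleartext HTTP and over-privileged permission requests, are both visible at the manifest and source level, which is where static tools such as MobSF flag them. The following Python script is an added example written for this page, not code from the paper or from MobSF, AndroBugs or RiskInDroid. It decides whether a manifest permits cleartext traffic (explicit `usesCleartextTraffic`, a referenced `networkSecurityConfig`, or the platform default that flips at `targetSdkVersion` 28), lists requested permissions that fall outside a per-app allow-list of justified permissions, and scans source or resource text for `http://` hosts. The sample manifest, the `JUSTIFIED_PERMISSIONS` allow-list and the source snippet are all constructed for illustration; the dangerous-permission set is a subset of Android's runtime permissions, not the full platform list.

```python
"""Manifest- and source-level checks for cleartext traffic and over-privileged
permissions, of the kind static Android analyzers report. Added example; the
sample inputs below are constructed and do not describe any real app."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree prefix for android: attributes

# Subset of Android "dangerous" (runtime) permissions; illustrative only.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Constructed manifest for a hypothetical shopping app (com.example.shop).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shop">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="26"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Shop" android:debuggable="true"
        android:usesCleartextTraffic="true">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

# Hypothetical allow-list: permissions this app's features actually justify.
JUSTIFIED_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.CAMERA",                  # barcode scanning
    "android.permission.ACCESS_COARSE_LOCATION",  # store locator
}

# Constructed snippet standing in for decompiled source / string resources.
SAMPLE_SOURCE = """
private static final String API = "http://api.shop.example/v1/";
private static final String CDN = "https://cdn.shop.example/";
private static final String DEBUG = "http://127.0.0.1:8080/";
"""


def cleartext_policy(root):
    """Return (allowed, reason). allowed is None when the policy lives in a
    network_security_config file that this script cannot see."""
    app = root.find("application")
    if app is not None and app.get(A + "networkSecurityConfig"):
        # On API 24+ the config file overrides the manifest flag.
        return None, "governed by networkSecurityConfig (inspect that file)"
    explicit = app.get(A + "usesCleartextTraffic") if app is not None else None
    if explicit is not None:
        return explicit.lower() == "true", "explicit usesCleartextTraffic=%s" % explicit
    sdk = root.find("uses-sdk")
    target = sdk.get(A + "targetSdkVersion") if sdk is not None else None
    if target is None:
        return True, "no targetSdkVersion in manifest; assuming cleartext is permitted"
    # Platform default: cleartext permitted below targetSdk 28, blocked from 28 on.
    return int(target) < 28, "platform default for targetSdkVersion=%s" % target


def audit_manifest(xml_text, justified=JUSTIFIED_PERMISSIONS):
    """Return a list of finding strings for one AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    allowed, reason = cleartext_policy(root)
    if allowed is not False:  # True or unknown both deserve a look
        findings.append("cleartext-traffic: %s" % reason)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    for perm in sorted(requested - justified):
        severity = "dangerous" if perm in DANGEROUS_PERMISSIONS else "normal"
        findings.append("unjustified-permission(%s): %s" % (severity, perm))
    app = root.find("application")
    if app is not None and app.get(A + "debuggable", "false").lower() == "true":
        findings.append("debuggable: android:debuggable=true in a shipping manifest")
    return findings


HTTP_URL = re.compile(r"\bhttp://([A-Za-z0-9.\-]+)")


def find_cleartext_urls(text):
    """Hosts referenced over plain http:// in code or resources, loopback excluded."""
    hosts = set(HTTP_URL.findall(text))
    return sorted(h for h in hosts if h not in {"localhost", "127.0.0.1"})


if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        print(f)
    print("cleartext hosts:", find_cleartext_urls(SAMPLE_SOURCE))
```

On the constructed input the script reports the explicit cleartext flag, three dangerous permissions outside the allow-list, the debuggable flag, and `api.shop.example` as a plain-HTTP host. The allow-list is the part that has to be produced per app; without it a permission audit can only count dangerous permissions, which is what aggregate figures such as "77 apps over-privileged" necessarily reflect.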