nach oben

Erschienen in:

2021 | OriginalPaper | Buchkapitel

Breaking and Fixing Third-Party Payment Service for Mobile Apps

verfasst von : Shangcheng Shi, Xianbo Wang, Wing Cheong Lau

Erschienen in: Applied Cryptography and Network Security

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Riding on the widespread user adoption of mobile payment, a growing number of mobile apps have integrated the service from third-party payment service providers or so-called Cashiers. Despite its prevalence and critical nature, no existing standard can guide the secure deployment of mobile payment. Thus, the protocol designs and implementations from different Cashiers are diverse. Given the complicated multi-party interactions in mobile payment, either the Cashiers or the apps may not fully consider various threat models, which enlarges the attack surface and causes the exploits with severe consequences, ranging from financial loss to privacy violations. In this paper, we perform an in-depth security analysis of real-world third-party payment services for mobile apps. Specifically, we examine the mobile payment systems from five top-tier Cashiers that serve over one billion users globally. Leveraging insecure protocol designs and practical implementation flaws, e.g., vulnerable backend SDKs for mobile apps, we have discovered six types of exploits. These exploits enable the attacker to violate user privacy and shop for free in the victim apps, affecting millions of users. Finally, we propose the fixings to defend against these exploits. We have shared our findings with the affected Cashiers and got their positive responses.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Nächstes Kapitel DSS: Discrepancy-Aware Seed Selection Method for ICS Protocol Fuzzing

Nur mit Berechtigung zugänglich

For the rest of the paper, we use mobile payment to denote the third-party payment services for mobile apps, if not specified otherwise.

Apkpure: Apkpure (2019). https://apkpure.com/

Chen, S., et al.: An empirical assessment of security risks of global android banking apps. In: ICSE 2020 (2020)

Chen, Y., et al.: Devils in the guidance: predicting logic vulnerabilities in payment syndication services through automated documentation analysis. In: USENIX 2019 (2019)

Fortune Business Insights: Mobile payment market size, share & industry analysis (2020). https://www.fortunebusinessinsights.com/industry-reports/mobile-payment-market-100336

Hardt, D.: The OAuth 2.0 authorization framework (2012)

Haupert, V., Maier, D., Müller, T.: Paying the price for disruption: how a fintech allowed account takeover. In: ROOTS 2017 (2017)

Jones, M., et al.: JSON web token (JWT) (2012)

Kadhiwal, S., Zulfiquar, A.U.S.: Analysis of mobile payment security measures and different standards. Comput. Fraud Secur. 2007(6), 12–16 (2007)CrossRef

Kaur, R., Li, Y., Iqbal, J., Gonzalez, H., Stakhanova, N.: A security assessment of HCE-NFC enabled e-wallet banking android apps. In: COMPSAC 2018, vol. 02 (2018)

10.

Kumar, R., Kishore, S., Lu, H., Prakash, A.: Security analysis of unified payments interface and payment apps in India. In: USENIX Security 2020 (2020)

11.

Li, X., Xue, Y.: A survey on server-side approaches to securing web applications. ACM Comput. Surv. 46(4), 1–29 (2014)CrossRef

12.

Liu, W., Wang, X., Peng, W.: State of the art: secure mobile payment. IEEE Access 8, 13898–13914 (2020)CrossRef

13.

Lodderstedt, T., McGloin, M., Hunt, P.: OAuth 2.0 threat model and security considerations (2013)

14.

MITRE: CVE-2018-13439 (2018). https://www.cvedetails.com/cve/CVE-2018-13439/

15.

Mulliner, C., Robertson, W., Kirda, E.: VirtualSwindle: an automated attack against in-app billing on android. In: ASIA CCS 2014 (2014)

16.

PHP: API document of hash function in PHP (2020). https://www.php.net/manual/en/function.hash.php

17.

Reaves, B., Scaife, N., Bates, A., Traynor, P., Butler, K.R.: Mo(bile) money, mo(bile) problems: analysis of branchless banking applications in the developing world. In: USENIX Security 2015 (2015)

18.

Reynaud, D., Song, D., Magrino, T.R., Wu, E., Shin, E.C.: FreeMarket: shopping for free in android applications. In: NDSS 2012 (2012)

19.

Sun, F., Xu, L., Su, Z.: Detecting logic vulnerabilities in e-commerce applications. In: NDSS 2014 (2014)

20.

Tumbleson, C.: Apktool (2020). https://ibotpeaches.github.io/Apktool/

21.

Wang, R., Chen, S., Wang, X.F., Qadeer, S.: How to shop for free online security analysis of cashier-as-a-service based web stores. In: S&P 2011 (2011)

22.

Wang, Y., Hahn, C., Sutrave, K.: Mobile payment security, threats, and challenges. In: MobiSecServ 2016 (2016)

23.

Wikipedia: Client Certificate (2020). https://en.wikipedia.org/wiki/Client_certificate

24.

Xing, L., Chen, Y., Wang, X., Chen, S.: InteGuard: toward automatic protection of third-party web service integrations. In: NDSS 2013 (2013)

25.

Yang, W., et al.: Show me the money! finding flawed implementations of third-party in-app payment in android apps. In: NDSS 2017 (2017)

26.

Ye, Q., Bai, G., Dong, N., Dong, J.S.: Inferring implicit assumptions and correct usage of mobile payment protocols. In: Lin, X., Ghorbani, A., Ren, K., Zhu, S., Zhang, A. (eds.) SecureComm 2017. LNICST, vol. 238, pp. 469–488. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78813-5_24CrossRef

Titel: Breaking and Fixing Third-Party Payment Service for Mobile Apps
verfasst von: Shangcheng Shi
Xianbo Wang
Wing Cheong Lau
Verlag: Springer International Publishing
Buch: Applied Cryptography and Network Security
Print ISBN: 978-3-030-78374-7

Electronic ISBN: 978-3-030-78375-4

Copyright-Jahr: 2021
DOI: https://doi.org/10.1007/978-3-030-78375-4_1

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"