Top

Published in:

2021 | OriginalPaper | Chapter

Breaking and Fixing Third-Party Payment Service for Mobile Apps

Authors : Shangcheng Shi, Xianbo Wang, Wing Cheong Lau

Published in: Applied Cryptography and Network Security

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Riding on the widespread user adoption of mobile payment, a growing number of mobile apps have integrated the service from third-party payment service providers or so-called Cashiers. Despite its prevalence and critical nature, no existing standard can guide the secure deployment of mobile payment. Thus, the protocol designs and implementations from different Cashiers are diverse. Given the complicated multi-party interactions in mobile payment, either the Cashiers or the apps may not fully consider various threat models, which enlarges the attack surface and causes the exploits with severe consequences, ranging from financial loss to privacy violations. In this paper, we perform an in-depth security analysis of real-world third-party payment services for mobile apps. Specifically, we examine the mobile payment systems from five top-tier Cashiers that serve over one billion users globally. Leveraging insecure protocol designs and practical implementation flaws, e.g., vulnerable backend SDKs for mobile apps, we have discovered six types of exploits. These exploits enable the attacker to violate user privacy and shop for free in the victim apps, affecting millions of users. Finally, we propose the fixings to defend against these exploits. We have shared our findings with the affected Cashiers and got their positive responses.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

next chapter DSS: Discrepancy-Aware Seed Selection Method for ICS Protocol Fuzzing

Available only for authorised users

For the rest of the paper, we use mobile payment to denote the third-party payment services for mobile apps, if not specified otherwise.

Apkpure: Apkpure (2019). https://apkpure.com/

Chen, S., et al.: An empirical assessment of security risks of global android banking apps. In: ICSE 2020 (2020)

Chen, Y., et al.: Devils in the guidance: predicting logic vulnerabilities in payment syndication services through automated documentation analysis. In: USENIX 2019 (2019)

Fortune Business Insights: Mobile payment market size, share & industry analysis (2020). https://www.fortunebusinessinsights.com/industry-reports/mobile-payment-market-100336

Hardt, D.: The OAuth 2.0 authorization framework (2012)

Haupert, V., Maier, D., Müller, T.: Paying the price for disruption: how a fintech allowed account takeover. In: ROOTS 2017 (2017)

Jones, M., et al.: JSON web token (JWT) (2012)

Kadhiwal, S., Zulfiquar, A.U.S.: Analysis of mobile payment security measures and different standards. Comput. Fraud Secur. 2007(6), 12–16 (2007)CrossRef

Kaur, R., Li, Y., Iqbal, J., Gonzalez, H., Stakhanova, N.: A security assessment of HCE-NFC enabled e-wallet banking android apps. In: COMPSAC 2018, vol. 02 (2018)

10.

Kumar, R., Kishore, S., Lu, H., Prakash, A.: Security analysis of unified payments interface and payment apps in India. In: USENIX Security 2020 (2020)

11.

Li, X., Xue, Y.: A survey on server-side approaches to securing web applications. ACM Comput. Surv. 46(4), 1–29 (2014)CrossRef

12.

Liu, W., Wang, X., Peng, W.: State of the art: secure mobile payment. IEEE Access 8, 13898–13914 (2020)CrossRef

13.

Lodderstedt, T., McGloin, M., Hunt, P.: OAuth 2.0 threat model and security considerations (2013)

14.

MITRE: CVE-2018-13439 (2018). https://www.cvedetails.com/cve/CVE-2018-13439/

15.

Mulliner, C., Robertson, W., Kirda, E.: VirtualSwindle: an automated attack against in-app billing on android. In: ASIA CCS 2014 (2014)

16.

PHP: API document of hash function in PHP (2020). https://www.php.net/manual/en/function.hash.php

17.

Reaves, B., Scaife, N., Bates, A., Traynor, P., Butler, K.R.: Mo(bile) money, mo(bile) problems: analysis of branchless banking applications in the developing world. In: USENIX Security 2015 (2015)

18.

Reynaud, D., Song, D., Magrino, T.R., Wu, E., Shin, E.C.: FreeMarket: shopping for free in android applications. In: NDSS 2012 (2012)

19.

Sun, F., Xu, L., Su, Z.: Detecting logic vulnerabilities in e-commerce applications. In: NDSS 2014 (2014)

20.

Tumbleson, C.: Apktool (2020). https://ibotpeaches.github.io/Apktool/

21.

Wang, R., Chen, S., Wang, X.F., Qadeer, S.: How to shop for free online security analysis of cashier-as-a-service based web stores. In: S&P 2011 (2011)

22.

Wang, Y., Hahn, C., Sutrave, K.: Mobile payment security, threats, and challenges. In: MobiSecServ 2016 (2016)

23.

Wikipedia: Client Certificate (2020). https://en.wikipedia.org/wiki/Client_certificate

24.

Xing, L., Chen, Y., Wang, X., Chen, S.: InteGuard: toward automatic protection of third-party web service integrations. In: NDSS 2013 (2013)

25.

Yang, W., et al.: Show me the money! finding flawed implementations of third-party in-app payment in android apps. In: NDSS 2017 (2017)

26.

Ye, Q., Bai, G., Dong, N., Dong, J.S.: Inferring implicit assumptions and correct usage of mobile payment protocols. In: Lin, X., Ghorbani, A., Ren, K., Zhu, S., Zhang, A. (eds.) SecureComm 2017. LNICST, vol. 238, pp. 469–488. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78813-5_24CrossRef

Title: Breaking and Fixing Third-Party Payment Service for Mobile Apps
Authors: Shangcheng Shi
Xianbo Wang
Wing Cheong Lau
Publisher: Springer International Publishing
Book: Applied Cryptography and Network Security
Print ISBN: 978-3-030-78374-7

Electronic ISBN: 978-3-030-78375-4

Copyright Year: 2021
DOI: https://doi.org/10.1007/978-3-030-78375-4_1

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner