Security analysis of third-party in-app payment in mobile applications

Abstract The massive growth of smart mobile devices has attracted numerous apps to embed third-party in-app payment, which involves more sophisticated interactions between multiple participants than traditional payments do. Such payment is therefore error prone and easily exploited, leading to serious financial deception. To investigate the current third-party mobile payment ecosystem and find potential security threats, we conduct an in-depth analysis of China, the world's largest mobile payment market. We study four mainstream third-party mobile payment cashiers and derive unified process models from them. We also summarize the security rules that cashiers and merchants must enforce, and illustrate four types of attacks that become possible when these rules are violated. In addition, we detect seven cases of security rule violation on both the Android and iOS platforms. Our detection results show that hundreds of popular apps violate at least one security rule and hence face various security risks, allowing attackers to consume commodities or services without purchasing them, or to deceive others into paying for them. Our further investigation reveals that cashiers as well as merchants are responsible for these vulnerable cases. We also performed proof-of-concept attacks in the real world, reported these issues to all involved parties, and helped them fix the vulnerabilities.
