STAMBA: Security Testing for Android Mobile Banking Apps

Mobile banking plays a major role in M-Commerce (Mobile Commerce) applications in daily life. With the increasing use of mobile phones, the number of vulnerabilities affecting these devices has grown exponentially, and the privacy and security of confidential financial data is one of the major concerns on mobile devices. Android is the most popular operating system, not only among users but also among companies, vendors and Android developers of all kinds. For the same reason, it has also become a popular target for malicious adversaries, and mobile security and risk assessment specialists and security engineers are in high demand. In this paper, we propose STAMBA (Security Testing for Android Mobile Banking Apps) and demonstrate tools at different levels. These supported tools are used to find threats at the mobile application code level, at the communication or network level, and at the device level. We give a detailed discussion of the vulnerabilities found, which informs the design of further app development, and a detailed automated security testing approach for mobile banking applications.
