VAPTAi: A Threat Model for Vulnerability Assessment and Penetration Testing of Android and iOS Mobile Banking Apps

Mobile devices are becoming targets for hackers and malicious users due to the multifold increase in their capabilities and usage. Security threats are more prominent in mobile payment and mobile banking applications (MBAs). Because MBAs store, transmit and access sensitive and confidential information, securing them should be given the utmost priority. In this paper, we analyze the MBAs of several banks running on the two dominant platforms, Android and iOS, using both static and dynamic analysis. We propose a threat model to detect various vulnerabilities rigorously. We carry out a systematic investigation of different unknown vulnerabilities, particularly in mobile banking applications, and show how MBAs are vulnerable to MitM attacks. We observe that some MBAs use plain HTTP to transfer user data without regard for security requirements. In most cases, MBAs accept fake or self-signed certificates: they blindly treat every certificate as sound and valid, which leads to SSL/TLS Man-in-the-Middle (MitM) attacks. We present a detailed analysis of the security of MBAs that will be useful for application developers, security testers, researchers, bankers and bank customers.
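The certificate-handling defect the abstract describes, shown as an added Android/Java example (not code from the paper or from any of the studied apps): the trust-all `X509TrustManager` that makes an app accept every chain, beside a hardened manager that keeps the platform's default validation and adds SubjectPublicKeyInfo pinning. The class name, the `PINS` placeholder value and the helper names are assumptions made for this example.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;
import java.util.Set;
import javax.net.ssl.*;

public class MbaTlsTrust {

    // VULNERABLE: the pattern behind "blindly maintaining all certificates as
    // valid". Neither method throws, so a fake or self-signed MitM certificate
    // passes validation exactly like the bank's real one.
    static X509TrustManager trustAll() {
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) {}
            public void checkServerTrusted(X509Certificate[] c, String a) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
    }

    // Constructed placeholder: a real app embeds the SHA-256 of its bank's
    // leaf (or intermediate) SubjectPublicKeyInfo, plus a backup pin for rotation.
    static final Set<String> PINS = Collections.singleton("sha256/PLACEHOLDER_BASE64_SPKI_HASH=");

    // HARDENED: run the platform's default validation (chain, expiry, CA trust,
    // revocation where configured) first, then require a pinned public key.
    static X509TrustManager pinned() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                              // system trust store
        X509TrustManager dflt = (X509TrustManager) tmf.getTrustManagers()[0];
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
                dflt.checkClientTrusted(c, a);
            }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
                dflt.checkServerTrusted(c, a);                  // standard validation first
                byte[] spki = c[0].getPublicKey().getEncoded(); // DER SubjectPublicKeyInfo of the leaf
                String pin = "sha256/" + Base64.getEncoder().encodeToString(
                        MessageDigest.getInstance("SHA-256").digest(spki));
                if (!PINS.contains(pin)) throw new CertificateException("SPKI pin mismatch: " + pin);
            }
            public X509Certificate[] getAcceptedIssuers() { return dflt.getAcceptedIssuers(); }
        };
    }

    // Install the hardened manager; keep the default HostnameVerifier on
    // HttpsURLConnection, never one that returns true unconditionally.
    static SSLSocketFactory hardenedFactory() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{ pinned() }, null);
        return ctx.getSocketFactory();
    }
}
```

The plain-HTTP finding in the abstract is addressed separately from trust management: on Android, setting `android:usesCleartextTraffic="false"` in the manifest (or a Network Security Config that forbids cleartext) makes the platform reject HTTP transfers of user data outright.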
