Fuzzing of Mobile Application in the Banking Domain: a Case Study

Mobile applications are ubiquitous today, and everybody uses them on a daily basis. This also applies to security-critical mobile applications such as online banking apps. In today's architectures, these mobile applications are usually fed from the same source as mobile applications on smartphones, i.e. web services. This makes security testing of web services inevitable. Furthermore, regulation is increasing and requires stronger security mechanisms, as with the strong customer authentication mandated by the Revised European Payment Services Directive (PSD2). Automated security testing is a way to cope with the increasing requirements for assuring the security of such web services and their implemented security controls while the resources available for such efforts decrease. In this paper, we present our experiences from a case study provided by Kuveyt Türk Bank and performed within the ITEA-3 project TESTOMAT, where we introduced automated security testing in the form of fuzzing to complement manual security testing.
