Shaymaa Abdulla Al-Delayel

DOI: https://doi.org/10.48550/arXiv.2202.00582

2022-01-31

Cryptography and Security

Abstract:This paper discusses the security posture of Android m-banking applications in Qatar. Since technology has developed over the years and more security methods are provided, banking is now heavily reliant on mobile applications for prompt service delivery to clients, thus enabling a seamless and remote transaction. However, such mobile banking applications have access to sensitive data for each bank customer which presents a potential attack vector for clients, and the banks. The banks, therefore, have the responsibility to protect the information of the client by providing a high-security layer to their mobile application. This research discusses m-banking applications for Android OS, its security, vulnerability, threats, and solutions. Two m-banking applications were analyzed and benchmarked against standardized best practices, using the combination of two mobile testing frameworks. The security weaknesses observed during the experimental evaluation suggest the need for a more robust security evaluation of a mobile banking application in the state of Qatar. Such an approach would further ensure the confidence of the end-users. Consequently, understanding the security posture would provide a veritable measure towards mbanking security and user awareness.

Polra Victor Falade,Grace Bunmi Ogundele

DOI: https://doi.org/10.48550/arXiv.2302.07586

2023-02-15

Cryptography and Security

Abstract:There is a rapid increase in the number of mobile banking applications' users due to an increase in smart mobile devices. Mobile banking is a financial transaction and service offered through mobile devices. Almost all financial institutions now provide mobile banking services to their customers. However, the security of mobile banking applications is of huge concern because of the amount of personal data and information they collect. If an attacker gets hold of personal information, they can access bank payment or card accounts. This research aims to analyze the vulnerability of the UK digital banks' applications to identify vulnerabilities in the apps and proffer countermeasures that can help improve the security of the bank applications. Androbugs, a vulnerability scanner, was used to analyze the vulnerability of six digital banks' android applications. Starling, Monese, Atom bank, Transferwise, Monzo, and Revolut were scanned. All the scanned digital banks' applications have vulnerabilities; however, some have more vulnerabilities than others. For example, Revolut's mobile application has the highest number of identified vulnerabilities. Therefore, there is need for more security in the digital banks' applications as well as other mobile banking applications.

V. N. Sastry,Sriramulu Bojjagani

DOI: https://doi.org/10.1109/CIC.2017.00022

2017-10-01

Abstract:Mobile devices are becoming targets for hackers and malicious users due to the multifold increase in its capabilities and usage. Security threats are more prominent in mobile payment and mobile banking applications (MBAs). As these MBAs, store, transmit and access sensitive and confidential information, so utmost priority should be given to secure MBAs. In this paper, we have analyzed MBAs of several banks running on two dominant platforms of Android & iOS using both static and dynamic analysis. We have proposed threat model, to detect various vulnerabilities rigorously. We have done a systematic investigation of different unknown vulnerabilities particularly in mobile banking applications and showed how MBAs are vulnerable to MitM attacks. We observe that some MBAs are using simple HTTP protocol to transfer user data without concerning about security requirements. In Most of the cases, MBAs are receiving the fake or self-signed certificates. These are blindly maintaining all certificates as sound and valid, which leads to SSL/TLS Man-in-the-Middle (MitM) attacks. We present a detailed analysis of the security of MBAs which will be useful for application developers, security testers, researchers, bankers and bank customers.

Computer Science

Alioune Diallo,Aicha War,Moustapha Awwalou Diouf,Jordan Samhi,Steven Arzt,Tegawendé F. Bissyande,Jacque Klein

2024-11-07

Abstract:The West African Economic and Monetary Union (WAEMU) states, characterized by widespread smartphone usage, have witnessed banks and financial institutions introducing mobile banking applications (MBAs). These apps empower users to perform transactions such as money transfers, bill payments, and account inquiries anytime, anywhere. However, this proliferation of MBAs also raises significant security concerns. Poorly implemented security measures during app development can expose users and financial institutions to substantial financial risks through increased vulnerability to cyberattacks. Our study evaluated fifty-nine WAEMU MBAs using static analysis techniques. These MBAs were collected from the 160 banks and financial institutions of the eight WAEMU countries listed on the Central Bank of West African States (BCEAO) website. We identified security-related code issues that could be exploited by malicious actors. We investigated the issues found in the older versions to track their evolution across updates. Additionally, we identified some banks from regions such as Europe, the United States, and other developing countries and analyzed their mobile apps for a security comparison with WAEMU MBAs. Key findings include: (1) WAEMU apps exhibit security issues introduced during development, posing significant risks of exploitation; (2) Despite frequent updates, underlying security issues often persist; (3) Compared to MBAs from developed and developing countries, WAEMU apps exhibit fewer critical security issues; and (4) Apps from banks that are branches of other non-WAEMU banks often inherit security concerns from their parent apps while also introducing additional issues unique to their context. Our research underscores the need for robust security practices in WAEMU MBAs development to enhance user safety and trust in financial services.

Cryptography and Security

Milad Taleby Ahvanooey,Qianmu Li,Mahdi Rabbani,Ahmed Raza Rajput

DOI: https://doi.org/10.48550/arXiv.2001.09406

2020-01-26

Cryptography and Security

Abstract:Nowadays, the usage of smartphones and their applications have become rapidly increasing popular in people's daily life. Over the last decade, availability of mobile money services such as mobile-payment systems and app markets have significantly increased due to the different forms of apps and connectivity provided by mobile devices such as 3G, 4G, GPRS, and Wi-Fi, etc. In the same trend, the number of vulnerabilities targeting these services and communication networks has raised as well. Therefore, smartphones have become ideal target devices for malicious programmers. With increasing the number of vulnerabilities and attacks, there has been a corresponding ascent of the security countermeasures presented by the researchers. Due to these reasons, security of the payment systems is one of the most important issues in mobile payment systems. In this survey, we aim to provide a comprehensive and structured overview of the research on security solutions for smartphone devices. This survey reviews the state of the art on security solutions, threats, and vulnerabilities during the period of 2011-2017, by focusing on software attacks, such those to smartphone applications. We outline some countermeasures aimed at protecting smartphones against these groups of attacks, based on the detection rules, data collections and operating systems, especially focusing on open source applications. With this categorization, we want to provide an easy understanding for users and researchers to improve their knowledge about the security and privacy of smartphones.

Sen Chen,Lingling Fan,Guozhu Meng,Ting Su,Minhui Xue,Yinxing Xue,Yang Liu,Lihua Xu

DOI: https://doi.org/10.48550/arXiv.1805.05236

2020-02-18

Abstract:Mobile banking apps, belonging to the most security-critical app category, render massive and dynamic transactions susceptible to security risks. Given huge potential financial loss caused by vulnerabilities, existing research lacks a comprehensive empirical study on the security risks of global banking apps to provide useful insights and improve the security of banking apps. Since data-related weaknesses in banking apps are critical and may directly cause serious financial loss, this paper first revisits the state-of-the-art available tools and finds that they have limited capability in identifying data-related security weaknesses of banking apps. To complement the capability of existing tools in data-related weakness detection, we propose a three-phase automated security risk assessment system, named AUSERA, which leverages static program analysis techniques and sensitive keyword identification. By leveraging AUSERA, we collect 2,157 weaknesses in 693 real-world banking apps across 83 countries, which we use as a basis to conduct a comprehensive empirical study from different aspects, such as global distribution and weakness evolution during version updates. We find that apps owned by subsidiary banks are always less secure than or equivalent to those owned by parent banks. In addition, we also track the patching of weaknesses and receive much positive feedback from banking entities so as to improve the security of banking apps in practice. To date, we highlight that 21 banks have confirmed the weaknesses we reported. We also exchange insights with 7 banks, such as HSBC in UK and OCBC in Singapore, via in-person or online meetings to help them improve their apps. We hope that the insights developed in this paper will inform the communities about the gaps among multiple stakeholders, including banks, academic researchers, and third-party security companies.

Cryptography and Security

Layth Abu Arram,Mohammed Moreb

DOI: https://doi.org/10.1109/ICIT52682.2021.9491657

2021-07-14

Abstract:Smartphones have developed tremendously in the recent period up to recent days, each period a new company appears to enter the global competition market to impose itself, and this is directly proportional to the emergence of new applications every day for various devices, as well as the field of Cybersecurity has several aspects, including in the field of phones and smartphones especially with the exploitation of the large increase in the number of its users, many immoral hackers have greedy to exploit these applications for their personal interests, either theft, destruction, plagiarism, or many others. This research shows how these applications are exploited, especially in Android devices, and how such cases can be dealt with and avoided using the quantitative methodology, data analysis and results from presentation.

Computer Science

Wenbo Yang,Juanru Li,Yuanyuan Zhang,Dawu Gu

DOI: https://doi.org/10.1016/j.jisa.2019.102358

IF: 4.96

2019-01-01

Journal of Information Security and Applications

Abstract:The massive growth of smart mobile devices has attracted numerous apps to embed third-party in-app payment, which involves more sophisticated interactions between multiple participants compared to traditional payments. Therefore, such payment is error prone and could be exploited easily, leading to serious financial deceptions. To investigate current third-party mobile payment ecosystem and find potential security threats, we conduct an in-depth analysis against China–world’s largest mobile payment market. We study four mainstream third-party mobile payment cashiers, and conclude unified process models. We also summarize the security rules that must be regulated by cashiers and merchants and illustrate four types of attacks if violating these rules. Besides, we also detect seven cases of security rule violation on both Android and iOS platform. Our detection result shows that hundreds of popular apps violate at least one security rule, and hence face with various security risks, allowing attackers to consume commodities or services without purchasing them or deceiving others to pay for them. Our further investigation reveals that cashiers as well as merchants should be responsible for those vulnerable cases. We also performed proof-of-concept attacks in real world, reported these issues to all involved parties and helped them fix the vulnerabilities.

Alioune Diallo,Jordan Samhi,Tegawendé Bissyandé,Jacques Klein

2024-09-24

Abstract:In developing countries, several key sectors, including education, finance, agriculture, and healthcare, mainly deliver their services via mobile app technology on handheld devices. As a result, mobile app security has emerged as a paramount issue in developing countries. In this paper, we investigate the state of research on mobile app security, focusing on developing countries. More specifically, we performed a systematic literature review exploring the research directions taken by existing works, the different security concerns addressed, and the techniques used by researchers to highlight or address app security issues. Our main findings are: (1) the literature includes only a few studies on mobile app security in the context of developing countries ; (2) among the different security concerns that researchers study, vulnerability detection appears to be the leading research topic; (3) FinTech apps are revealed as the main target in the relevant literature. Overall, our work highlights that there is largely room for developing further specialized techniques addressing mobile app security in the context of developing countries.

Cryptography and Security

Nahid Joveda,Md. Tarek Khan,Abhijit Pathak

DOI: https://doi.org/10.5539/ijef.v11n10p54

2019-09-17

International Journal of Economics and Finance

Abstract:Cyberspace is a great media for exchanging information and data in the arena of E-banking. Banks are under pressure for the establishment of digitalization in its day by day operations to satisfy the clients' need. But the abuse of information technology has become a menace in the banking sector of Bangladesh. Concealing of original source and using advance technological solutions to transfer money illegally– the whole phenomenon is called Cyber laundering. This paper offers insights to increase an understanding of the nexus of corruption in banks, local economy and money laundering scandals. It examines the launderers' typology of crimes— both potential and real. Through this paper it is a small initiative to point out the national control mechanisms to deal with the issues of money laundering in banks. The research is based on accessible data from papers, journals, various reports, etc. The illicit flow of money through banks has created worldwide millions of dollar misfortunes. This paper focuses on creating a Cybersecurity system for detecting money laundering as it has become a threat to Bangladesh's economy. Are there any self-evident weaknesses in the financial framework that make it treatable efficiently? It is critical to acknowledge that how the security viewpoints in a financial framework can impact such unlawful exercises which are then lead to an extraordinary lost to the economic development.

Ayeasha Akhter,Ahmed Al Asheq,Md. Uzzal Hossain,Md. Mobarak Karim

DOI: https://doi.org/10.21511/bbs.15(2).2020.10

2020-05-19

Banks and Bank Systems

Abstract:As the number of smart phone users and the popularity of Internet among people are growing day by day in Bangladesh, it became necessary for Bangladeshi local banks to provide mobile banking services to their customers. Therefore, this study seeks to identify the crucial and determining factors that may affect the intention of customers to use mobile banking services. The sample size in this study is 91, in which majority are the students of Business Studies. All respondents have mobile banking at the time of the survey. The samples in the study were mainly drawn from the private university students (i.e. Business Administration students) and faculty members, and some bank officers participated as sample respondents in this study. A non-probability random sampling method is applied, and a 5% significance level is used to accept the hypotheses. Cronbach alpha (α) of 0.7 and above is considered to measure the reliability of the item wise variables. This study examines six variables (perceived usefulness, perceived ease of use, trust, security, perceived privacy, and technology competency) to analyze their impact on the behavioral intention of banking customers to use mobile banking services. Three variables, namely perceived usefulness, security, and technology competency, are found to be significant predictors of customers’ intent to use mobile banking in Bangladesh. For analytical purposes, SPSS version 23.0 is used to test hypotheses. The paper also provides significant implications for bank managers to increase the adoption of mobile banking for their sustainability.

Albin Forsberg,Leonardo Horn Iwaya

2024-09-27

Abstract:Mobile health applications (mHealth apps), particularly in the health and fitness category, have experienced an increase in popularity due to their convenience and availability. However, this widespread adoption raises concerns regarding the security of the user's data. In this study, we investigate the security vulnerabilities of ten top-ranked Android health and fitness apps, a set that accounts for 237 million downloads. We performed several static and dynamic security analyses using tools such as the Mobile Security Framework (MobSF) and Android emulators. We also checked the server's security levels with Qualys SSL, which allowed us to gain insights into the security posture of the servers communicating with the mHealth fitness apps. Our findings revealed many vulnerabilities, such as insecure coding, hardcoded sensitive information, over-privileged permissions, misconfiguration, and excessive communication with third-party domains. For instance, some apps store their database API key directly in the code while also exposing their database URL. We found insecure encryption methods in six apps, such as using AES with ECB mode. Two apps communicated with an alarming number of approximately 230 domains each, and a third app with over 100 domains, exacerbating privacy linkability threats. The study underscores the importance of continuous security assessments of top-ranked mHealth fitness apps to better understand the threat landscape and inform app developers.

Cryptography and Security

Muhammad Nazrul Islam,Md. Mahboob Karim,Toki Tahmid Inan,A. K. M. Najmul Islam

DOI: https://doi.org/10.1186/s12911-020-1033-3

2020-04-15

Abstract:Background: Lack of usability can be a major barrier for the rapid adoption of mobile services. Therefore, the purpose of this paper is to investigate the usability of Mobile Health applications in Bangladesh. Method: We followed a 3-stage approach in our research. First, we conducted a keyword-based application search in the popular app stores. We followed the affinity diagram approach and clustered the found applications into nine groups. Second, we randomly selected four apps from each group (36 apps in total) and conducted a heuristic evaluation. Finally, we selected the highest downloaded app from each group and conducted user studies with 30 participants. Results: We found 61% usability problems are catastrophe or major in nature from heuristic inspection. The most (21%) violated heuristic is aesthetic and minimalist design. The user studies revealed low System Usability Scale (SUS) scores for those apps that had a high number of usability problems based on the heuristic evaluation. Thus, the results of heuristic evaluation and user studies complement each other. Conclusion: Overall, the findings suggest that the usability of the mobile health apps in Bangladesh is not satisfactory in general and could be a potential barrier for wider adoption of mobile health services.

Human-Computer Interaction,Computers and Society

Gioacchino Tangari,Muhammad Ikram,I Wayan Budi Sentana,Kiran Ijaz,Mohamed Ali Kaafar,Shlomo Berkovsky

DOI: https://doi.org/10.1093/jamia/ocab131

2021-09-18

Abstract:Objective: We conduct a first large-scale analysis of mobile health (mHealth) apps available on Google Play with the goal of providing a comprehensive view of mHealth apps' security features and gauging the associated risks for mHealth users and their data. Materials and methods: We designed an app collection platform that discovered and downloaded more than 20 000 mHealth apps from the Medical and Health & Fitness categories on Google Play. We performed a suite of app code and traffic measurements to highlight a range of app security flaws: certificate security, sensitive or unnecessary permission requests, malware presence, communication security, and security-related concerns raised in user reviews. Results: Compared to baseline non-mHealth apps, mHealth apps generally adopt more reliable signing mechanisms and request fewer dangerous permissions. However, significant fractions of mHealth apps expose users to serious security risks. Specifically, 1.8% of mHealth apps package suspicious codes (eg, trojans), 45.0% rely on unencrypted communication, and as much as 23.0% of personal data (eg, location information and passwords) is sent on unsecured traffic. An analysis of the app reviews reveals that mHealth app users are largely unaware of the surfaced security issues. Conclusion: Despite being better aligned with security best practices than non-mHealth apps, mHealth apps are still far from ensuring robust security guarantees. App users, clinicians, technology developers, and policy makers alike should be cognizant of the uncovered security issues and weigh them carefully against the benefits of mHealth apps.

Amr Amin,Amgad Eldessouki,Menna Tullah Magdy,Nouran Abdeen,Hanan Hindy,Islam Hegazy

DOI: https://doi.org/10.3390/info10100326

2019-10-22

Information

Abstract:The security of mobile applications has become a major research field which is associated with a lot of challenges. The high rate of developing mobile applications has resulted in less secure applications. This is due to what is called the “rush to release” as defined by Ponemon Institute. Security testing—which is considered one of the main phases of the development life cycle—is either not performed or given minimal time; hence, there is a need for security testing automation. One of the techniques used is Automated Vulnerability Detection. Vulnerability detection is one of the security tests that aims at pinpointing potential security leaks. Fixing those leaks results in protecting smart-phones and tablet mobile device users against attacks. This paper focuses on building a hybrid approach of static and dynamic analysis for detecting the vulnerabilities of Android applications. This approach is capsuled in a usable platform (web application) to make it easy to use for both public users and professional developers. Static analysis, on one hand, performs code analysis. It does not require running the application to detect vulnerabilities. Dynamic analysis, on the other hand, detects the vulnerabilities that are dependent on the run-time behaviour of the application and cannot be detected using static analysis. The model is evaluated against different applications with different security vulnerabilities. Compared with other detection platforms, our model detects information leaks as well as insecure network requests alongside other commonly detected flaws that harm users’ privacy. The code is available through a GitHub repository for public contribution.

Hui Liu,Yuanyuan Zhang,Juanru Li,Hui Wang,Dawu Gu

DOI: https://doi.org/10.1007/978-3-319-45817-5_51

2016-01-01

Abstract:Web authentication security can be undermined by flawed mobile web implementations. Mobile web implementations may use less secure transport channel and enforce less strict brute-force-proof measures, making web authentication services vulnerable to typical attacks such as password cracking. This paper presents an in-depth penetration testing based on a comprehensive dynamic app analysis focusing on vulnerable authentication implementations of Android apps. An analysis of Top 200 apps from China Android Market and Top 100 apps from Google Play Market is conducted. The result shows that 71.3 % apps we analyze fails to protect users’ password appropriately. And an experiment carried out among 20 volunteers indicates that 84.4 % passwords can be cracked with the knowledge of password transformation process.

Fangda Cai,Hao Chen,Yuanyi Wu,Yuan Zhang

2014-01-01

Abstract:A fundamental security principle in developing networked applications is end-to-end security, where the confidentiality and integrity of the data transmitted over the network do not rely on the security of the network. In response to the ever increasing traffic from mobile apps, WiFi networks are spreading fast and widely. Since WiFi networks are unregulated, a passive attacker may eavesdrop on the traffic on open WiFi networks, while an active attacker may set up his own WiFi network to modify its traffic at will. In theory, end-to-end security should protect mobile apps from both these attacks; in practice, however, the situation is far less rosy.We examine how the popular, important mobile apps on Chinese Android markets defend themselves against untrusted networks. We select top apps from major categories, such as online shopping, banking, social networks, travel services, and apps from companies with huge market capitalization. We analyze both their code and their network traffic to identify vulnerabilities. We design a mini-language for describing the vulnerabilities and develop a tool, AppCracker, that launches both passive and active attacks on these apps to verify their vulnerabilities. AppCracker has confirmed that 100 apps from 69 companies are vulnerable during their user or session authentication. These vulnerabilities allow an adversary to capture the victim user’s login credentials or to hijack the victim’s session. We describe these diverse types of vulnerabilities, many of which are caused by the misuse of cryptography in their homegrown cryptographic protocols. Finally, we discuss the lessons learned during our investigation to help …

Ikram Ul Haq,Tamim Ahmed Khan

DOI: https://doi.org/10.1109/access.2021.3088229

IF: 3.9

2021-01-01

IEEE Access

Abstract:The invention of smartphones has opened a new market for mobile application development. Amateur android app developers often do not possess knowledge of the latest android vulnerabilities and thus create applications with attack surface that hackers exploit. In this literature review, many available frameworks and techniques have been analyzed using ISO/IEC 25010 software quality model and identified challenges that android developers face in designing a secure application for android. This paper also presents a comprehensive survey of different penetration tools, evaluated by using criteria such as code analysis, code review, vulnerability analysis, vulnerability exploit, payload and whether these can be used in vulnerability modeling during the design phase. Our study effectively identifies the issues and gaps which can further help develop a framework/tool for designing a penetration secure mobile application by embedding all the vulnerabilities during the design phase using an android vulnerability repository.

computer science, information systems,telecommunications,engineering, electrical & electronic

Bakheet Aljedaani,Aakash Ahmad,Mansooreh Zahedi,M. Ali Babar

DOI: https://doi.org/10.48550/arXiv.2008.03034

2020-08-07

Abstract:Mobile apps exploit embedded sensors and wireless connectivity of a device to empower users with portable computations, context-aware communication, and enhanced interaction. Specifically, mobile health apps (mHealth apps for short) are becoming integral part of mobile and pervasive computing to improve the availability and quality of healthcare services. Despite the offered benefits, mHealth apps face a critical challenge, i.e., security of health critical data that is produced and consumed by the app. Several studies have revealed that security specific issues of mHealth apps have not been adequately addressed. The objectives of this study are to empirically (a) investigate the challenges that hinder development of secure mHealth apps, (b) identify practices to develop secure apps, and (c) explore motivating factors that influence secure development. We conducted this study by collecting responses of 97 developers from 25 countries, across 06 continents, working in diverse teams and roles to develop mHealth apps for Android, iOS, and Windows platform. Qualitative analysis of the survey data is based on (i) 8 critical challenges, (ii) taxonomy of best practices to ensure security, and (iii) 6 motivating factors that impact secure mHealth apps. This research provides empirical evidence as practitioners view and guidelines to develop emerging and next generation of secure mHealth apps.

Software Engineering,Computers and Society

Che Li,Yue Zhou,Shuang Li,Yaru Deng,Meng Zhang,Kanghui Wang

DOI: https://doi.org/10.1109/ICIS51600.2021.9516873

2021-06-23

Abstract:Privacy protection is a vital part of information security. However, the excessive collections and uses of personal information have intensified in the area of mobile apps (applications). To comprehend the current situation of APP personal information security problem of APP, this paper uses a combined approach of static analysis technology, dynamic analysis technology, and manual review to detect and analyze the installed file of mobile apps. 40 mobile apps are detected as experimental samples. The results demonstrate that this combined approach can effectively detect various issues of personal information security problem in mobile apps. Statistics analysis of the experimental results demonstrate that mobile apps have outstanding problems in some aspects of personal information security such as privacy policy, permission application, information collection, data storage, etc.

Computer Science