Yanhui Guo,Yuqing Gou,Wanrong Chen,Miao Zhang,Dawei Sun

DOI: https://doi.org/10.1109/iccce48422.2019.9010782

2019-01-01

Abstract:Mobile payment becomes more and more popular, and the main way of mobile payment, third-party payment, still faces many security problems. Based on the mainstream Android platform, this paper studies the payment process of the third-party payment platform and analyzes the security defects and security problems that may occur when the application developers realize the third-party payment process. The paper tested the security defects through experiments, and the test results showed that the integration of third-party payment functions was relatively popular in applications, and many applications integrating third-party payment functions had different degrees of security defects.

Wu Zhou,Yajin Zhou,Xuxian Jiang,Peng Ning

DOI: https://doi.org/10.1145/2133601.2133640

2012-01-01

Abstract:Recent years have witnessed incredible popularity and adoption of smartphones and mobile devices, which is accompanied by large amount and wide variety of feature-rich smartphone applications. These smartphone applications (or apps), typically organized in different application marketplaces, can be conveniently browsed by mobile users and then simply clicked to install on a variety of mobile devices. In practice, besides the official marketplaces from platform vendors (e.g., Google and Apple), a number of third-party alternative marketplaces have also been created to host thousands of apps (e.g., to meet regional or localization needs). To maintain and foster a hygienic smartphone app ecosystem, there is a need for each third-party marketplace to offer quality apps to mobile users. In this paper, we perform a systematic study on six popular Android-based third-party marketplaces. Among them, we find a common "in-the-wild" practice of repackaging legitimate apps (from the official Android Market) and distributing repackaged ones via third-party marketplaces. To better understand the extent of such practice, we implement an app similarity measurement system called DroidMOSS that applies a fuzzy hashing technique to effectively localize and detect the changes from app-repackaging behavior. The experiments with DroidMOSS show a worrisome fact that 5% to 13% of apps hosted on these studied marketplaces are repackaged. Further manual investigation indicates that these repackaged apps are mainly used to replace existing in-app advertisements or embed new ones to "steal" or re-route ad revenues. We also identify a few cases with planted backdoors or malicious payloads among repackaged apps. The results call for the need of a rigorous vetting process for better regulation of third-party smartphone application marketplaces.

Yadong Zhou,Tianyi Yue,Xiaoming Liu,Chao Shen,Lingling Tong,Zhihao Ding

DOI: https://doi.org/10.1016/j.neucom.2020.10.007

IF: 6

2021-01-01

Neurocomputing

Abstract:As a successful business model, “in-app purchase” has been adopted by massive applications (Apps) gradually. Users can purchase various virtual goods in different kinds of Apps, such as the license to download movies or songs. In-app purchase helps App operators gain huge income, and meanwhile provides users with flexibility in using Apps. Recently, iOS Apps have suffered the attack of fraudulent purchase. Attackers leverage the vulnerabilities in iOS payment system to purchase virtual goods at zero or low cost. More seriously, unscrupulous attackers solicit customers publicly and provide purchasing services, which has caused huge financial loss to business entities. It becomes of great importance to detect the fraudulent in-app purchases in iOS Apps, and then take measures such as confiscating goods to minimize profit loss. In this paper, we propose a system called Payment-Guard to achieve this objective, which designs various features to characterize a purchase from four perspectives including App account behavior, device behavior, IP behavior and union behavior of (App account, device, IP), then conducts detection based on the features. We perform comprehensive experiments based on data collected from “Honor of Kings” App, which is one of the most famous MOBA games in China and allows players to recharge App accounts for virtual currency. Experimental results demonstrated that Payment-Guard can detect 92.2% malicious in-app purchases and with only 2% false positive rate.

Sen Chen,Guozhu Meng,Ting Su,Lingling Fan,Yinxing Xue,Yang Liu,Lihua Xu,Minhui Xue,Bo Li,Shuang Hao

2018-01-01

Abstract:Contemporary financial technology (FinTech) that enables cashless mobile payment has been widely adopted by financial institutions, such as banks, due to its convenience and efficiency. However, FinTech has also made massive and dynamic transactions susceptible to security risks. Given large financial losses caused by such vulnerabilities, regulatory technology (RegTech) has been developed, but more comprehensive security risk assessment is specifically desired to develop robust, scalable, and efficient financial activities. In this paper, we undertake the first automated security risk assessment and focus on global banking apps to examine FinTech. First, we analyze a large number of banking apps and propose a comprehensive set of security weaknesses widely existent in these apps. Second, we design a three-phase automated security risk assessment system (Ausera), which combines natural language processing and static analysis of data and control flows, to efficiently identify security weaknesses of banking apps. We performed experiments on 693 real-world banking apps across over 80 countries and unveiled 2,157 weaknesses. To date, 21 banks have acknowledged the weaknesses that we reported. We find that outdated version of banking apps, pollution from third-party libraries, and weak hash functions are all likely to be exploited by attackers. We also show that banking apps of different provenance exhibit various types of security weaknesses, mainly due to economies and regulations that take shape. Given the drastic change in the nature of intermediation, it behooves the RegTech companies and all stakeholders to understand the characteristics and consequences of security risks brought by contemporary FinTech.

Wenzheng Liu,Xiaofeng Wang,Wei Peng

DOI: https://doi.org/10.1109/access.2019.2963480

IF: 3.9

2020-01-01

IEEE Access

Abstract:With mobile payments popular around the world, payers can conduct a payment anytime and anywhere. While providing great convenience, mobile payment also brings many payment security issues. This paper is the first comprehensive review of secure mobile payment. We classify the mobile payment into TPC (third-party payment company)-led mobile payment and Bank-led mobile payment, and based on this, summarize the system structure of mobile payment. Then we discuss the mobile payment security technology framework from Tokenization, PAN (bank card primary account number) binding, and Secure Payment Authentication, respectively. Besides, this paper introduces secure technologies(hardware and software) used in these procedures, discusses and analyzes the security issues that they have been encountered, summarise open issues, and proposes future development directions. In the end, we give the discussion and comparison of popular and representative mobile payment applications, including Alipay, Wechat Pay, Apple Pay, Samsung Pay, and Google Pay.

Zhibo Zhang,Lei Zhang,Guangliang Yang,Yanjun Chen,Jiahao Xu,Min Yang

DOI: https://doi.org/10.1109/tifs.2024.3390553

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In app-in-app ecosystems, mobile applications (i.e., host apps) often delegate their rich resources to hosted parties (i.e., sub-apps), which can be utilized to provide millions of effective services including shopping, banking, and government. These resources vary from system abilities (e.g., web socket and GPS location) to app and user data (e.g., storage and phone number). This leads to an important research question-carefully design and enforce security regulations on these cross-party delegated resources (CPDR). Real-world host apps, according to our study, adopt 11 common security regulations in protecting the integrity, confidentiality, and availability of CPDR. However, existing practice and compliance between host apps and sub-apps are vague and inconsistent, leading to violations of these security regulations. To the best of our knowledge, no prior works have studied these security regulations. In this paper, we perform the first systematic study of the security regulations and their security weaknesses in real-world app-in-app ecosystems. We propose three novel attack vectors including masquerade attack, data-driven attack, and channel hijacking. We find that violations of the common security regulations are widespread among all 9 studied app-in-app ecosystems. More importantly, such security weakness can lead to severe consequences such as manipulating sub-apps' back-end servers and stealing sensitive user data. We responsibly report all of our findings to host app developers of affected app-in-app ecosystems and help them fix their vulnerabilities. The code of this work is available at https://github.com/TitaniumB/MiniAppSecurity.git.

Kai MA,Shan-Qing GUO

DOI: https://doi.org/10.13328/j.cnki.jos.005497

2018-01-01

Abstract:To shorten the application development time,many Android developers include third-party SDKs in their apps.Third party SDKs are toolkits developed by third-party service companies such as advertising platforms,data providers,social network,and map service providers.These third party SDKs have become an important part of the Android ecosystem.If an SDK contains security vulnerabilities,all the apps that include it would become vulnerable,which severely affects the security of the Android ecosystem.Toaddress this issue,this work selects 129 popular third-party SDK in the market and makes comprehensive analysis of their security.In order to improve the accuracy of the analysis,demo apps of third-party SDKs are taken as analysis object,and certain effective Android-app analysis methods (such as static taint tracking,dynamic taint tracking and dynamic binary instrumentation) and analysis tools (such as flowdroid and droidbox) are employed.The result shows that more than 60％ of the collected third-party SDKs contain various of vulnerabilities (e.g.misuse of HTTP,misuse of SSL/TLS,abuse of sensitive permissions,identification,vulnerabilities brought by the local server,information leakage through logging,mistakes of applications developers),which is a threat to the related applications and the users of these applications.

Sen Chen,Lingling Fan,Guozhu Meng,Ting Su,Minhui Xue,Yinxing Xue,Yang Liu,Lihua Xu

DOI: https://doi.org/10.48550/arXiv.1805.05236

2020-02-18

Abstract:Mobile banking apps, belonging to the most security-critical app category, render massive and dynamic transactions susceptible to security risks. Given huge potential financial loss caused by vulnerabilities, existing research lacks a comprehensive empirical study on the security risks of global banking apps to provide useful insights and improve the security of banking apps. Since data-related weaknesses in banking apps are critical and may directly cause serious financial loss, this paper first revisits the state-of-the-art available tools and finds that they have limited capability in identifying data-related security weaknesses of banking apps. To complement the capability of existing tools in data-related weakness detection, we propose a three-phase automated security risk assessment system, named AUSERA, which leverages static program analysis techniques and sensitive keyword identification. By leveraging AUSERA, we collect 2,157 weaknesses in 693 real-world banking apps across 83 countries, which we use as a basis to conduct a comprehensive empirical study from different aspects, such as global distribution and weakness evolution during version updates. We find that apps owned by subsidiary banks are always less secure than or equivalent to those owned by parent banks. In addition, we also track the patching of weaknesses and receive much positive feedback from banking entities so as to improve the security of banking apps in practice. To date, we highlight that 21 banks have confirmed the weaknesses we reported. We also exchange insights with 7 banks, such as HSBC in UK and OCBC in Singapore, via in-person or online meetings to help them improve their apps. We hope that the insights developed in this paper will inform the communities about the gaps among multiple stakeholders, including banks, academic researchers, and third-party security companies.

Cryptography and Security

Tianqi Wang,Ting Liu,Huimin Zhu

DOI: https://doi.org/10.56397/ist.2024.01.07

2024-01-01

Abstract:As the mobile payment landscape continues to evolve rapidly, this paper examines the emerging threats and future challenges facing Alipay and the broader industry. The analysis encompasses cybersecurity innovations, regulatory landscape changes, user privacy concerns, integration with emerging technologies, global expansion challenges, competition and market saturation, technological infrastructure scalability, consumer education and trust, geopolitical risks, and social and ethical considerations. With the aim of fostering a comprehensive understanding, the paper explores how Alipay can strategically adapt to these challenges through continuous innovation, regulatory compliance, user-centric approaches, and global collaboration. The insights derived from this exploration contribute to a holistic perspective on the dynamic future of mobile payments.

Yong Xu,Xueyan Liu,Ruiying Yao

DOI: https://doi.org/10.1109/icmecg.2009.74

2009-01-01

Abstract:This article introduced the existing third-party mobile payment model, as well as third-party network security payment model and analysis their pros and cons and then concluded a mobile payment model of a combination of the two models - mobile payment model based on third-party security .Then systematically introduced the model structure, made the detailed design of their payment flow and pointed out its market advantages and characteristics of the application.

Fannv He,Yan Jia,Jiayu Zhao,Yue Fang,Jice Wang,Mengyue Feng,Peng Liu,Yuqing Zhang

DOI: https://doi.org/10.14722/ndss.2024.24241

2024-01-01

Abstract:Authentication is one of the established practices to ensure user security.Personally identifiable information (PII), such as national identity card number (ID number) and bank card number, is used widely in China's mobile apps as an additional secret to authenticate users, i.e., PII-as-Factor Authentication (PaFA).In this paper, we found a new threat that calls on the cautiousness of PaFA: the simultaneous usages and business-related interactions of apps make the authentication strength of a target app weaker than designed.An adversary, who knows fewer authentication factors (only SMS OTP) than a PaFA system required, can break the authentication by gathering information or abusing cross-app authorization from other apps.To systematically study the potential risks, we proposed a semiautomatic system, MAGGIE, to evaluate the security of PaFA in target apps.By measuring 234 real-world apps in Chinese app markets with the help of MAGGIE, we found 75.4% of apps that deployed PaFA can be bypassed, including the popular and sensitive ones (e.g., AliPay, WeChat, UnionPay), leading to severe consequences like hijack user accounts and making unauthorized purchases.Additionally, we conducted a survey to demonstrate the practical implications of the new risk on users.Finally, we reported our findings to the vendors and provided several mitigation measures.

Xi CHEN,You-liang TIAN,Zhuo MA,Jian-feng MA

2014-01-01

Abstract:There is no doubt that mobile payment is the spotlight in Internet finance now.Although users can enjoy quick and convenient services,they have to face with more severe security problems at the same time:the attack incidents,such as cellphone Trojan and privacy leaks emerge endlessly.Lots of viruses which are designed for attacking financial payments can steal users’ personal information including account,password and verification code in the proceedings of remote payment and near field communication.Security issues have already seriously impeded the further development of the mobile payment market.To solve the above problems,discusses the security issues in mobile terminals,payments,network and interactive logic of banking business from financial institutions’ perspective was discussed systematically.In addition,current status of relevant security key technologies are summarized from academic research community and industry fields.Finally,based on related research achievements,the design of system architecture and suggestions for mobile payment security are proposed,which can guide the future development of commercial bank.

Zhengyi Ao,Xiaoming Guo,Meiting Huang,Yan Luo,Zhaoxiong Shi,Jing Wu,Yingwen Cheng

DOI: https://doi.org/10.23977/accaf.2023.040301

Abstract:: The Internet science and technology and e-commerce have spawned the rise of third-party payment. While bringing convenience to the public, due to the lack of regulatory norms and their own problems, the third-party payment platform has become a tool for criminals to launder money. This paper focuses on the current situation of WeChat self-money laundering, explores the self-money laundering risks caused by the regulatory environment and WeChat platform's own problems

Computer Science,Law,Business

Jia Shi,Yu Jiang

2015-01-01

Abstract:In recent years, the third-party payment has become an integral part of e-commerce in China. When bringing us a safe, effective, convenient and cheap means for payment, it has also exposed risks. It is essential to have a clear understanding of third-party payment and to distinct the potential risks. We give a description about the definition and the operation process, and then based on previous study, we analyze the potential risk in four aspects: market risk, technical and operational risk, legal risk and credit risk. We suggest that third-party payment platform should focus on innovation, cooperation, routine check and maintenance, and trustworthy credit rating mechanism is a must.

Zhou Yu,Chai Hongfeng,He Shuo,Liao Jian

DOI: https://doi.org/10.3969/j.issn.1000-386X.2012.10.080

2012-01-01

Abstract:In this paper the status quo of the development of mobile payment business and the importance of security compliance detection of mobile payment system are introduced.Corresponding security standards on the requirements to information system security compliance detection are studied.The emphasis of the paper is to describe the compliance detection and analysis methods from three aspects: the system logs-based,the network communication information-based and the system configuration-based.According to these,a security compliance analysis and automatic detection model for mobile payment system is designed,which improves the accuracy and compliance of the detection outcomes,and this helps the sustained secure operation of the mobile payment system.

Weixian Yao,Yexuan Li,Weiye Lin,Tianhui Hu,Imran Chowdhury,Rahat Masood,Suranga Seneviratne

DOI: https://doi.org/10.48550/arXiv.2007.03905

2020-07-08

Abstract:Third-party security apps are an integral part of the Android app ecosystem. Many users install them as an extra layer of protection for their devices. There are hundreds of such security apps, both free and paid in Google Play Store and some of them are downloaded millions of times. By installing security apps, the smartphone users place a significant amount of trust towards the security companies who developed these apps, because a fully functional mobile security app requires access to many smartphone resources such as the storage, text messages and email, browser history, and information about other installed applications. Often these resources contain highly sensitive personal information. As such, it is essential to understand the mobile security apps ecosystem to assess whether is it indeed beneficial to install them. To this end, in this paper, we present the first empirical study of Android security apps. We analyse 100 Android security apps from multiple aspects such as metadata, static analysis, and dynamic analysis and presents insights to their operations and behaviours. Our results show that 20% of the security apps we studied potentially resell the data they collect from smartphones to third parties; in some cases, even without the user consent. Also, our experiments show that around 50% of the security apps fail to identify malware installed on a smartphone.

Cryptography and Security

Sen Chen,Ting Su,Lingling Fan,Guozhu Meng,Minhui Xue,Yang Liu,Lihua Xu

DOI: https://doi.org/10.1145/3236024.3275523

2018-01-01

Abstract:Mobile banking apps, as one of the most contemporary FinTechs, have been widely adopted by banking entities to provide instant financial services. However, our recent work discovered thousands of vulnerabilities in 693 banking apps, which indicates these apps are not as secure as we expected. This motivates us to conduct this study for understanding the current security status of them. First, we take 6 months to track the reporting and patching procedure of these vulnerabilities. Second, we audit 4 state-of the-art vulnerability detection tools on those patched vulnerabilities. Third, we discuss with 7 banking entities via in-person or online meetings and conduct an online survey to gain more feedback from financial app developers. Through this study, we reveal that (1) people may have inconsistent understandings of the vulnerabilities and different criteria for rating severity; (2) state-of-the-art tools are not effective in detecting vulnerabilities that the banking entities most concern; and (3) more efforts should be endeavored in different aspects to secure banking apps. We believe our study can help bridge the existing gaps, and further motivate different parties, including banking entities, researchers and policy makers, to better tackle security issues altogether.

Geng Hong,Zhemin Yang,Sen Yang,Xiaojing Liao,Xiaolin Du,Min Yang,Haixin Duan

DOI: https://doi.org/10.1109/sp46214.2022.9833665

2022-01-01

Abstract:With the growth of mobile computing techniques, mobile gambling scams have seen a rampant increase in the recent past. In mobile gambling scams, miscreants deliver scamming messages via mobile instant messaging, host scam gambling platforms on mobile apps, and adopt mobile payment channels. To date, there is little quantitative knowledge about how this trending cybercrime operates, despite causing daily fraud losses estimated at more than ${\$}$522,262 USD. This paper presents the first empirical study based on ground-truth data of mobile gambling scams, associated with 1,461 scam incident reports and 1,487 gambling scam apps, spanning from January 1, 2020 to December 31, 2020. The qualitative and quantitative analysis of this ground-truth data allows us to characterize the operational pipeline and full fraud kill chain of mobile gambling scams. In particular, we study the social engineering tricks used by scammers and reveal their effectiveness. Our work provides a systematic analysis of 1,068 confirmed Android and 419 iOS scam apps, including their development frameworks, declared permissions, compatibility, and backend network infrastructure. Perhaps surprisingly, our study unveils that public online app generators have been abused to develop gambling scam apps. Our analysis reveals several payment channels (ab)used by gambling scam app and uncovers a new type of money mule-based payment channel with the average daily gambling deposit of ${\$}$400,000 USD. Our findings enable a better understanding of the mobile gambling scam ecosystem, and suggest potential avenues to disrupt these scam activities.

Wei YANG,Xusheng XIAO,Dengfeng LI,Huoran LI,Xuanzhe LIU,Haoyu WANG,Yao GUO,Tao XIE

DOI: https://doi.org/10.19363/j.cnki.cn10-1380/tn.2016.02.001

2016-01-01

Abstract:With the increasing popularity of mobile apps, security incidents of mobile apps frequently occur. Accurately identifying security threats among billions of mobile apps has become an important and difficult topic in information secu-rity. In the meantime, the increasing number of mobile apps leads to a massive amount of mobile security data, which ena-bles security analytics for mobile apps. In this article, we illustrate recent research achievements on mobile security ana-lytics from five different perspectives:User Interface (UI) analytics, identification of repackage apps, consistency check-ing between apps functionality and security behaviors, context-sensitive detection of malicious behaviors, and client app management/usage. We also discuss future directions on security analytics for mobile apps, along with challenges in these directions.

王隆娟,姚孝明,谭毓银

DOI: https://doi.org/10.3969/j.issn.1674-9456.2015.01.003

2015-01-01

Abstract:This paper analys and sum the security threat of mobile payment,and the mobile payment scheme is analyzed,In final y,the author puts forward solutions and suggestions of the problem of mobile payment security which provide reference for the business of mobile payment security.