Abstract
Mobile banking applications are at high risk of cyber attacks due to security vulnerabilities in their application design and underlying operating systems. The Inter-Process Communication mechanism in Android enables applications to communicate, share data and reuse functionality between them. However, if used incorrectly, it can become an attack surface, which allows malicious applications to exploit devices and compromise sensitive financial information. In this research, we focused on addressing the intent vulnerabilities by applying a hybrid fuzzing testing technique to analyze the data security requirements of native Android financial applications. The system first automatically constructs an application behavior model and later apply hybrid fuzzing to the model to analyze the data leak vulnerabilities. Testing results help to discover the unknown exploitable entry points in the applications under test.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
References
Drozer module fuzzinozer. https://github.com/mwrlabs/drozer-modules/blob/master/intents/fuzzinozer.py
Mobile banking applications security challenges for banks. https://www.accenture.com/t20170421T060949__w__/us-en/_acnmedia/PDF-49/Accenture-Mobile-Banking-Apps-Security-Challenges-Banks.pdf. Accessed October 2017
MWR infosecurity drozer tool. https://labs.mwrinfosecurity.com/tools/drozer/
Bojjagani, S., Sastry, V.N.: STAMBA: security testing for android mobile banking apps. In: Thampi, S., Bandyopadhyay, S., Krishnan, S., Li, K.C., Mosin, S., Ma, M. (eds.) Advances in Signal Processing and Intelligent Recognition Systems. AISC, vol. 425, pp. 671–683. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-28658-7_57
Kaka, S., Sastry, V., Maiti, R.R.: On the MitM vulnerability in mobile banking applications for android devices. In: 2016 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS), pp. 1–6. IEEE (2016)
Klieber, W., Flynn, L., Bhosale, A., Jia, L., Bauer, L.: Android taint flow analysis for app sets. In: Proceedings of the 3rd ACM SIGPLAN International Workshop on the State of the Art in Java Program Analysis, pp. 1–6. ACM (2014)
Kouraogo, Y., Zkik, K., Orhanou, G., et al.: Attacks on android banking applications. In: International Conference on Engineering & MIS (ICEMIS), pp. 1–6. IEEE (2016)
Li, L., et al.: IccTA: detecting inter-component privacy leaks in android apps. In: Proceedings of the 37th International Conference on Software Engineering-Volume 1, pp. 280–291. IEEE Press (2015)
Ludwig, A., Mille, M.: Diverse protections for a diverse ecosystem: Android security 2016 year in review. Google Security Blog. Google. Accessed 22 March 2017
Mueller, B., et al.: About the standard. Foreword by Bernhard Mueller, OWASP Mobile Project 5 Frontispiece 7 About The Standard 7 Copyright And License 7 Acknowledgements 7 (2017)
Panja, B., Fattaleh, D., Mercado, M., Robinson, A., Meharia, P.: Cybersecurity in banking and financial sector: security analysis of a mobile banking application. In: 2013 International Conference on Collaboration Technologies and Systems (CTS), pp. 397–403. IEEE (2013)
Sasnauskas, R., Regehr, J.: Intent fuzzer: crafting intents of death. In: Proceedings of the 2014 Joint International Workshop on Dynamic Analysis (WODA) and Software and System Performance Testing, Debugging, and Analytics (PERTEA), pp. 1–5. ACM (2014)
Shezan, F.H., Afroze, S.F., Iqbal, A.: Vulnerability detection in recent android apps: an empirical study. In: 2017 International Conference on Networking, Systems and Security (NSysS), pp. 55–63. IEEE (2017)
Wang, J., Chen, B., Wei, L., Liu, Y.: Skyfire: data-driven seed generation for fuzzing. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 579–594. IEEE (2017)
Wang, Y., Zhuge, J., Sun, D., Liu, W., Li, F.: Activityfuzzer: detecting the security vulnerabilities of android activity components
Wei, F., Roy, S., Ou, X., et al.: Amandroid: a precise and general inter-component data flow analysis framework for security vetting of android apps. ACM Trans. Priv. Secur. (TOPS) 21(3), 14 (2018)
Wu, T., Yang, Y.: Crafting intents to detect ICC vulnerabilities of android apps. In: 2016 12th International Conference on Computational Intelligence and Security (CIS), pp. 557–560. IEEE (2016)
Yang, K., Zhuge, J., Wang, Y., Zhou, L., Duan, H.: Intentfuzzer: detecting capability leaks of android applications. In: Proceedings of the 9th ACM symposium on Information, computer and communications security, pp. 531–536. ACM (2014)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Bhatnagar, S., Malik, Y., Butakov, S. (2018). Analysing Data Security Requirements of Android Mobile Banking Application. In: Traore, I., Woungang, I., Ahmed, S., Malik, Y. (eds) Intelligent, Secure, and Dependable Systems in Distributed and Cloud Environments. ISDDC 2018. Lecture Notes in Computer Science(), vol 11317. Springer, Cham. https://doi.org/10.1007/978-3-030-03712-3_3
Download citation
DOI: https://doi.org/10.1007/978-3-030-03712-3_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-03711-6
Online ISBN: 978-3-030-03712-3
eBook Packages: Computer ScienceComputer Science (R0)