
Breaking and Fixing Third-Party Payment Service for Mobile Apps

  • Conference paper
  • Applied Cryptography and Network Security (ACNS 2021)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12727)

Abstract

Riding on the widespread user adoption of mobile payment, a growing number of mobile apps have integrated the service from third-party payment service providers, so-called Cashiers. Despite its prevalence and critical nature, no existing standard guides the secure deployment of mobile payment, so the protocol designs and implementations of different Cashiers are diverse. Given the complicated multi-party interactions in mobile payment, either the Cashiers or the apps may fail to consider various threat models, which enlarges the attack surface and leads to exploits with severe consequences, ranging from financial loss to privacy violations. In this paper, we perform an in-depth security analysis of real-world third-party payment services for mobile apps. Specifically, we examine the mobile payment systems of five top-tier Cashiers that serve over one billion users globally. Leveraging insecure protocol designs and practical implementation flaws, e.g., vulnerable backend SDKs for mobile apps, we have discovered six types of exploits. These exploits enable the attacker to violate user privacy and shop for free in the victim apps, affecting millions of users. Finally, we propose fixes to defend against these exploits. We have shared our findings with the affected Cashiers and received their positive responses.


Notes

  1. For the rest of the paper, we use mobile payment to denote the third-party payment services for mobile apps, if not specified otherwise.


Acknowledgements

This research is supported in part by the CUHK Project Impact Enhancement Fund (Project# 3133292), the CUHK Direct Grant #4055155, and the CUHK MobiTeC R&D Fund.

Author information

Corresponding author: Wing Cheong Lau.

Appendices

A More Details on Order Replacement

Figure 7 shows a snippet of the log during the verification process within Cashier2’s Android app, which consists of two steps:

  1. getAppInfo: the CA extracts the app identifier, i.e., retailer, from the received payment order and requests the related app information from its backend server.

  2. verifyAppInfo: the CA compares the package name and signature of the MA against the received app information.

Notably, getAppInfo occurs only once, because the CA locally stores the mapping between retailer and the related app information. Nevertheless, we find that the CA in Cashier2 suffers from a software bug in getAppInfo. Consequently, this bug enables a repackaged MA to bypass the Cashier's check in the first payment attempt, even though it does not carry a benign signature.

Remark: This exploit can be made persistent if the repackaged MA injects, in each payment, an order from a new Merchant with an unknown retailer. We have done the Proof-of-Concept (PoC) experiment, reported the issue to Cashier2, and got its confirmation.

Fig. 7. Running log from Cashier2's app
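The two-step check described above, written fail-closed so that an unknown retailer cannot be mistaken for a successful verification, as an added Python example that is not code from the paper or from any Cashier's SDK. The backend table, retailer identifiers and certificate bytes are constructed for the example, and the local retailer-to-app-info cache models the "only once" behaviour of getAppInfo.

```python
"""Fail-closed app-identity verification inside a Cashier app (CA).

Added example, not code from the paper or from any Cashier's SDK. It models
the two-step check of Appendix A: getAppInfo (look up the app information that
the Cashier backend has registered for a `retailer`, cached locally after the
first lookup) and verifyAppInfo (compare the calling Merchant app's package
name and signing-certificate digest against that record). The backend table,
retailer ids and certificate bytes are constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class AppInfo:
    package_name: str
    cert_sha256: str  # hex SHA-256 of the Merchant app's signing certificate


def cert_digest(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


# Constructed stand-in for the Cashier backend: retailer -> registered app info.
GENUINE_CERT = b"constructed-genuine-signing-cert"
BACKEND_REGISTRY: Dict[str, AppInfo] = {
    "retailer-001": AppInfo("com.example.shop", cert_digest(GENUINE_CERT)),
}


class CashierVerifier:
    def __init__(self, backend: Dict[str, AppInfo]) -> None:
        self._backend = backend
        self._cache: Dict[str, AppInfo] = {}  # local retailer -> app-info mapping
        self.backend_lookups = 0               # round trips to the backend

    def get_app_info(self, retailer: str) -> Optional[AppInfo]:
        """getAppInfo: serve from the local mapping, otherwise ask the backend.

        A retailer the backend does not know yields None. The miss is not
        cached, so a retailer registered later is still found; what matters
        is that None is never treated as "nothing to compare against".
        """
        if retailer in self._cache:
            return self._cache[retailer]
        self.backend_lookups += 1
        info = self._backend.get(retailer)
        if info is not None:
            self._cache[retailer] = info
        return info

    def verify_app_info(self, retailer: str, caller_package: str,
                        caller_cert_der: bytes) -> bool:
        """verifyAppInfo: accept only a caller whose package name and signing
        certificate both match the record registered for `retailer`."""
        info = self.get_app_info(retailer)
        if info is None:
            return False  # unknown retailer: fail closed, never fall through to "pass"
        if info.package_name != caller_package:
            return False
        # constant-time comparison of the hex digests
        return hmac.compare_digest(info.cert_sha256, cert_digest(caller_cert_der))


def demo() -> dict:
    """Run the three cases from Appendix A through a fresh verifier."""
    v = CashierVerifier(BACKEND_REGISTRY)
    genuine = v.verify_app_info("retailer-001", "com.example.shop", GENUINE_CERT)
    repackaged = v.verify_app_info("retailer-001", "com.example.shop",
                                   b"constructed-repackager-cert")
    unknown_retailer = v.verify_app_info("retailer-unknown", "com.example.shop",
                                         b"constructed-repackager-cert")
    return {
        "genuine": genuine,
        "repackaged": repackaged,
        "unknown_retailer": unknown_retailer,
        "backend_lookups": v.backend_lookups,
    }


if __name__ == "__main__":
    print(demo())
```

The second verification of `retailer-001` is served from the local mapping, so the backend is contacted once for that retailer; the unknown retailer triggers a lookup but is rejected because there is no record to compare against.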

B More Details on Cross-merchant Notification Forgery

Figure 8 details the Cross-Merchant Notification Forgery mentioned in Sect. 5.3, which works as follows.

Fig. 8. Cross-merchant notification forgery

  1–4. The attacker purchases products in the victim Merchant, namely, MA, until Step 4. Then, the attacker suspends the payment session and identifies the necessary information, namely order_num, trade_amount, and backURL, from the payment order.

  5. Using the payment credentials from another app, i.e., MS', the attacker forges a payment request with the same order_num and trade_amount. Besides, the backURL is set to a host controlled by the attacker.

  6. After paying for the forged order in MS', the attacker receives the signed payment notifications from the Cashier, which contain the app identifier of MS', order_num, and trade_amount.

  7. The attacker refunds the order to get the money back.

  8. The attacker resumes the payment session in the MA and injects the forged synchronous notification (from Step 6) into the CA. Meanwhile, he sends the asynchronous one to the MS according to the backURL in Step 4.

  9. The CA propagates the forged notification to the MA.

  10. The MA sends the forged notification back to the MS and queries the payment status of the related order.

Finally, the victim Merchant verifies the digital signatures in the forged notifications and extracts order_num and trade_amount. It then compares these values with its local record (generated before Step 3), and the check passes because of the setting in Step 5. Nonetheless, the MS overlooks the app identifier, i.e., retailer, inside the received payment notifications, trusts that the order has been paid, and delivers the products to the attacker.
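The Merchant-side check that Steps 8 to 10 rely on, with the insufficient version (signature, order_num and trade_amount only) beside the fixed version that also binds the notification to the Merchant's own retailer, as an added Python example that is not code from the paper or from any Cashier. The Cashier's signature is modelled as an HMAC under one Cashier-wide key, an assumption standing in for the Cashier's real signing scheme so that a notification issued for another Merchant still verifies here, exactly the property Appendix B depends on; all keys, identifiers and orders are constructed.

```python
"""Merchant-server (MS) verification of a Cashier payment notification.

Added example; not the paper's code nor any Cashier's SDK. The Cashier's
signature is modelled as HMAC-SHA256 under a single Cashier-wide key that
stands in for the Cashier's signing key, so that, as in Appendix B, a
notification the Cashier issued for another Merchant still carries a valid
signature when it reaches this Merchant. Field names follow Appendix B
(retailer, order_num, trade_amount); keys, ids and orders are constructed.
"""
import hashlib
import hmac
import json
from typing import Dict


# Constructed: stand-in for the Cashier's signing key.
CASHIER_KEY = b"constructed-cashier-signing-key"
# This Merchant's own app identifier as registered with the Cashier.
MY_RETAILER = "retailer-001"
# Local order records written before Step 3: order_num -> trade_amount.
LOCAL_ORDERS: Dict[str, str] = {"ORD-20210001": "49.90"}


def canonical(fields: Dict[str, str]) -> bytes:
    """Stable serialisation of the signed fields (key-order independent)."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def cashier_sign(fields: Dict[str, str]) -> Dict[str, str]:
    """What the Cashier does: sign the notification fields and attach `sig`."""
    sig = hmac.new(CASHIER_KEY, canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "sig": sig}


def signature_valid(notification: Dict[str, str]) -> bool:
    body = {k: v for k, v in notification.items() if k != "sig"}
    expected = hmac.new(CASHIER_KEY, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, notification.get("sig", ""))


def verify_weak(n: Dict[str, str]) -> bool:
    """The check Appendix B describes as insufficient: signature, order_num and
    trade_amount are verified, but the app identifier (retailer) is ignored."""
    if not signature_valid(n):
        return False
    amount = LOCAL_ORDERS.get(n.get("order_num", ""))
    return amount is not None and amount == n.get("trade_amount")


def verify_strict(n: Dict[str, str]) -> bool:
    """Fix: additionally bind the notification to this Merchant's own retailer,
    so a notification the Cashier issued for MS' is rejected at MS."""
    if not verify_weak(n):
        return False
    return hmac.compare_digest(n.get("retailer", ""), MY_RETAILER)


# Constructed notifications, all signed by the Cashier.
LEGIT = cashier_sign({"retailer": MY_RETAILER, "order_num": "ORD-20210001",
                      "trade_amount": "49.90"})
# Issued by the Cashier for another Merchant (MS') whose order reused our
# order_num and trade_amount (Step 5 of Appendix B).
CROSS_MERCHANT = cashier_sign({"retailer": "retailer-other",
                               "order_num": "ORD-20210001",
                               "trade_amount": "49.90"})
# LEGIT with the amount edited after signing: the signature no longer matches.
TAMPERED = {**LEGIT, "trade_amount": "0.01"}


if __name__ == "__main__":
    cases = [("legit", LEGIT), ("cross_merchant", CROSS_MERCHANT), ("tampered", TAMPERED)]
    for name, n in cases:
        print(f"{name}: weak={verify_weak(n)} strict={verify_strict(n)}")
```

Only the retailer comparison separates the two verifiers: the cross-merchant notification is genuinely Cashier-signed and its order_num and trade_amount match the local record, so `verify_weak` accepts it, while `verify_strict` rejects it because it was issued for `retailer-other`.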

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper


Cite this paper

Shi, S., Wang, X., Lau, W.C. (2021). Breaking and Fixing Third-Party Payment Service for Mobile Apps. In: Sako, K., Tippenhauer, N.O. (eds) Applied Cryptography and Network Security. ACNS 2021. Lecture Notes in Computer Science(), vol 12727. Springer, Cham. https://doi.org/10.1007/978-3-030-78375-4_1

  • DOI: https://doi.org/10.1007/978-3-030-78375-4_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-78374-7

  • Online ISBN: 978-3-030-78375-4

  • eBook Packages: Computer Science (R0)