ABSTRACT
The ubiquity of smartphones and their prevalence among the underprivileged has enabled the delivery of financial services to the previously unbanked through digital means. At the same time, it has exposed those same people to the security vulnerabilities of digital infrastructure. In this paper, we analyze 10 Android Digital Financial Services (DFS) applications using static analysis tools and present results showing that off-the-shelf static bug-checking tools can be useful in finding many critical security bugs in DFS applications. Our findings also show that DFS applications from developing countries have more vulnerabilities in application-specific code than DFS applications from developed countries. However, we observe that general-purpose static analysis tools have low specificity for DFS-specific bugs, such as vulnerabilities in the use of cryptography and networking, and that there is a need to develop better bug detection tools.
A Study of Static Analysis Tools to Detect Vulnerabilities of Branchless Banking Applications in Developing Countries