DOI: 10.1145/3136560.3136595 (ICTD conference proceedings, short paper)

A Study of Static Analysis Tools to Detect Vulnerabilities of Branchless Banking Applications in Developing Countries

Published: 16 November 2017

Abstract

The ubiquity of smartphones and their prevalence among the underprivileged has enabled the delivery of financial services to the previously unbanked through digital means. At the same time, it has exposed the same people to the security vulnerabilities of digital infrastructure. In this paper, we analyze 10 Android Digital Financial Services (DFS) applications using static analysis tools and present results showing that off-the-shelf static bug-checking tools can be useful in finding many critical security bugs in DFS applications. Our findings also show that DFS applications from developing countries have more vulnerabilities in application-specific code than DFS applications from developed countries. However, we observe that general-purpose static analysis tools have low specificity for DFS-specific bugs, such as vulnerabilities in the use of cryptography and networking, and there is a need to develop better bug detection tools.


Published in: ICTD '17: Proceedings of the Ninth International Conference on Information and Communication Technologies and Development, November 2017, 333 pages. ISBN: 9781450352772. DOI: 10.1145/3136560. Conference Chair: Umar Saif. Copyright © 2017 ACM.
Publisher: Association for Computing Machinery, New York, NY, United States.