Study of Security Weaknesses in Android Payment Service Provider SDKs
Title | Study of Security Weaknesses in Android Payment Service Provider SDKs |
Publication Type | Conference Paper |
Year of Publication | 2022 |
Authors | Samin Yaseer Mahmud, William Enck |
Conference Name | Proceedings of the Symposium and Bootcamp on the Science of Security (HotSoS) Poster Session |
Date Published | 04/2022 |
Conference Location | Urbana-Champaign, USA |
Keywords | 2022: April, android, mobile payment security, NCSU, Policy-Governed Secure Collaboration, program analysis, Reasoning about Accidental and Malicious Misuse via Formal Methods |
Abstract | Payment Service Providers (PSPs) let application developers integrate complex payment processing code through software development kits (SDKs). Providing an SDK reduces the risk that individual application developers introduce payment vulnerabilities, but a vulnerability in the SDK itself can affect thousands of applications at once. In this work, we propose a static analysis tool for assessing PSP SDKs against OWASP's MASVS industry standard for mobile application security. A key challenge was adapting both MASVS and existing program-analysis tools, which are designed for whole applications, to the study of a single SDK embedded in those applications. Our preliminary findings show that a number of payment processing libraries fail to meet MASVS security requirements, with evidence of sensitive data persisted insecurely, outdated cryptography, and improperly configured TLS. Our investigation therefore demonstrates the value of applying security analysis at SDK granularity, so that vulnerable code is caught before it is widely deployed. |
Citation Key | node-87150 |
Refereed Designation | Refereed |
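The abstract names three weakness classes (insecure persistence, outdated cryptography, TLS misconfiguration) and the core difficulty of scoping whole-app checks to one SDK. The following is an added illustration, not the paper's tool: a small pattern-based scanner over constructed, jadx-style decompiled Java fragments that applies MASVS-STORAGE, MASVS-CRYPTO and MASVS-NETWORK style checks only to classes under the SDK's package prefix, so that findings in the host application are excluded. The package and class names (`com.example.paysdk`, `com.example.hostapp`) are hypothetical, and the mapping of each regex to a MASVS category is the example's own simplification of the standard.

```python
"""Toy MASVS-style checks over decompiled SDK sources, scoped to one package.

Added example, not the paper's analysis tool. Package/class names below are
constructed; the check-to-MASVS-category mapping is this example's own.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed decompiled fragments (hypothetical SDK + hypothetical host app).
SAMPLE_SOURCES = {
    "com/example/paysdk/CardStore.java": '''
package com.example.paysdk;
public class CardStore {
    void save(android.content.Context ctx, String pan) {
        android.content.SharedPreferences p = ctx.getSharedPreferences("cards", Context.MODE_WORLD_READABLE);
        p.edit().putString("pan", pan).apply();
        android.util.Log.d("PaySDK", "stored card " + pan);
    }
}''',
    "com/example/paysdk/net/Pinning.java": '''
package com.example.paysdk.net;
public class Pinning {
    static javax.net.ssl.X509TrustManager trustAll() {
        return new javax.net.ssl.X509TrustManager() {
            public void checkServerTrusted(java.security.cert.X509Certificate[] c, String a) { }
            public void checkClientTrusted(java.security.cert.X509Certificate[] c, String a) { }
            public java.security.cert.X509Certificate[] getAcceptedIssuers() { return null; }
        };
    }
    static javax.net.ssl.HostnameVerifier verifier() {
        return new javax.net.ssl.HostnameVerifier() {
            public boolean verify(String h, javax.net.ssl.SSLSession s) { return true; }
        };
    }
}''',
    "com/example/paysdk/crypto/Tokenizer.java": '''
package com.example.paysdk.crypto;
public class Tokenizer {
    byte[] wrap(byte[] k, byte[] d) throws Exception {
        javax.crypto.Cipher c = javax.crypto.Cipher.getInstance("DES/ECB/PKCS5Padding");
        c.init(javax.crypto.Cipher.ENCRYPT_MODE, new javax.crypto.spec.SecretKeySpec(k, "DES"));
        return c.doFinal(d);
    }
}''',
    # Host-app code: weak, but outside the SDK package, so scan_sdk must skip it.
    "com/example/hostapp/MainActivity.java": '''
package com.example.hostapp;
public class MainActivity {
    void x() throws Exception { javax.crypto.Cipher.getInstance("RC4"); }
}''',
}

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    category: str   # MASVS-STORAGE / MASVS-CRYPTO / MASVS-NETWORK
    message: str

# Ciphers treated as deprecated for the MASVS-CRYPTO check.
WEAK_ALGORITHMS = {"DES", "DESEDE", "RC4", "ARCFOUR", "RC2", "BLOWFISH"}

def weak_cipher_reason(transformation: str) -> str | None:
    """Return why a JCE transformation string is weak, or None if acceptable."""
    parts = transformation.upper().split("/")
    alg = parts[0]
    if alg in WEAK_ALGORITHMS:
        return f"deprecated cipher {alg}"
    if len(parts) == 1:
        # A bare algorithm name (e.g. "AES") resolves to ECB with PKCS5 padding.
        return f"{alg} without explicit mode defaults to ECB"
    if parts[1] == "ECB":
        return f"{alg} in ECB mode"
    return None

# (category, regex, message); re.S lets bodies span lines.
RULES = [
    ("MASVS-STORAGE", re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)"),
     "world-accessible SharedPreferences/file"),
    ("MASVS-STORAGE", re.compile(r"Log\.[dviwe]\([^;]*\b(pan|card|cvv|token)\b", re.I),
     "card data written to logcat"),
    ("MASVS-NETWORK", re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}", re.S),
     "TrustManager accepts any server certificate"),
    ("MASVS-NETWORK", re.compile(r"verify\s*\([^)]*SSLSession[^)]*\)\s*\{\s*return\s+true\s*;", re.S),
     "HostnameVerifier accepts any host"),
]
CIPHER_RE = re.compile(r'Cipher\.getInstance\(\s*"([^"]+)"')

def line_of(text: str, pos: int) -> int:
    return text.count("\n", 0, pos) + 1

def scan_source(path: str, text: str) -> list[Finding]:
    """Run every check over one decompiled class and return sorted findings."""
    findings = [Finding(path, line_of(text, m.start()), cat, msg)
                for cat, rx, msg in RULES for m in rx.finditer(text)]
    for m in CIPHER_RE.finditer(text):
        reason = weak_cipher_reason(m.group(1))
        if reason:
            findings.append(Finding(path, line_of(text, m.start()), "MASVS-CRYPTO", reason))
    return sorted(findings, key=lambda f: (f.path, f.line))

def scan_sdk(sources: dict[str, str], sdk_package: str) -> list[Finding]:
    """The SDK-granularity cut: only classes under sdk_package are analysed."""
    prefix = sdk_package.replace(".", "/") + "/"
    return [f for path in sorted(sources) if path.startswith(prefix)
            for f in scan_source(path, sources[path])]

if __name__ == "__main__":
    for f in scan_sdk(SAMPLE_SOURCES, "com.example.paysdk"):
        print(f"{f.path}:{f.line} [{f.category}] {f.message}")
```

Running it reports five findings, all under `com/example/paysdk/`, and nothing for the host application's RC4 call. A real tool would work on bytecode or an IR rather than regexes and would need data flow to confirm that the logged or persisted value is actually card data, but the package-prefix filter shows the basic move the paper describes: restricting an application-wide analysis to the SDK's own classes.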