Advertisement

Analysing Data Security Requirements of Android Mobile Banking Application

  • Shikhar Bhatnagar
  • Yasir MalikEmail author
  • Sergey Butakov
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11317)

Abstract

Mobile banking applications are at high risk of cyber attacks due to security vulnerabilities in their application design and underlying operating systems. The Inter-Process Communication mechanism in Android enables applications to communicate, share data and reuse functionality between them. However, if used incorrectly, it can become an attack surface, which allows malicious applications to exploit devices and compromise sensitive financial information. In this research, we focused on addressing the intent vulnerabilities by applying a hybrid fuzzing testing technique to analyze the data security requirements of native Android financial applications. The system first automatically constructs an application behavior model and later apply hybrid fuzzing to the model to analyze the data leak vulnerabilities. Testing results help to discover the unknown exploitable entry points in the applications under test.

Keywords

Android Intent Fuzzing Security testing Data leaks 

References

  1. 1.
  2. 2.
  3. 3.
  4. 4.
    Bojjagani, S., Sastry, V.N.: STAMBA: security testing for android mobile banking apps. In: Thampi, S., Bandyopadhyay, S., Krishnan, S., Li, K.C., Mosin, S., Ma, M. (eds.) Advances in Signal Processing and Intelligent Recognition Systems. AISC, vol. 425, pp. 671–683. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-28658-7_57CrossRefGoogle Scholar
  5. 5.
    Kaka, S., Sastry, V., Maiti, R.R.: On the MitM vulnerability in mobile banking applications for android devices. In: 2016 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS), pp. 1–6. IEEE (2016)Google Scholar
  6. 6.
    Klieber, W., Flynn, L., Bhosale, A., Jia, L., Bauer, L.: Android taint flow analysis for app sets. In: Proceedings of the 3rd ACM SIGPLAN International Workshop on the State of the Art in Java Program Analysis, pp. 1–6. ACM (2014)Google Scholar
  7. 7.
    Kouraogo, Y., Zkik, K., Orhanou, G., et al.: Attacks on android banking applications. In: International Conference on Engineering & MIS (ICEMIS), pp. 1–6. IEEE (2016)Google Scholar
  8. 8.
    Li, L., et al.: IccTA: detecting inter-component privacy leaks in android apps. In: Proceedings of the 37th International Conference on Software Engineering-Volume 1, pp. 280–291. IEEE Press (2015)Google Scholar
  9. 9.
    Ludwig, A., Mille, M.: Diverse protections for a diverse ecosystem: Android security 2016 year in review. Google Security Blog. Google. Accessed 22 March 2017Google Scholar
  10. 10.
    Mueller, B., et al.: About the standard. Foreword by Bernhard Mueller, OWASP Mobile Project 5 Frontispiece 7 About The Standard 7 Copyright And License 7 Acknowledgements 7 (2017)Google Scholar
  11. 11.
    Panja, B., Fattaleh, D., Mercado, M., Robinson, A., Meharia, P.: Cybersecurity in banking and financial sector: security analysis of a mobile banking application. In: 2013 International Conference on Collaboration Technologies and Systems (CTS), pp. 397–403. IEEE (2013)Google Scholar
  12. 12.
    Sasnauskas, R., Regehr, J.: Intent fuzzer: crafting intents of death. In: Proceedings of the 2014 Joint International Workshop on Dynamic Analysis (WODA) and Software and System Performance Testing, Debugging, and Analytics (PERTEA), pp. 1–5. ACM (2014)Google Scholar
  13. 13.
    Shezan, F.H., Afroze, S.F., Iqbal, A.: Vulnerability detection in recent android apps: an empirical study. In: 2017 International Conference on Networking, Systems and Security (NSysS), pp. 55–63. IEEE (2017)Google Scholar
  14. 14.
    Wang, J., Chen, B., Wei, L., Liu, Y.: Skyfire: data-driven seed generation for fuzzing. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 579–594. IEEE (2017)Google Scholar
  15. 15.
    Wang, Y., Zhuge, J., Sun, D., Liu, W., Li, F.: Activityfuzzer: detecting the security vulnerabilities of android activity componentsGoogle Scholar
  16. 16.
    Wei, F., Roy, S., Ou, X., et al.: Amandroid: a precise and general inter-component data flow analysis framework for security vetting of android apps. ACM Trans. Priv. Secur. (TOPS) 21(3), 14 (2018)Google Scholar
  17. 17.
    Wu, T., Yang, Y.: Crafting intents to detect ICC vulnerabilities of android apps. In: 2016 12th International Conference on Computational Intelligence and Security (CIS), pp. 557–560. IEEE (2016)Google Scholar
  18. 18.
    Yang, K., Zhuge, J., Wang, Y., Zhou, L., Duan, H.: Intentfuzzer: detecting capability leaks of android applications. In: Proceedings of the 9th ACM symposium on Information, computer and communications security, pp. 531–536. ACM (2014)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Shikhar Bhatnagar
    • 1
  • Yasir Malik
    • 1
    Email author
  • Sergey Butakov
    • 1
  1. 1.Department of Information Systems Security ManagementConcordia University of EdmontonEdmontonCanada

Personalised recommendations