
An Empirical Study on Mobile Payment Credential Leaks and Their Exploits

  • Conference paper
  • In: Security and Privacy in Communication Networks (SecureComm 2021)

Abstract

Mobile apps increasingly integrate with payment services, enabling the user to pay for orders through a third-party payment service provider, namely a Cashier. During the payment process, both the app and the Cashier rely on a set of credentials to secure the service. Despite their importance, many developers overlook the protection of payment credentials and inadvertently expose them to the wild. Such leaks severely affect the security of end-users and of the merchants associated with the apps, resulting in privacy violations and actual financial loss. In this paper, we study payment credential leaks for four top-tier Cashiers that serve over one billion users and tens of millions of merchants globally. By studying practical mobile payment systems, we identify new leaking sources of payment credentials and find 4 types of exploits with severe consequences, caused by the credential leaks combined with additional implementation flaws. In addition, we design an automatic tool, PayKeyMiner, and use it to discover around 20,000 leaked payment credentials, affecting thousands of apps. We have reported our findings to the Cashiers. All of them have confirmed the issue and pledged to notify the affected merchant apps, and some of these apps have since updated the leaked payment credentials.



Acknowledgements

This research is supported in part by the CUHK Project Impact Enhancement Fund (Project# 3133292), the CUHK Direct Grant #4055155, and the CUHK MobiTeC R&D Fund.

Author information


Corresponding author: Shangcheng Shi.


Copyright information

© 2021 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper


Cite this paper

Shi, S., Wang, X., Zeng, K., Yang, R., Lau, W.C. (2021). An Empirical Study on Mobile Payment Credential Leaks and Their Exploits. In: Garcia-Alfaro, J., Li, S., Poovendran, R., Debar, H., Yung, M. (eds) Security and Privacy in Communication Networks. SecureComm 2021. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 399. Springer, Cham. https://doi.org/10.1007/978-3-030-90022-9_5


  • DOI: https://doi.org/10.1007/978-3-030-90022-9_5


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-90021-2

  • Online ISBN: 978-3-030-90022-9

  • eBook Packages: Computer Science, Computer Science (R0)
