
An Evaluation of Basic Protection Mechanisms in Financial Apps on Mobile Devices

Series: M.Tech (Research) Thesis Defense

Speaker: Nikhil Agrawal, M.Tech (Research) student, Dept. of CSA IISc

Date/Time: Sep 29 14:00:00

Location: CSA Seminar Hall (Room No. 254, First Floor)

Faculty Advisor: Prof. Vinod Ganapathy, The student was also c

Mobile devices have become an integral part of the payment ecosystem. Payments are facilitated by financial applications (such as mobile banking and UPI apps), which have in turn soared in popularity. Given the increasing dependence on the financial app ecosystem and the sensitive nature of the data these apps handle (including the bank and card details of payees and payers), we set out to study a fundamental question: do the developers of financial apps include self-defense checks to make their apps more secure? If so, how trivial is it for attackers to bypass such checks? This thesis concerns the robustness of security checks in financial mobile applications. The best practices recommended by the Open Web Application Security Project (OWASP) for developing such apps require developers to include several checks, such as detection of running on a rooted device, certificate checks, and so on. Ideally, these checks should be introduced in a sophisticated way and should not be locatable through trivial static analysis, so that attackers cannot bypass them trivially. In this work, we conduct a large-scale study of financial apps on the Android platform and determine the robustness of these checks. Our study shows that a significant fraction of financial apps do not have the self-defense checks recommended by OWASP. We then show that, among the apps with at least one security check, in more than 50% of them at least one check could be trivially bypassed. Some of these financial apps have installation counts exceeding 100 million on Google Play. The entire process of detecting a self-defense check and bypassing it is automated. We believe that the results of our study can guide the developers of these apps in inserting security checks in a more robust fashion.

Speaker Bio:
Nikhil Agrawal is an M.Tech (Research) student in the CSA department. He is a member of the Computer Architecture and Systems Lab (CASL) and the Computer Systems Security Lab (CSSL). During his research, he analyzed many financial apps in depth on the Android platform. Before joining IISc in August 2019, he completed his engineering degree at R.V. College of Engineering (RVCE), Bengaluru, in 2018. Currently, he is a Software Engineer at Cradlewise.

Host Faculty: