BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//project/author//NONSGML v1.0//EN
CALSCALE:GREGORIAN
BEGIN:VEVENT
DTEND:20220401T120000Z
UID:5b5f08cab5a70420f368d04271272077-261
DTSTAMP:19700101T120010Z
DESCRIPTION:An Evaluation of Basic Protection Mechanisms in Financial Apps on Mobile Devices
URL;VALUE=URI:https://www.csa.iisc.ac.in/newweb/event/261/an-evaluation-of-basic-protection-mechanisms-in-financial-apps-on-mobile-devices/
SUMMARY:Mobile devices have become an integral part of the payment ecosystem. Payments are facilitated by financial applications (such as mobile banking and UPI apps), which have in turn soared in popularity. Given the increasing dependence on the financial app ecosystem and the sensitive nature of the data these apps handle (including the bank/card details of payees and payers), we set out to study a fundamental question: do the developers of financial apps include self-defense checks to make their apps more secure? If so, how trivial is it for attackers to bypass such checks?
This thesis concerns the robustness of security checks in financial mobile applications. The best practices recommended by the Open Web Application Security Project (OWASP) for developing such apps demand that developers include several checks, such as detection of running on a rooted device, certificate checks, and so on. Ideally, these checks must be introduced in a sophisticated way and must not be locatable through trivial static analysis, so that attackers cannot bypass them trivially. In this work, we conduct a large-scale study of financial apps on the Android platform and determine the robustness of these checks.
Our study shows that a significant fraction of financial apps do not have the self-defense checks recommended by OWASP. We then show that, among the apps with at least one security check, in more than 50% of them at least one check could be trivially bypassed. Some of these financial apps have installation counts exceeding 100 million on Google Play. The entire process of detecting a self-defense check and bypassing it is automated. We believe that the results of our study can guide developers of these apps in inserting security checks in a more robust fashion.
DTSTART:20220401T120000Z
END:VEVENT
END:VCALENDAR