An Empirical Assessment of Security Risks of Global Android Banking Apps
International Conference on Software Engineering (2018)
Abstract
Mobile banking apps, which belong to the most security-critical app category,
render massive and dynamic transactions susceptible to security risks. Given
the huge potential financial loss caused by vulnerabilities, existing research
lacks a comprehensive empirical study on the security risks of global banking
apps that could provide useful insights and improve the security of banking apps.
Since data-related weaknesses in banking apps are critical and may directly
cause serious financial loss, this paper first revisits the state-of-the-art
available tools and finds that they have limited capability in identifying
data-related security weaknesses in banking apps. To complement the capability
of existing tools in data-related weakness detection, we propose a three-phase
automated security risk assessment system, named AUSERA, which leverages static
program analysis techniques and sensitive keyword identification. Using
AUSERA, we collect 2,157 weaknesses in 693 real-world banking apps across 83
countries, which we use as a basis for a comprehensive empirical study
from different aspects, such as global distribution and weakness evolution
during version updates. We find that apps owned by subsidiary banks are always
less secure than or, at best, equivalent to those owned by parent banks. In
addition, we track the patching of weaknesses and receive much positive feedback
from banking entities, which helps improve the security of banking apps in
practice. To date, 21 banks have confirmed the weaknesses we reported. We
also exchange insights with 7 banks, such as HSBC in the UK and OCBC in
Singapore, via in-person or online meetings to help them improve their apps. We
hope that the insights developed in this paper will inform the communities about
the gaps among multiple stakeholders, including banks, academic researchers, and
third-party security companies.
Keywords
Mobile Banking Apps, Vulnerability, Weakness, Empirical Study