Cardpliance: PCI DSS Compliance of Android Applications

USENIX Security Symposium, pp. 1517-1533, 2020.

The findings from our study demonstrate a positive landscape of Payment Card Industry Data Security Standard compliance in popular Android applications on Google Play

Abstract:

Smartphones and their applications have become a predominant way of computing, and it is only natural that they have become an important part of financial transaction technology. However, applications asking users to enter credit card ...

Introduction
  • Mobile devices have become a primary way for users to access technology, and for many users, it is the only way.
  • The casual observer might expect that mobile apps offering paid services and goods will always leverage the established and centralized payment platforms provided by the mobile OS (e.g., Google Pay and Apple Pay).
  • These payment platforms provide users a secure and trusted way to manage their payment information without unnecessarily exposing it to third parties.
  • The fact remains: applications are asking users to enter credit card information.
Highlights
  • Mobile devices have become a primary way for users to access technology, and for many users, it is the only way
  • We found that the Payment Card Industry Data Security Standard (PCI DSS) distinguishes between cardholder data (CHD) and sensitive account data (SAD), which impacts software processing, as shown in Table 1
  • Mobile Payment applications improve the standard of trade and commerce
  • Their ease and flexibility have attracted a wide range of customers and potential adversaries
  • While our study demonstrates that most of the 358 applications (98.32%) properly handle payment data according to Cardpliance, some applications still improperly store credit card numbers and card verification codes
  • We significantly reduce the time to analyze applications
  • The findings from our study demonstrate a positive landscape of Payment Card Industry (PCI) DSS compliance in popular Android applications on Google Play
Methods
  • The authors opt for manual code review instead of manually running the application due to complexities of reaching screens that request payments.
  • The authors group the data flows that were marked as potential PCI DSS violations by the PCI DSS requirement they violate (see Section 4).
  • If all of the data flows within a PCI DSS requirement group are erroneous, the authors mark the application as a false positive for that PCI DSS requirement group.
  • If the authors successfully validate a data flow, they mark the application as containing a PCI DSS violation and start analysis on the PCI DSS requirement group for that application.
Results
  • The authors significantly reduce the time to analyze applications.
Conclusion
  • Mobile Payment applications improve the standard of trade and commerce.
  • Their ease and flexibility have attracted a wide range of customers and potential adversaries.
  • The authors designed and used Cardpliance to study 358 popular Android applications on Google Play that request credit card numbers.
Objectives
  • The goal of this study is to gauge the impact of PCI DSS non-compliance on real-world users.
Tables
  • Table1: Types of payment information relevant to credit cards
  • Table2: PCI DSS tests defined by source (S), sink (K), and required (R) methods on data flow paths in the DDG
  • Table3: Applications with Validated PCI DSS Violations
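Table 2 describes each Cardpliance test by a source (S), sink (K) and required (R) method set on DDG data-flow paths, and the Methods notes describe grouping flagged flows by the PCI DSS requirement they violate and marking a group a false positive only when every flow in it proves erroneous on manual review. The following toy model of that test shape and review rule is an added example, not the paper's code; its test definitions, method names and flow paths are all constructed.

```python
"""Toy model of a Cardpliance-style PCI DSS data-flow test (added example,
not the paper's code). Tests follow the source (S) / sink (K) / required (R)
shape of Table 2; classify_app applies the manual-review rule from the
Methods notes. All method names, tests and paths below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class FlowTest:
    requirement: str      # PCI DSS requirement group the test maps to
    sources: frozenset    # methods that introduce payment data into the app
    sinks: frozenset      # methods where that data leaves or is persisted
    required: frozenset   # at least one of these must appear on the path


def violates(test: FlowTest, path: List[str]) -> bool:
    """A DDG path violates a test when it runs from a source to a sink
    without passing through any of the required methods."""
    if not path or path[0] not in test.sources or path[-1] not in test.sinks:
        return False
    return not any(m in test.required for m in path[1:-1])


def group_violations(tests: List[FlowTest],
                     paths: List[List[str]]) -> Dict[str, List[List[str]]]:
    """Group candidate violations by the requirement they trip."""
    groups: Dict[str, List[List[str]]] = {}
    for t in tests:
        hits = [p for p in paths if violates(t, p)]
        if hits:
            groups[t.requirement] = hits
    return groups


def classify_app(groups: Dict[str, List[List[str]]],
                 erroneous: Set[Tuple[str, ...]]) -> Dict[str, str]:
    """Manual-review rule: a requirement group is a false positive only if
    every flow in it was judged erroneous; otherwise it is a violation."""
    return {req: ("false positive" if all(tuple(p) in erroneous for p in flows)
                  else "violation") for req, flows in groups.items()}


# Constructed tests in the S/K/R shape of Table 2 (not the paper's values).
TESTS = [
    FlowTest("store-PAN-only-encrypted", frozenset({"EditText.getText:cardNumber"}),
             frozenset({"SharedPreferences.Editor.putString"}), frozenset({"Cipher.doFinal"})),
    FlowTest("never-store-CVV", frozenset({"EditText.getText:cvv"}),
             frozenset({"SharedPreferences.Editor.putString", "FileOutputStream.write"}),
             frozenset()),  # SAD may never be stored, so no method satisfies R
]
# Constructed DDG paths, each listed from source method to sink method.
PATHS = [
    ["EditText.getText:cardNumber", "String.trim", "SharedPreferences.Editor.putString"],
    ["EditText.getText:cardNumber", "Cipher.doFinal", "SharedPreferences.Editor.putString"],
    ["EditText.getText:cvv", "String.trim", "FileOutputStream.write"],
]
```

Running `group_violations(TESTS, PATHS)` flags the unencrypted card-number path and the stored CVV path, and `classify_app` then turns a reviewer's per-flow verdicts into the per-requirement outcome the Methods notes describe.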
Related work
  • Securing payment cards has been an important question leading to seminal papers in computer security [7, 13], yet it continues to remain relevant [4, 10, 13, 33, 34]. For example, magnetic stripe cards are easily cloned [4, 7], and only recently have mechanisms to detect this attack been developed [33, 34]. Instead, much of the research has examined EMV chip-based cards, finding and mitigating vulnerabilities related to unauthenticated terminals [13] and pre-play attacks [10].

    Payments, however, have moved to mobile devices, making mobile app security an important question for payments. Recent analyses [11, 31] of branchless banking applications found flaws related to misuse of cryptography, flawed authentication, and SSL/TLS misconfiguration. SSL/TLS security is especially important for mobile payments, which primarily rely on HTTP-based APIs. Mobile platforms do this correctly by default, yet developers frequently break certificate validation, creating the possibility for man-in-the-middle attacks [17, 18, 20, 29, 36]. Studies of mobile payment platforms [40] and documentation [12] in China have also demonstrated vulnerabilities in the payment protocols. Further studies on cryptography in Android apps have shown that incorrect use is rampant [14, 25].

    5. https://developer.android.com/training/articles/security-config
Funding
  • This work is supported in part by NSA Science of Security award H9823017-D-0080 and NSF SaTC grant CNS-1513690
  • Any findings and opinions expressed in this material are those of the authors and do not necessarily reflect the views of the funding agencies
Reference
  • Android Component and Services.
  • [4] Insert Skimmer + Camera Cover PIN Stealer. https://krebsonsecurity.com/2019/03/insert-skimmer-camera-cover-pin-stealer/.
  • [5] PCI Compliance Fees, Fines, and Penalties: What Happens After a Breach? https://www.lbmc.com/blog/pci-compliance-fees-fines-and-penalties/.
  • [6] The Payment Card Industry Data Security Standard. https://www.pcisecuritystandards.org.
  • [7] Ross Anderson. Why Cryptosystems Fail. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 1993.
  • [8] Benjamin Andow, Akhil Acharya, Dengfeng Li, William Enck, Kapil Singh, and Tao Xie. UiRef: Analysis of Sensitive User Inputs in Android Applications. In Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), 2017.
  • [9] Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 2014.
  • [10] Mike Bond, Omar Choudary, Steven J. Murdoch, Sergei Skorobogatov, and Ross Anderson. Chip and Skim: Cloning EMV Cards with the Pre-play Attack. In Proceedings of the IEEE Symposium on Security and Privacy (S&P), 2014.
  • [11] Sam Castle, Fahad Pervaiz, Galen Weld, and Richard Anderson. Let's Talk Money: Evaluating the Security Challenges of Mobile Money in the Developing World. In Proceedings of the ACM Symposium on Computing for Development (DEV), 2016.
  • [12] Yi Chen, Luyi Xing, Yue Qin, Xiaojing Liao, XiaoFeng Wang, Kai Chen, and Wei Zou. Devils in the Guidance: Predicting Logic Vulnerabilities in Payment Syndication Services through Automated Documentation Analysis. In Proceedings of the USENIX Security Symposium, 2019.
  • [13] Saar Drimer and Steven J. Murdoch. Keep Your Enemies Close: Distance Bounding Against Smartcard Relay Attacks. In Proceedings of the USENIX Security Symposium, 2007.
  • [14] Manuel Egele, David Brumley, Yanick Fratantonio, and Christopher Kruegel. An Empirical Study of Cryptographic Misuse in Android Applications. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2013.
  • [15] William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. In Proceedings of the USENIX Symposium on Operating Systems Design and Implementation (OSDI), October 2010.
  • [16] William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri. A Study of Android Application Security. In Proceedings of the USENIX Security Symposium, August 2011.
  • [17] Sascha Fahl, Marian Harbach, and Thomas Muders. Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2012.
  • [18] Sascha Fahl, Marian Harbach, and Henning Perl. Rethinking SSL Development in an Appified World. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2013.
  • [19] Fengguo Wei, Sankardas Roy, Xinming Ou, and Robby. Amandroid: A Precise and General Inter-component Data Flow Analysis Framework for Security Vetting of Android Apps. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), November 2014.
  • [20] Martin Georgiev, Subodh Iyengar, Suman Jana, Rishita Anubhai, Dan Boneh, and Vitaly Shmatikov. The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2012.
  • [21] Michael I. Gordon, Deokhwan Kim, Jeff Perkins, Limei Gilham, Nguyen Nguyen, and Martin Rinard. Information Flow Analysis of Android Applications in DroidSafe. In Proceedings of the ISOC Network and Distributed Systems Symposium (NDSS), February 2015.
  • [22] Li Li, Alexandre Bartel, Tegawendé F. Bissyandé, Jacques Klein, Yves Le Traon, Steven Arzt, Siegfried Rasthofer, Eric Bodden, Damien Octeau, and Patrick McDaniel. IccTA: Detecting Inter-component Privacy Leaks in Android Apps. In Proceedings of the International Conference on Software Engineering (ICSE), 2015.
  • [23] Long Lu, Zhichun Li, Zhenyu Wu, Wenke Lee, and Guofei Jiang. CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), pages 229–240, 2012.
  • [24] Moxie Marlinspike. New Tricks for Defeating SSL in Practice. In Black Hat Europe, 2009.
  • [25] Ildar Muslukhov, Yazan Boshmaf, and Konstantin Beznosov. Source Attribution of Cryptographic API Misuse in Android Applications. In Proceedings of the ACM Asia Conference on Computer and Communications Security (ASIACCS), 2018.
  • [26] Yuhong Nan, Zhemin Yang, Xiaofeng Wang, Yuan Zhang, Donglai Zhu, and Min Yang. Finding Clues for Your Secrets: Semantics-Driven, Learning-Based Privacy Discovery in Mobile Apps. In Proceedings of the ISOC Network and Distributed Systems Security Symposium (NDSS), 2018.
  • [27] Damien Octeau, Somesh Jha, and Patrick McDaniel. Retargeting Android Applications to Java Bytecode. In Proceedings of the ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE), November 2012.
  • [28] Damien Octeau, Patrick McDaniel, Somesh Jha, Alexandre Bartel, Eric Bodden, Jacques Klein, and Yves Le Traon. Effective Inter-component Communication Mapping in Android with Epicc: An Essential Step Towards Holistic Security Analysis. In Proceedings of the USENIX Security Symposium, 2013.
  • [29] Lucky Onwuzurike and Emiliano De Cristofaro. Danger is my Middle Name: Experimenting with SSL Vulnerabilities in Android Apps. In Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), 2015.
  • [30] Sazzadur Rahaman, Gang Wang, and Danfeng Yao. Security Certification in Payment Card Industry: Testbeds, Measurements, and Recommendations. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2019.
  • [31] Bradley Reaves, Nolen Scaife, Adam Bates, Patrick Traynor, and Kevin R.B. Butler. Mo(bile) Money, Mo(bile) Problems: Analysis of Branchless Banking Applications in the Developing World. In Proceedings of the USENIX Security Symposium, 2015.
  • [32] Jingjing Ren, Ashwin Rao, Martina Lindorfer, Arnaud Legout, and David Choffnes. ReCon: Revealing and Controlling PII Leaks in Mobile Network Traffic. In Proceedings of the ACM International Conference on Mobile Systems, Applications, and Services (MobiSys), 2016.
  • [33] Nolen Scaife, Christian Peeters, and Patrick Traynor. Fear the Reaper: Characterization and Fast Detection of Card Skimmers. In Proceedings of the USENIX Security Symposium, 2018.
  • [34] Nolen Scaife, Christian Peeters, Camilo Velez, Hanqing Zhao, Patrick Traynor, and David Arnold. The Cards Aren't Alright: Detecting Counterfeit Gift Cards Using Encoding Jitter. In Proceedings of the IEEE Symposium on Security and Privacy (S&P), 2018.
  • [35] PNF Software. JEB, An Android Decompiler. https://www.pnfsoftware.com, 2019.
  • [36] David Sounthiraraj, Justin Sahs, Zhiqiang Lin, Latifur Khan, and Garrett Greenwood. SMV-Hunter: Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps. In Proceedings of the ISOC Network and Distributed Systems Symposium (NDSS), February 2014.
  • [37] Nick Statt. Fortnite for Android will ditch Google Play Store for Epic's website. https://www.theverge.com/2018/8/3/17645982/epic-games-fortnite-android-version-bypass-google-play-store, August 2018.
  • [38] Nick Statt. Tinder is now bypassing the Play ... https://www.theverge.com/2019/7/19/20701256/tinder-google-play-store-android-bypass-30-percent-cut-avoid-self-install, July 2019.
  • [39] Justin Del Vecchio, Feng Shen, Kenny M. Yee, Boyu Wang, Steven Y. Ko, and Lukasz Ziarek. String Analysis of Android Applications. In Proceedings of the IEEE/ACM International Conference on Automated Software Engineering (ASE), 2015.
  • [40] Wenbo Yang, Yuanyuan Zhang, Juanru Li, Hui Liu, Qing Wang, Yueheng Zhang, and Dawu Gu. Show Me the Money! Finding Flawed Implementations of Third-party In-app Payment in Android Apps. In Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS), San Diego, CA, 2017.