ICSE 2020
Wed 24 June - Thu 16 July 2020
Fri 10 Jul 2020 07:36 - 07:48 at Goguryeo - I20-Android Testing Chair(s): Shing-Chi Cheung

Mobile banking apps belong to the most security-critical app category, and the massive, dynamic transactions they handle are exposed to security risks. Despite the huge financial losses that vulnerabilities can cause, existing research lacks a comprehensive empirical study of the security risks of global banking apps that would provide useful insights and improve their security.

Since data-related weaknesses in banking apps are critical and may directly cause serious financial loss, this paper first revisits the state-of-the-art available tools and finds that they have limited capability in identifying data-related weaknesses in banking apps. To complement the capability of existing tools in data-related weakness detection, we propose a three-phase automated security risk assessment system, named Ausera, which leverages static program analysis techniques and sensitive keyword identification. Using Ausera, we collect 2,157 weaknesses in 693 real-world banking apps across 83 countries, which we use as a basis for a comprehensive empirical study from different aspects, such as global distribution and weakness evolution across version updates. We find that apps owned by subsidiary banks are always less secure than, or at best equivalent to, those owned by parent banks. In addition, we track the fixing of weaknesses and receive much useful feedback from banking entities, which helps improve the security of banking apps in practice. We further find that weaknesses derived from outdated versions of banking apps or third-party libraries are highly prone to exploitation by attackers. To date, 21 banks have confirmed the weaknesses we reported (126 weaknesses in total). We have also exchanged insights with 7 banks, such as HSBC in the UK and OCBC in Singapore, via in-person or online meetings to help them improve their apps. We hope that the insights developed in this paper will inform the communities about the gaps among multiple stakeholders, including banks, academic researchers, and third-party security companies.

Fri 10 Jul

Displayed time zone: (UTC) Coordinated Universal Time

07:00 - 08:00
I20-Android Testing (Technical Papers) at Goguryeo
Chair(s): Shing-Chi Cheung, Department of Computer Science and Engineering, The Hong Kong University of Science and Technology

07:00 (12m) Talk
Multiple-Entry Testing of Android Applications by Constructing Activity Launching Contexts [Technical, Artifact Available]
Technical Papers
Jiwei Yan (Institute of Software, Chinese Academy of Sciences), Hao Liu (Beijing University of Technology), Linjie Pan (Institute of Software, Chinese Academy of Sciences), Jun Yan (Institute of Software, Chinese Academy of Sciences), Jian Zhang (Institute of Software, Chinese Academy of Sciences), Bin Liang (Renmin University of China, China)

07:12 (12m) Talk
Time-travel Testing of Android Apps [ACM SIGSOFT Distinguished Paper Award, Artifact Reusable, Technical, Artifact Available]
Technical Papers
Zhen Dong (National University of Singapore), Marcel Böhme (Monash University), Lucia Cojocaru (Politehnica University of Bucharest), Abhik Roychoudhury (National University of Singapore, Singapore)

07:24 (12m) Talk
Collaborative Bug Finding for Android Apps [Technical]
Technical Papers
Shin Hwei Tan (Southern University of Science and Technology), Ziqiang Li (Southern University of Science and Technology)
Media Attached, File Attached

07:36 (12m) Talk
An Empirical Assessment of Security Risks of Global Android Banking Apps [Technical]
Technical Papers
Sen Chen (Nanyang Technological University, Singapore), Lingling Fan (Nanyang Technological University, Singapore), Guozhu Meng (Institute of Information Engineering, Chinese Academy of Sciences), Ting Su (ETH Zurich, Switzerland), Jason Minhui Xue (The University of Adelaide), Yinxing Xue, Yang Liu (Nanyang Technological University, Singapore), Lihua Xu (New York University Shanghai)
Pre-print

07:48 (12m) Talk
RoScript: A Visual Script Driven Truly Non-Intrusive Robotic Testing System for Touch Screen Applications [Technical]
Technical Papers
Ju Qian (Nanjing University of Aeronautics and Astronautics), Zhengyu Shang (Nanjing University of Aeronautics and Astronautics), Shuoyan Yan (Nanjing University of Aeronautics and Astronautics), Yan Wang, Lin Chen (Nanjing University)