Write a Blog >>
ICSE 2020
Wed 24 June - Thu 16 July 2020
Fri 10 Jul 2020 07:36 - 07:48 at Goguryeo - I20-Android Testing Chair(s): Shing-Chi Cheung

Mobile banking apps, belonging to the most security-critical app category, render massive and dynamic transactions susceptible to security risks. Given huge financial losses caused by vulnerabilities, existing research lacks a comprehensive empirical study on the security risks of global banking apps to provide useful insights and improve the security of banking apps.

Since data-related weaknesses in banking apps are critical and may directly cause serious financial loss, this paper first revisits the state-of-the-art available tools and finds that they have limited capability in identifying data-related weaknesses of banking apps. To complement the capability of existing tools in data-related weakness detection, we propose a three-phase automated security risk assessment system, named Ausera, which leverages static program analysis techniques and sensitive keyword identification. By leveraging Ausera, we collect 2,157 weaknesses in 693 real-world banking apps across 83 countries, which we use as a basis to conduct a comprehensive empirical study from different aspects, such as global distribution and weakness evolution during version updates. We find that apps owned by subsidiary banks are always less secure than or equivalent to those owned by parent banks. In addition, we also track the weakness fixing and receive much useful feedback from banking entities so as to improve the security of banking apps in practice. We further find that weaknesses derived from outdated versions of banking apps or third-party libraries are highly prone to being exploited by attackers. To date, we highlight that 21 banks have confirmed the weaknesses we reported (including 126 weaknesses in total). We also exchange insights with 7 banks, such as HSBC in UK and OCBC in Singapore, via in-person or online meetings to help them improve their apps. We hope that the insights developed in this paper will inform the communities about the gaps among multiple stakeholders, including banks, academic researchers, and third-party security companies.

Fri 10 Jul
Times are displayed in time zone: (UTC) Coordinated Universal Time change

07:00 - 08:00: I20-Android TestingPaper Presentations / Technical Papers at Goguryeo
Chair(s): Shing-Chi CheungDepartment of Computer Science and Engineering, The Hong Kong University of Science and Technology
07:00 - 07:12
Talk
Technical Papers
Jiwei YanInstitute of Software, Chinese Academy of Sciences, Hao LiuBeijing University of Technology, Linjie PanInstitute of Software, Chinese Academy of Sciences, Jun YanInstitute of Software, Chinese Academy of Sciences, Jian ZhangInstitute of Software, Chinese Academy of Sciences, Bin LiangRenmin University of China, China
07:12 - 07:24
Talk
Technical Papers
Zhen DongNational University of Singapore, Marcel BöhmeMonash University, Lucia CojocaruPolitehnica University of Bucharest, Abhik RoychoudhuryNational University of Singapore, Singapore
07:24 - 07:36
Talk
Technical Papers
Shin Hwei TanSouthern University of Science and Technology, Ziqiang LiSouthern University of Science and Technology
Media Attached File Attached
07:36 - 07:48
Talk
Technical Papers
Sen ChenNanyang Technological University, Singapore, Lingling FanNanyang Technological University, Singapore, Guozhu MengInstitute of Information Engineering, Chinese Academy of Sciences, Ting SuETH Zurich, Switzerland, Jason Minhui XueThe University of Adelaide, Yinxing Xue, Yang LiuNanyang Technological University, Singapore, Lihua XuNew York University Shanghai
Pre-print
07:48 - 08:00
Talk
Technical Papers
Ju QianNanjing University of Aeronautics and Astronautics, Zhengyu ShangNanjing University of Aeronautics and Astronautics, Shuoyan YanNanjing University of Aeronautics and Astronautics, Yan Wang, Lin ChenNanjing University