Show Me the Money! Finding Flawed Implementations of Third-party In-app Payment in Android Apps
Author(s): Wenbo Yang, Yuanyuan Zhang, Juanru Li, Hui Liu, Qing Wang, Yueheng Zhang, Dawu Gu
Download: Paper (PDF)
Date: 27 Feb 2017
Document Type: Reports
Associated Event: NDSS Symposium 2017
The massive growth of transactions routed through third-party cashiers has led numerous mobile apps to embed in-app payment functionality. Although this feature makes paying inside an app convenient, a transaction through a third-party in-app payment involves more complex interactions between multiple participants (user, merchant app, merchant server and cashier) than a traditional payment does, and the implementations in mobile apps often lack security considerations. Such transactions therefore expose new attack vectors and can be exploited more easily, leading to serious deceptions such as payment forging.
To investigate the current third-party mobile payment ecosystem and find potential security threats, we conduct an in-depth analysis of the world's largest mobile payment market, China's. We study four mainstream third-party mobile payment cashiers and derive a unified set of security rules that both the cashier and the merchant must enforce. We also illustrate the serious consequences of violating these rules, which enable up to four types of attacks against online and offline transactions. We then detect violations of the seven security rules in Android apps. Our results show not only the prevalence of third-party in-app payment but also the poor state of its security: over 37% of Android apps with at least 100,000 users embed third-party payment functionality, and hundreds of them violate at least one security rule and face various potential security risks, allowing an attacker to obtain almost any commodity or service without actually paying for it, or to trick others into paying for it. Our further investigation reveals that the cashiers not only ship improperly designed SDKs, which can widen the effects of an attack, but also publish ambiguous documentation and even vulnerable sample code, directly leading to the mistakes committed by merchants. Beyond the cashiers' inattention to security, our successful exploits against several apps show that these flawed implementations can cause financial loss in the real world. We have reported these findings to all the related parties and received positive feedback.
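As an added illustration of the kind of merchant-side mistake the abstract refers to (this is example code written for this page, not code from the paper, from any cashier SDK, or from any of the apps studied), the hypothetical handler below contrasts a merchant server that trusts the app's self-reported payment result with one that verifies the cashier's signed server-to-server notification. The signing scheme (HMAC-SHA256 over sorted `key=value` pairs), the field names, the shared key and the order data are all assumptions constructed for the example; the seven concrete rules in the paper are not reproduced here.

```python
import hashlib
import hmac

# Hypothetical shared secret and merchant identifier (assumptions for the example).
MERCHANT_KEY = b"merchant-shared-secret-demo"
MERCHANT_ID = "merchant-42"

REQUIRED = ("merchant_id", "order_id", "amount_cents", "trade_status", "sign")


def make_orders() -> dict:
    """Constructed merchant order book: order id -> amount owed and state."""
    return {
        "order-1001": {"amount_cents": 4999, "status": "pending"},
        "order-1002": {"amount_cents": 1500, "status": "pending"},
    }


def sign_fields(fields: dict, key: bytes = MERCHANT_KEY) -> str:
    """Stand-in for a cashier signing scheme: HMAC-SHA256 over sorted k=v pairs,
    with the 'sign' field itself excluded from the signed string."""
    canonical = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "sign")
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def build_notification(order_id: str, amount_cents: int, trade_status: str) -> dict:
    """Constructs the asynchronous notification the hypothetical cashier would
    POST to the merchant server after the buyer completes (or fails) payment."""
    fields = {
        "merchant_id": MERCHANT_ID,
        "order_id": order_id,
        "amount_cents": amount_cents,
        "trade_status": trade_status,
    }
    fields["sign"] = sign_fields(fields)
    return fields


def flawed_confirm(orders: dict, order_id: str, client_says_paid: bool) -> bool:
    """Rule violation: the app relays the cashier's result and the server
    believes it. Anyone who controls the app or its traffic can mark an
    order as paid without any money changing hands."""
    if client_says_paid and order_id in orders:
        orders[order_id]["status"] = "paid"
        return True
    return False


def hardened_confirm(orders: dict, notification: dict, key: bytes = MERCHANT_KEY) -> bool:
    """Server-side verification of a cashier notification. Each check blocks a
    class of forgery: unsigned or mis-signed data, a notification meant for a
    different merchant, a non-success status, a replayed notification, and a
    payment whose amount does not match what the order requires."""
    if any(f not in notification for f in REQUIRED):
        return False
    # Verify the signature (constant-time compare) before trusting any field.
    expected = sign_fields(notification, key)
    if not hmac.compare_digest(expected, str(notification["sign"])):
        return False
    if notification["merchant_id"] != MERCHANT_ID:
        return False
    if notification["trade_status"] != "SUCCESS":
        return False
    order = orders.get(notification["order_id"])
    if order is None or order["status"] != "pending":
        return False  # unknown order, or already settled (replay)
    if int(notification["amount_cents"]) != order["amount_cents"]:
        return False  # buyer paid a different amount than the order requires
    order["status"] = "paid"
    return True
```

The amount comparison is the check that is easiest to forget: a notification can carry a perfectly valid signature and still describe a payment of a few cents for an order worth much more, if the attacker tampered with the amount in the order request before it reached the cashier. Checking the signature alone does not catch that; only comparing against the merchant's own record of the order does.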