Visible to the public A Study of Security Weaknesses in Android Payment Service Provider SDKs

Payment Service Providers (PSP) enable application developers to effortlessly integrate complex payment processing code using software development toolkits (SDKs). While providing SDKs reduces the risk of application developers introducing payment vulnerabilities, vulnerabilities in the SDKs themselves can impact thousands of applications. In this work, we propose a static analysis tool for assessing PSP SDKs using OWASP’s MASVS industry standard for mobile application security. A key challenge for the work was reapplying both the MASVS and program analysis tools designed to analyze whole applications to study only a specific SDK. Our preliminary findings show that a number of payment processing libraries fail to meet MASVS security requirements, with evidence of persisting sensitive data insecurely, using outdated cryptography, and improperly configuring TLS. As such, our investigation demonstrates the value of applying security analysis at SDK granularity to prevent widespread deployment of vulnerable code.

Samin Yaseer Mahmud is a fourth year Ph.D student in the Department of Computer Science at North Carolina State University. He is working as a Research Assistant at Wolfpack Security and Privacy Research Lab. He is advised by Dr. William Enck. His research interests broadly fall within the areas of systems security and privacy, currently with a focus on analyzing and improving the security of mobile payment systems and protocols.

Creative Commons 2.5

Other available formats:

A Study of Security Weaknesses in Android Payment Service Provider SDKs
Switch to experimental viewer