Visible to the public Study of Security Weaknesses in Android Payment Service Provider SDKsConflict Detection Enabled

TitleStudy of Security Weaknesses in Android Payment Service Provider SDKs
Publication TypeConference Paper
Year of Publication2022
AuthorsSamin Yaseer Mahmud, William Enck
Conference NameProceedings of the Symposium and Bootcamp on the Science of Security (HotSoS) Poster Session
Date Published04/2022
Conference LocationUrbana-Champaign, USA
Keywords2022: April, android, mobile payment security, NCSU, Policy-Governed Secure Collaboration, program analysis, Reasoning about Accidental and Malicious Misuse via Formal Methods

Payment Service Providers (PSP) enable application developers to effortlessly integrate complex payment processing code using software development toolkits (SDKs). While providing SDKs reduces the risk of application developers introducing payment vulnerabilities, vulnerabilities in the SDKs themselves can impact thousands of applications. In this work, we propose a static analysis tool for assessing PSP SDKs using OWASP's MASVS industry standard for mobile application security. A key challenge for the work was reapplying both the MASVS and program analysis tools designed to analyze whole applications to study only a specific SDK. Our preliminary findings show that a number of payment processing libraries fail to meet MASVS security requirements, with evidence of persisting sensitive data insecurely, using outdated cryptography, and improperly configuring TLS. As such, our investigation demonstrates the value of applying security analysis at SDK granularity to prevent widespread deployment of vulnerable code.

Citation Keynode-87150
Refereed DesignationRefereed