Visible to the public Analysis of Payment Service Provider SDKs in AndroidConflict Detection Enabled

TitleAnalysis of Payment Service Provider SDKs in Android
Publication TypeConference Paper
Year of Publication2022
AuthorsSamin Yaseer Mahmud, K. Virgil English, Seaver Thorn, William Enck, Adam Oest, Muhammad Saad
Conference NameAnnual Computer Security Applications Conference (ACSAC)
Date Published12/2022
Conference LocationAustin, Texas
Keywords2022: October, NCSU, Policy-Governed Secure Collaboration, Reasoning about Accidental and Malicious Misuse via Formal Methods

Payment Service Providers (PSPs) provide software development toolkits (SDKs) for integrating complex payment processing code into applications. Security weaknesses in payment SDKs can impact thousands of applications. In this work, we propose AARDroid for statically assessing payment SDKs against OWASP's MASVS industry standard for mobile application security. In creating AARDroid, we adapted application-level requirements and program analysis tools for SDK-specific analysis, tailoring dataflow analysis for SDKs using domain-specific ontologies to infer the security semantics of application programming interfaces (APIs). We apply AARDroid to 50 payment SDKs and discover security weaknesses including saving unencrypted credit card information to files, use of insecure cryptographic primitives, insecure input methods for credit card information, and insecure use of WebViews. These results demonstrate the value of applying security analysis at the SDK granularity to prevent the widespread deployment of insecure code.

Citation Keynode-89106
Refereed DesignationRefereed