Potential Vulnerability Analysis of Mobile Banking
INTRODUCTION
With the increase in the distribution rate of smartphones, a flood of apps reflecting a variety of users' demands is coming out. There are various smartphone platforms such as Android, iOS and Windows Phone. Currently, Android ranks top in worldwide smartphone market share by platform, with a share of 79.3% [1]. However, malicious code targeting Android smartphones is increasing in proportion. Repackaging accounts for the greatest proportion of the methods used to distribute malicious apps: attackers recover the source code of popular apps via reverse engineering, insert malicious code and then redistribute them [2]. In particular, if an app such as a banking app, which deposits and withdraws money in/from the user's account and handles the user's sensitive personal information, is contaminated, a very serious problem may result. The data an app uses is stored and managed together with the app itself. To protect such important code and information, Android uses a mechanism called permissions. Excessive use of permissions that have nothing to do with the functions of an app, or use of a dangerous permission, is likely to be abused by an attacker. This paper analyzes the status of the use of permissions in banking apps, one of the most security-sensitive kinds of app, and prepares the basis of countermeasures by analyzing their risks.
ANDROID SECURITY SYSTEM
A. Concept of Android Security
When an app is installed, a folder is generated to save its source code and the data it uses. The security system of Android is based on Java's sandbox structure, in which, in principle, an app cannot access the code or data of another app. Thus, to perform a function that may affect the system or another app, e.g. using the data or resources of another app, an app must hold a permission to perform that function [3]. Every app must have an AndroidManifest.xml file in its root directory. The manifest presents essential information about the application to the Android system, information the system must have before it can run any of the application's code [3]. Information about the permissions necessary to run an app is also included in this manifest file.
B. Android Permission
A permission is a restriction limiting access to a part of the code or to data on the device. The limitation is imposed to protect critical data and code that could be misused to distort or damage the user experience. If an application needs access to a feature protected by a permission, it must declare that it requires that permission in the manifest. Then, when the application is installed on the device, the installer determines whether or not to grant the requested permission, in some cases by asking the user [3]. Each permission may have various attributes, including a "protectionLevel". The protectionLevel characterizes the potential risk implied in the permission. The kinds of protectionLevel a permission may have, and their meanings, are given in Table 1. Among these, since a 'dangerous' permission carries a high risk, attention should be paid to it, and if it is misused the user may be harmed.
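As an added illustration of the manifest-based permission declaration described in Section B (example code, not from the paper), the following Python script parses an AndroidManifest.xml, lists its uses-permission entries and groups them by protectionLevel. The manifest, the package name and the protectionLevel table are constructed for the example; the table only samples a few well-known platform permissions.

```python
# Added example, not from the paper: list the <uses-permission> entries of an
# AndroidManifest.xml and group them by protectionLevel (table constructed here).
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed excerpt of a protectionLevel table; a real audit would read the
# levels from the platform's own permission definitions.
PROTECTION_LEVEL = {
    "android.permission.INTERNET": "normal",
    "android.permission.ACCESS_NETWORK_STATE": "normal",
    "android.permission.READ_SMS": "dangerous",
    "android.permission.RECEIVE_SMS": "dangerous",
    "android.permission.READ_CONTACTS": "dangerous",
    "android.permission.ACCESS_FINE_LOCATION": "dangerous",
    "android.permission.READ_PHONE_STATE": "dangerous",
    "android.permission.INSTALL_PACKAGES": "signature",
}

# Constructed manifest of a hypothetical banking app (package name is made up).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="com.example.bank.permission.DEBUG_HOOK"/>
    <application android:label="Bank"/>
</manifest>
"""

def declared_permissions(manifest_xml):
    """Return the android:name of every <uses-permission>, in document order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]

def audit_permissions(manifest_xml):
    """Group declared permissions by protectionLevel; names missing from the
    table are reported as 'unknown' so custom or leftover ones are not lost."""
    report = defaultdict(list)
    for name in declared_permissions(manifest_xml):
        report[PROTECTION_LEVEL.get(name, "unknown")].append(name)
    return dict(report)

if __name__ == "__main__":
    for level, names in audit_permissions(SAMPLE_MANIFEST).items():
        print(f"{level:10s} {len(names):2d}  {', '.join(names)}")
```

Permissions that land in the 'dangerous' or 'unknown' groups are the ones to review against the app's actual functions, as the paper recommends.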
CONCLUSION
Since banking apps handle sensitive personal information and money transactions, their safety is of the utmost importance. This study investigated and analyzed how banking apps use permissions, one of the security mechanisms provided by Android. The kinds and numbers of permissions used by each app varied greatly. In addition, permissions that might have serious impacts on the system and other apps if misused made up a large proportion. Excessive permissions were mostly demanded for various additional services, but some were included due to a lack of developer knowledge or as uncleaned remnants from testing. Whether intended or not, the analysis shows that the use of dangerous permissions may cause serious damage when apps are repackaged into malicious apps, which could easily escape the user's notice. Therefore, it is necessary to study direct and indirect security measures through restrictions or guidelines on banking apps.