BSET: Android 行動支付之生物辨識功能驗證工具

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：103

、訪客IP：3.133.144.140

姓名

郭峻安(Chun-An Kuo) 查詢紙本館藏

畢業系所

資訊工程學系在職專班

論文名稱

BSET: Android 行動支付之生物辨識功能驗證工具
(BSET: A Biometric Security Evaluation Tool for Android Mobile Payment)

相關論文

★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm	★ Discoverer- Rootkit即時偵測系統
★ 一項Android手機上詐騙簡訊的偵測與防禦機制	★ SRA系統防禦ARP欺騙劫持路由器
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines	★ 針對遠端緩衝區溢位攻擊之自動化即時反擊系統
★ 即時血清系統: 具攻性防壁之自動化蠕蟲治癒系統	★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks	★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
★ Shark: Phishing Information Recycling from Spam Mails	★ FFRTD: Beat Fast-Flux by Response Time Differences
★ Antivirus Software Shield against Antivirus Terminators	★ MAC-YURI : My ACcount, YoUr ResponsIbility
★ KKBB: Kernel Keylogger Bye-Bye	★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

至系統瀏覽論文 (2027-6-30以後開放)

摘要(中)

隨著科技發展，行動裝置逐漸普及，而數位經濟時代的來臨使得行動支付成為未來發展的趨勢，加上行動裝置上大多已經裝載生物辨識功能，進一步提升了行動支付的便利性。現有大多行動支付應用程式因便利性大多支援生物辨識功能，而行動支付應用程式中生物辨識功能的安全性會取決於開發人員編寫程式碼的方式。
本研究使用Android生物辨識功能驗證工具來驗證台灣常用的9款Android行動支付應用程式，利用Frida注入生物辨識繞過腳本，再透過靜態與動態分析瞭解程式運作邏輯，發現大多數行動支付應用程式沒有使用安全的方式撰寫生物辨識功能，導致生物辨識功能可以被惡意的第三方繞過。後續我們將這些漏洞透過Google Play商店上的開發者信箱進行通報，協助提升整體行動支付應用程式的安全性。

摘要(英)

With the development of technology, mobile devices are gradually becoming more and more popular, and the advent of the digital economy has made mobile payment a trend for the future, and most mobile devices are already equipped with biometric functions, further enhancing the convenience of mobile payment apps. Most existing mobile payment apps support biometric features for convenience, and the security of biometric features in mobile payment apps will depend on the way the code is written by the developer.
This study uses the Android biometric verification tool to verify 9 popular Android mobile payment apps in Taiwan, using Frida to inject biometric bypass scripts, and then using static and dynamic analysis to understand the logic of the program′s operation, and found that most of the mobile payment apps did not use a secure way to write biometric functions, resulting in biometric results that can be bypassed by malicious third parties. These vulnerabilities are subsequently reported through the developer mailbox on the Google Play Store to help improve the overall security of mobile payment apps.

關鍵字(中)

★ 行動支付應用程式
★ Android
★ 生物辨識
★ Frida

關鍵字(英)

★ Mobile Payment apps
★ Android
★ Biometric
★ Frida

論文目次

一、緒論 1
1.1 研究背景 1
1.2 研究目的 3
1.3 研究範圍與限制 3
二、背景與回顧相關研究 5
2.1 Android 系統架構 5
2.2 Android 應用程式結構 6
2.3 Android 應用程式的安全機制 7
2.3.1 APK 混淆 (obfuscator) 7
2.3.2 APK 加殼 (Packer) 7
2.3.3 Android TEE 8
2.3.4 Android 生物辨識機制 9
2.4 Android 逆向工程 12
2.4.1 APK 檢測工具 12
2.4.2 APK 反編譯工具 13
2.4.3 APK 脫殼 (unpacker) 14
2.4.4 Magisk 14
2.4.5 動態分析工具 14
2.5 相關文獻回顧 15
2.6 生物辨識繞過腳本介紹 19
三、研究方法與架構 23
3.1 檢測架構 23
3.2 BSET-靜態分析模組 26
3.3 BSET-動態分析模組 28
四、實驗結果分析與討論 31
4.1 實驗環境 31
4.2 實驗流程 32
4.2.1 Frida Hook 與腳本注入 32
4.2.2 Objection 動態分析 35
4.2.3 取得 APK 36
4.2.4 APK 脫殼 36
4.2.5 APK 靜態分析 38
4.2.6 修改 APK 重新打包 38
4.3 例外處理 43
4.4 實驗結果與問題回報 45
4.5 實驗結果分析 49
4.5.1 無法繞過之結果分析 49
4.5.2 可以繞過之結果分析 52
4.6 後續追蹤 59
五、結論與未來研究方向 63
5.1 結論 63
5.2 未來研究方向 64
參考文獻 65

參考文獻

1. Li, Q. et al. Early transmission dynamics in Wuhan, China, of novel coronavirus–infected pneumonia. New England journal of medicine (2020).
2. 資策會產業情報研究所（ MIC）. 【行動支付大調查系列二】疫情加速「網路商店、外送、繳費」場域成長每日用戶成長五倍均消破千用戶成長一成 https://mic.iii.org.tw/news.aspx?id=618.
3. Zhao, Y. & Bacao, F. How does the pandemic facilitate mobile payment? An investigation on users＇ perspective under the COVID-19 pandemic. International journal of environmental research and public health 18, 1016 (2021).
4. 行政院-新聞傳播處. 加速推動行動支付普及 https://www.ey.gov.tw/Page/5A8A0CB5B41DA11E/84ca877a-f946-4684-a19d-732a351dc448.
5. 未來流通研究所. 2021【產業地圖圖解】台灣「電子支付」產業地圖 https://www.mirai.com.tw/2021-taiwan-e-payment-industry-map-diagram/.
6. Mayron, L. M. Biometric authentication on mobile devices. IEEE Security & Privacy 13,70–73 (2015).
7. Biometrics https://source.android.com/security/biometric.
8. Android Open Source Project https://source.android.com/.
9. Unuchek, R. Rooting your Android: Advantages, disadvantages, and snags. Luettavissa:https://www.kaspersky.com/blog/android-root-faq/17135/. Luettu 21, 2017 (2017).
10. Agrawal, M., Varshney, G., Saumya, K. P. S. & Verma, M. Pegasus: Zero-Click spyware attack–its countermeasures and challenges.
11. Nokia. Threat Intelligence Report 2021 https : / / onestore . nokia . com / asset /210870.
12. Ahmed, W. et al. Security in next generation mobile payment systems: A comprehensive survey. IEEE Access (2021).
13. Platform Architecture https://developer.android.com/guide/platform.
14. FingerprintManager https://developer.android.com/reference/android/hardware/fingerprint/FingerprintManager%5C#authenticate(android.hardware.fingerprint.FingerprintManager.CryptoObject,%5C%20android.os.CancellationSignal,%5C%20int,%5C%20android.hardware.fingerprint.FingerprintManager.AuthenticationCallback,%5C%20android.os.Handler.
15. BiometricPrompt https://developer.android.com/reference/android/hardware/biometrics/BiometricPrompt%5C#authenticate(android.os.CancellationSignal,%5C%20java.util.concurrent.Executor,%5C%20android.hardware.biometrics.BiometricPrompt.AuthenticationCallback.
16. Kamil Breński, K. P. & Fruba, M. How Secure is your Android Keystore Authentication ?https://labs.f-secure.com/blog/how-secure-is-your-android-keystoreauthentication.
17. rednaga. APKiD gives you information about how an APK was made https://github.com/rednaga/APKiD.
18. skylot. Dex to Java decompiler https://github.com/skylot/jadx.
19. rednaga. A tool for reverse engineering Android apk files https://github.com/rednaga/APKiD.
20. hluwa. frida-dexdump is a frida tool to find and dump dex in memory to support security engineers in analyzing malware https://github.com/hluwa/frida-dexdump.
21. topjohnwu. Magisk is a suite of open source software for customizing Android, supporting devices higher than Android 5.0 https://github.com/topjohnwu/Magisk.
22. Sensepost. Objection - Runtime Mobile Exploration https://github.com/sensepost/objection/wiki/Components.
23. Fingerprint HIDL https://source.android.google.cn/security/authentication/fingerprint-hal.
24. Gomez-Barrero, M. & Galbally, J. Reversing the irreversible: A survey on inverse biometrics. Computers & Security 90, 101700 (2020).
25. Mayrhofer, R. & Sigg, S. Adversary models for mobile device authentication. ACM Computing Surveys (CSUR) 54, 1–35 (2021).
26. OWASP Mobile Application Security Verification Standard (MASVS) https://github.com/OWASP/owasp-masvs.
27. OWASP. OWASP Mobile Security Testing Guide https://owasp.org/www-projectmobile-security-testing-guide/.
28. V4: Authentication and Session Management Requirements https://mobile-security.gitbook.io/masvs/security-requirements/0x09-v4-authentication%5C_and%5C_session%5C_management%5C_requirements.

指導教授

許富皓(Fu-Hau Hsu)

審核日期

2022-6-14

推文