With the development of technology, mobile devices have become widespread, and the arrival of the digital economy has made mobile payment a trend for the future; since most mobile devices already carry biometric sensors, biometrics further raise the convenience of mobile payment apps. Most existing mobile payment apps support biometric authentication for this convenience, and the security of that feature depends on how the developer wrote the code. This study uses an Android biometric-function verification tool to test 9 Android mobile payment apps commonly used in Taiwan: Frida is used to inject biometric-bypass scripts, and static and dynamic analysis are then used to understand each app's operating logic. We found that most of the mobile payment apps did not implement the biometric function in a secure way, allowing the biometric check to be bypassed by a malicious third party. We subsequently reported these vulnerabilities through the developer contact e-mail listed on the Google Play Store, to help improve the overall security of mobile payment apps.
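The finding above, that most apps did not implement biometrics securely, is easiest to see when the weak pattern sits beside the one Android's own platform documentation recommends. The following is an added example and not code from the thesis or from any of the nine apps studied; it assumes the androidx.biometric library, and the key alias `payment_key`, the prompt strings and the `Consumer<byte[]>` callback are placeholders chosen here. `weakAuthorise` shows the result-only pattern in which the success callback itself is the authorisation decision, so nothing in the app depends on a real match; `hardenedAuthorise` binds an AndroidKeyStore key that requires user authentication to the prompt through `CryptoObject`, so the payment secret cannot be decrypted unless the hardware actually verified the user, and a callback reached without a genuine match finds no usable cipher.

```java
// Added example (not from the thesis): weak versus hardened BiometricPrompt usage.
// Assumes androidx.biometric; "payment_key" and the prompt strings are placeholders.
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricManager;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;

import java.security.KeyStore;
import java.util.function.Consumer;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public final class BiometricGate {
    private static final String KEY_ALIAS = "payment_key"; // placeholder alias

    // WEAK: the success callback is the whole authorisation decision. No secret is
    // unlocked by the hardware, so app code alone decides, and anything that can
    // alter app code at runtime (the instrumentation the thesis uses) decides too.
    public static void weakAuthorise(FragmentActivity activity, Runnable releasePayment) {
        BiometricPrompt prompt = new BiometricPrompt(activity,
                ContextCompat.getMainExecutor(activity),
                new BiometricPrompt.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult r) {
                        releasePayment.run(); // boolean-style gate, nothing is cryptographically bound
                    }
                });
        prompt.authenticate(new BiometricPrompt.PromptInfo.Builder()
                .setTitle("Confirm payment")
                .setNegativeButtonText("Cancel")
                .build());
    }

    // HARDENED: the token needed to complete the payment is stored encrypted under a
    // Keystore key with setUserAuthenticationRequired(true). The Cipher is handed to
    // the prompt as a CryptoObject, and the key only becomes usable once the secure
    // hardware confirms a strong biometric, so a forged callback cannot decrypt anything.
    public static void hardenedAuthorise(FragmentActivity activity, byte[] tokenCiphertext,
                                         byte[] iv, Consumer<byte[]> consumeToken,
                                         Runnable onFailure) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding");
        cipher.init(Cipher.DECRYPT_MODE, getOrCreateKey(), new IvParameterSpec(iv));

        BiometricPrompt prompt = new BiometricPrompt(activity,
                ContextCompat.getMainExecutor(activity),
                new BiometricPrompt.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult r) {
                        BiometricPrompt.CryptoObject co = r.getCryptoObject();
                        // A "success" that carries no cipher did not come from a real match.
                        if (co == null || co.getCipher() == null) { onFailure.run(); return; }
                        try {
                            consumeToken.accept(co.getCipher().doFinal(tokenCiphertext));
                        } catch (Exception e) {
                            onFailure.run(); // key not authorised: treat as failed, never fall through
                        }
                    }

                    @Override
                    public void onAuthenticationError(int code, CharSequence msg) { onFailure.run(); }
                });
        prompt.authenticate(new BiometricPrompt.PromptInfo.Builder()
                .setTitle("Confirm payment")
                .setNegativeButtonText("Cancel")
                .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
                .build(), new BiometricPrompt.CryptoObject(cipher));
    }

    // Creates (once) an AES key that the secure hardware refuses to use until the user
    // has just authenticated, and that is invalidated when a new biometric is enrolled.
    private static SecretKey getOrCreateKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey existing = (SecretKey) ks.getKey(KEY_ALIAS, null);
        if (existing != null) return existing;
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .setUserAuthenticationRequired(true)
                .setInvalidatedByBiometricEnrollment(true)
                .build());
        return kg.generateKey();
    }
}
```

The review check this suggests is the one the thesis effectively applies to each app: if the only thing guarding a payment is a success callback with no `CryptoObject`, the decision lives entirely in app code and runtime instrumentation can reach the same branch; if instead the callback must decrypt something with the returned cipher, a bypass surfaces as a missing cipher or a failed `doFinal`, and the app should treat that as a failed attempt rather than fall through.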