Abstract (English) |
Mobile devices have become ubiquitous, the digital economy has made mobile payment a lasting trend, and most devices now ship with biometric sensors, which makes mobile payment apps more convenient still. Most existing mobile payment apps therefore offer biometric authentication for convenience; how secure that authentication actually is depends on how the developer wrote the code.
This study examines nine popular Android mobile payment apps in Taiwan with an Android biometric verification tool: Frida is used to inject biometric bypass scripts, and static and dynamic analysis are then used to understand each app's logic. Most of the apps were found not to implement biometric authentication securely, so that the biometric result can be bypassed by a malicious third party. The vulnerabilities were subsequently reported to the developers through the developer contact listed on the Google Play Store, to help improve the overall security of mobile payment apps. |
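The distinction the abstract points at, between a biometric check whose outcome is only an app-side callback and one whose outcome gates a hardware-backed key, is easiest to see in code. The following is an added example written for this page; it is not code from the thesis or from any of the tested apps. It assumes the AndroidX Biometric library (androidx.biometric 1.1 or later), a hypothetical key alias and Listener interface, and an app that protects a payment session token. The weak pattern is defeated by a Frida script that hooks onAuthenticationSucceeded and invokes it directly; in the hardened pattern the same hook hands back a Cipher that Keystore has never authorised, so decryption fails and no token is released.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricManager;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.concurrent.Executor;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Added example: weak vs. auth-bound biometric gating of a payment token. Not from the thesis. */
public final class BiometricGate {
    // Hypothetical alias and listener; the tested apps' real names are not known from the page.
    private static final String KEY_ALIAS = "payment_token_key";

    public interface Listener { void onUnlocked(byte[] token); void onFailed(String why); }

    private static BiometricPrompt.PromptInfo promptInfo() {
        return new BiometricPrompt.PromptInfo.Builder()
                .setTitle("Confirm payment")
                .setNegativeButtonText("Cancel")
                .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
                .build();
    }

    /** WEAK: success is only a boolean event in app code. A Frida script that hooks
     *  BiometricPrompt$AuthenticationCallback.onAuthenticationSucceeded and calls it
     *  directly reaches onUnlocked() without any fingerprint ever being presented. */
    public static void weakUnlock(FragmentActivity act, byte[] plaintextToken, Listener l) {
        Executor ex = ContextCompat.getMainExecutor(act);
        new BiometricPrompt(act, ex, new BiometricPrompt.AuthenticationCallback() {
            @Override public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult r) {
                l.onUnlocked(plaintextToken); // nothing here depends on the sensor having verified anything
            }
            @Override public void onAuthenticationError(int code, CharSequence msg) { l.onFailed(msg.toString()); }
        }).authenticate(promptInfo());
    }

    /** Generate an AES key that Keystore will only operate after a user authentication for
     *  this exact operation (setUserAuthenticationRequired with no validity timeout). */
    public static void createAuthBoundKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)
                .setInvalidatedByBiometricEnrollment(true) // new fingerprint enrolment kills the key
                .build());
        kg.generateKey();
    }

    private static SecretKey loadKey() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        return (SecretKey) ks.getKey(KEY_ALIAS, null);
    }

    /** STRONG: the token is stored encrypted under the auth-bound key. The Cipher travels
     *  through the prompt as a CryptoObject and only becomes usable once the biometric HAL
     *  has delivered an auth token to Keystore. A forced onAuthenticationSucceeded() hands
     *  back a Cipher that was never authorised, so doFinal() throws instead of yielding the token. */
    public static void strongUnlock(FragmentActivity act, byte[] iv, byte[] ciphertext, Listener l)
            throws GeneralSecurityException, IOException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, loadKey(), new GCMParameterSpec(128, iv));
        Executor ex = ContextCompat.getMainExecutor(act);
        new BiometricPrompt(act, ex, new BiometricPrompt.AuthenticationCallback() {
            @Override public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult r) {
                try {
                    // Use the Cipher returned by the framework, not a captured reference, and treat a
                    // missing CryptoObject (what a bypass script typically supplies) as a failure.
                    if (r.getCryptoObject() == null || r.getCryptoObject().getCipher() == null) {
                        l.onFailed("no crypto object in result");
                        return;
                    }
                    l.onUnlocked(r.getCryptoObject().getCipher().doFinal(ciphertext));
                } catch (GeneralSecurityException e) {
                    l.onFailed("key not released by Keystore: " + e);
                }
            }
            @Override public void onAuthenticationError(int code, CharSequence msg) { l.onFailed(msg.toString()); }
        }).authenticate(promptInfo(), new BiometricPrompt.CryptoObject(cipher));
    }
}
```

Sealing the token at enrolment goes through the same prompt with the Cipher in ENCRYPT_MODE, since the auth-bound key cannot be used for encryption without an authentication either; the IV and ciphertext are then stored and handed to strongUnlock. When reviewing an app, the quick test is therefore whether the success callback ever touches result.getCryptoObject(): if it does not, a callback hook alone is enough to bypass the check, which is the failure mode the abstract describes. |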