An Evaluation of Basic Protection Mechanisms in Financial Apps on Mobile Devices

Abstract

This thesis concerns the robustness of security checks in financial mobile applications (or simply financial apps). The best practices recommended by OWASP for developing such apps demand that developers include several checks in these apps, such as detection of running on a rooted device, certificate checks, and so on. Ideally, these checks must be introduced in a sophisticated way, and must not be locatable through trivial static analysis, so that attackers cannot bypass them trivially. In this thesis, we conduct a large-scale study focused on financial apps on the Android platform and determine the robustness of these checks. Our study shows that among the apps with at least one security check, > 50% of such apps at least one check can be trivially bypassed. Some of such financial apps we considered have installation counts exceeding 100 million from Google Play. We believe that the results of our study can guide developers of these apps in inserting security checks in a more robust fashion.