An Evaluation of Basic Protection Mechanisms in Financial Apps on Mobile Devices
Abstract
This thesis concerns the robustness of security checks in financial mobile applications (or simply
financial apps). The best practices recommended by OWASP for developing such apps require
developers to include several checks in these apps, such as detection of a rooted device,
certificate checks, and so on. Ideally, these checks should be implemented so that they cannot be
located through trivial static analysis, so that attackers cannot bypass them trivially. In this
thesis, we conduct a large-scale study of financial apps on the Android platform and determine
the robustness of these checks. Our study shows that among the apps with at least one security
check, in more than 50% of them at least one check can be trivially bypassed. Some of the
financial apps we considered have installation counts exceeding 100 million on Google Play. We
believe that the results of our study can guide developers of these apps in inserting security
checks in a more robust fashion.
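To make the abstract's notion of a check that is "locatable through trivial static analysis" concrete, the following added example (an illustration written for this page, not code or data from the thesis) runs the simplest possible static scan over constructed smali fragments of the kind produced by decompiling an APK. The class names, the helper method d(), the indicator list and every smali line are hypothetical; the first class embeds its root-detection indicators as plaintext literals, the second stores the same su path base64-encoded and decodes it at run time.

```python
"""Trivial static analysis for root-detection checks in decompiled Android code.

Added example: scans smali-like lines of a decompiled APK for the plaintext
indicators that root-detection code commonly relies on. The class names,
sample smali and indicator list are all constructed for this illustration.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Indicators root-detection code typically embeds as literals (hypothetical
# selection for this example; a real scanner would carry a longer list).
ROOT_INDICATORS = [
    r"/system/xbin/su",
    r"/system/bin/su",
    r"/sbin/su",
    r"test-keys",
    r"eu\.chainfire\.supersu",
    r"com\.topjohnwu\.magisk",
    r"Landroid/os/Build;->TAGS",
    r"Lcom/scottyab/rootbeer/RootBeer;->isRooted",
]
INDICATOR_RE = re.compile("|".join(ROOT_INDICATORS))
CONST_STRING_RE = re.compile(r'const-string(?:/jumbo)? v\d+, "([^"]*)"')

# The same su path, base64-encoded, as an obfuscating app might store it.
ENCODED_SU_PATH = base64.b64encode(b"/system/xbin/su").decode()

# Constructed smali fragments standing in for two classes of one APK:
# the first embeds its indicators in plaintext, the second decodes the
# same path at run time through a (hypothetical) helper method d().
SAMPLE_SMALI: Dict[str, List[str]] = {
    "Lcom/example/bank/RootCheck;": [
        ".method public static isRooted()Z",
        '    const-string v0, "/system/xbin/su"',
        "    invoke-static {v0}, Lcom/example/bank/RootCheck;->fileExists(Ljava/lang/String;)Z",
        "    sget-object v1, Landroid/os/Build;->TAGS:Ljava/lang/String;",
        '    const-string v2, "test-keys"',
        "    invoke-virtual {v1, v2}, Ljava/lang/String;->contains(Ljava/lang/CharSequence;)Z",
        ".end method",
    ],
    "Lcom/example/bank/a/b;": [
        ".method public static a()Z",
        f'    const-string v0, "{ENCODED_SU_PATH}"',
        "    invoke-static {v0}, Lcom/example/bank/a/c;->d(Ljava/lang/String;)Ljava/lang/String;",
        "    move-result-object v0",
        "    invoke-static {v0}, Lcom/example/bank/a/b;->e(Ljava/lang/String;)Z",
        ".end method",
    ],
}


def _decoded_literal(line: str) -> Optional[str]:
    """If the line defines a const-string that is valid base64 for UTF-8
    text, return the decoded text; otherwise None."""
    m = CONST_STRING_RE.search(line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None


def find_root_checks(classes: Dict[str, List[str]],
                     decode_base64: bool = False) -> Dict[str, List[str]]:
    """Map each class containing a root-detection indicator to the list of
    matched indicators, in order of appearance. With decode_base64=True the
    scan also looks inside base64-decoded string constants, which is the
    smallest step beyond a plain grep."""
    hits: Dict[str, List[str]] = {}
    for cls, lines in classes.items():
        found: List[str] = []
        for line in lines:
            texts = [line]
            if decode_base64:
                decoded = _decoded_literal(line)
                if decoded is not None:
                    texts.append(decoded)
            for text in texts:
                found.extend(m.group(0) for m in INDICATOR_RE.finditer(text))
        if found:
            hits[cls] = found
    return hits


if __name__ == "__main__":
    for label, flag in (("plain grep", False), ("grep + base64", True)):
        print(f"[{label}]")
        for cls, indicators in find_root_checks(SAMPLE_SMALI, flag).items():
            print(f"  {cls}: {indicators}")
```

The plaintext class is found by the plain scan from its su path, its Build.TAGS read and its "test-keys" literal; once an attacker has the class and method, patching isRooted() to return false is a one-instruction change. The encoded class escapes the plain scan but not the one-step-smarter pass that decodes string constants, which is why merely hiding strings does not by itself make a check robust in the sense the thesis uses.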