AUSERA: Large-Scale Automated Security Risk Assessment of Global Mobile Banking Apps

by   Sen Chen, et al.

Contemporary financial technology (FinTech) that enables cashless mobile payment has been widely adopted by financial institutions, such as banks, due to its convenience and efficiency. However, FinTech has also made massive and dynamic transactions susceptible to security risks. Given large financial losses caused by such vulnerabilities, regulatory technology (RegTech) has been developed, but more comprehensive security risk assessment is specifically desired to develop robust, scalable, and efficient financial activities. In this paper, we undertake the first automated security risk assessment and focus on global banking apps to examine FinTech. First, we analyze a large number of banking apps and propose a comprehensive set of security weaknesses widely existent in these apps. Second, we design a three-phase automated security risk assessment system (Ausera), which combines natural language processing and static analysis of data and control flows, to efficiently identify security weaknesses of banking apps. We performed experiments on 693 real-world banking apps across over 80 countries and unveiled 2,157 weaknesses. To date, 21 banks have acknowledged the weaknesses that we reported. We find that outdated version of banking apps, pollution from third-party libraries, and weak hash functions are all likely to be exploited by attackers. We also show that banking apps of different provenance exhibit various types of security weaknesses, mainly due to economies and regulations that take shape. Given the drastic change in the nature of intermediation, it behooves the RegTech companies and all stakeholders to understand the characteristics and consequences of security risks brought by contemporary FinTech.


Taxonomy of Security Weaknesses in Java and Kotlin Android Apps

Android is nowadays the most popular operating system in the world, not ...

Risk Analysis and Policy Enforcement of Function Interactions in Robot Apps

Robot apps are becoming more automated, complex and diverse. An app usua...

Challenges in Developing Secure Mobile Health Applications, A Systematic Review

Mobile health (mHealth) applications (apps) have gained significant popu...

CryptoEval: Evaluating the Risk of Cryptographic Misuses in Android Apps with Data-Flow Analysis

The misunderstanding and incorrect configurations of cryptographic primi...

Uncovering and Exploiting Hidden APIs in Mobile Super Apps

Mobile applications, particularly those from social media platforms such...

Vessels Cybersecurity: Issues, Challenges, and the Road Ahead

Vessels cybersecurity is recently gaining momentum, as a result of a few...

State Compression and Quantitative Assessment Model for Assessing Security Risks in the Oil and Gas Transmission Systems

The SCADA system is the foundation of the large-scale industrial control...

Please sign up or login with your details

Forgot password? Click here to reset