dc.contributor.author
Chen, Sen
dc.contributor.author
Fan, Lingling
dc.contributor.author
Meng, Guozhu
dc.contributor.author
Su, Ting
dc.contributor.author
Xue, Minhui
dc.contributor.author
Xue, Yinxing
dc.contributor.author
Liu, Yang
dc.contributor.author
Xu, Lihua
dc.date.accessioned
2020-11-09T12:50:45Z
dc.date.available
2020-11-04T12:10:59Z
dc.date.available
2020-11-09T12:50:45Z
dc.date.issued
2020-06
dc.identifier.isbn
978-1-4503-7121-6
en_US
dc.identifier.other
10.1145/3377811.3380417
en_US
dc.identifier.uri
http://hdl.handle.net/20.500.11850/449707
dc.description.abstract
Mobile banking apps, belonging to the most security-critical app category, render massive and dynamic transactions susceptible to security risks. Given the huge potential financial loss caused by vulnerabilities, existing research lacks a comprehensive empirical study on the security risks of global banking apps to provide useful insights and improve the security of banking apps. Since data-related weaknesses in banking apps are critical and may directly cause serious financial loss, this paper first revisits the state-of-the-art available tools and finds that they have limited capability in identifying data-related security weaknesses of banking apps. To complement the capability of existing tools in data-related weakness detection, we propose a three-phase automated security risk assessment system, named Ausera, which leverages static program analysis techniques and sensitive keyword identification. By leveraging Ausera, we collect 2,157 weaknesses in 693 real-world banking apps across 83 countries, which we use as a basis to conduct a comprehensive empirical study from different aspects, such as global distribution and weakness evolution during version updates. We find that apps owned by subsidiary banks are always less secure than or equivalent to those owned by parent banks. In addition, we also track the patching of weaknesses and receive much positive feedback from banking entities, so as to improve the security of banking apps in practice. We further find that weaknesses derived from outdated versions of banking apps or third-party libraries are highly prone to being exploited by attackers. To date, we highlight that 21 banks have confirmed the weaknesses we reported (including 126 weaknesses in total). We also exchange insights with 7 banks, such as HSBC in the UK and OCBC in Singapore, via in-person or online meetings to help them improve their apps. We hope that the insights developed in this paper will inform the communities about the gaps among multiple stakeholders, including banks, academic researchers, and third-party security companies.
en_US
dc.language.iso
en
en_US
dc.publisher
Association for Computing Machinery
en_US
dc.title
An empirical assessment of security risks of global Android banking apps
en_US
dc.type
Conference Paper
ethz.book.title
Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering
en_US
ethz.pages.start
1310
en_US
ethz.pages.end
1322
en_US
ethz.event
42nd ACM/IEEE International Conference on Software Engineering (ICSE 2020) (virtual)
en_US
ethz.event.location
Seoul, South Korea
ethz.event.date
June 27 - July 19, 2020
ethz.notes
Due to the Coronavirus (COVID-19) the conference was conducted virtually.
en_US
ethz.identifier.wos
ethz.publication.place
New York, NY
ethz.publication.status
published
en_US
ethz.leitzahl
ETH Zürich::00002 - ETH Zürich::00012 - Lehre und Forschung::00007 - Departemente::02150 - Dep. Informatik / Dep. of Computer Science::02664 - Inst. f. Programmiersprachen u. -systeme / Inst. Programming Languages and Systems::09628 - Su, Zhendong / Su, Zhendong
en_US
ethz.leitzahl.certified
ETH Zürich::00002 - ETH Zürich::00012 - Lehre und Forschung::00007 - Departemente::02150 - Dep. Informatik / Dep. of Computer Science::02664 - Inst. f. Programmiersprachen u. -systeme / Inst. Programming Languages and Systems::09628 - Su, Zhendong / Su, Zhendong
en_US
ethz.date.deposited
2020-11-04T12:11:07Z
ethz.source
FORM
ethz.eth
yes
en_US
ethz.availability
Metadata only
en_US
ethz.rosetta.installDate
2020-11-09T12:50:55Z
ethz.rosetta.lastUpdated
2024-02-02T12:27:37Z
ethz.rosetta.versionExported
true