http://dx.doi.org/10.13089/JKIISC.2018.28.4.827

A Study on Method for Bypassing Verification Function by Manipulating Return Value of Android Payment Application's Security Solution

You, Jaewook (Gachon University)
Han, Mijeong (Chosun University)
Kim, Kyuheon (Korea University)
Jang, Junyoung (Korea University)
Jin, Hoyong (Sejong University)
Ji, Hanbyeol (Seoul National University of Science and Technology)
Shin, Jeonghoon (THEORI)
Kim, Kyounggon (Center for Information Security Technologies (CIST), Korea University)
Abstract
Since 2014, the easing of regulations on financial institutions has expanded the mobile payment market based on simplified authentication, which has led to the emergence of various simple payment services. Although several security solutions have been used to mitigate possible security threats to payment applications, vulnerabilities can still be found because of the structure by which the security solution is attached to the payment service. In this paper, we analyze the payment application and its security solution from the process perspective, and demonstrate through experiment that the verification functions of security solutions can be bypassed simply by manipulating the verification result value, without detailed analysis of each security function. Finally, we propose methods to mitigate the bypass presented in this paper from three different perspectives, and thereby contribute to improving the security level of the payment service.
Keywords
Mobile Payment; Android Security; Security Solution; Android Security Verification
Citations & Related Records
Times Cited By KSCI: 4