Security Risk Assessment Model for Cryptographic Algorithms Misuse in Mobile Payment Applications

EasyChair Preprint no. 9181

Abstract

Applications that run on Android have more and more vulnerabilities that often lead to disclosures of personal information. Researchers have developed approaches to detect applications that are a
source of vulnerabilities. We propose a model for risk evaluation. This highlights the high rate of cryptographic misuse in mobile payment. For us, detecting it is important to assess the risk associated with the use of these APIs because this evaluation allows sensitizing developers in the
use of these different cryptographic APIs. To carry out this work, we have proposed a vulnerability analysis model that allows us to quantitatively and qualitatively assess the risks related to these misuses. The experiment was conducted using the enjarify,bytecode viewer tools. Payment applications were downloaded from Apk repositories and made usable by converting them into java classes. Also,
we used rules or criteria known to be vulnerable. So during the manual analysis, if one of the rules is found in an application, it is counted and so on until the list of rules is exhausted. Finally, from this analysis, we calculate the risks based on a proposed formula. At the end, we have grouped payment applications into three (3) categories, payment solutions (PS), payment applications that interact with bank accounts (APCB), and those that do not require a bank account (APNCB). As result, we have security risk values ranging from 0.39 - 8.39 for APCB, 0.6 - 2.67 for NBCAA, and 0.22 - 4.39 for PS.

Keyphrases: Cryptographic API, Mobile Payment Applications, risk assessment, Static Analysis.

@Booklet{EasyChair:9181,
  author = {Maharshi D'arunachala Zan and Franklin Tchakounté and Tiguiane Yélémou},
  title = {Security Risk Assessment Model for Cryptographic Algorithms Misuse in Mobile Payment Applications},
  howpublished = {EasyChair Preprint no. 9181},

  year = {EasyChair, 2022}}