On the Struggle Bus: A Detailed Security Analysis of the m-tickets App

Conference paper, Information Security (ISC 2020)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12472)

Abstract

The growing shift from private to public transportation and the increasing use of smartphones have led to the development of digital transport ticketing systems. Such systems allow transport operators to enhance their services and income, and are therefore important assets that require secure implementation and protocols. This paper uncovers a range of vulnerabilities in the m-tickets app used by Lothian Buses, one of the leading transport operators in the United Kingdom (UK). The vulnerabilities identified enable attackers to predict, reactivate and modify tickets, all of which can have damaging consequences for the operator’s business. We further reveal poor implementation of encryption mechanisms, which can lead to information leakage, as well as how adversaries could harness the operator’s infrastructure to launch Denial of Service attacks. We propose several improvements to mitigate the weaknesses identified, in particular an alternative digital ticketing system, which can serve as a blueprint for increasing the robustness of similar apps.


Notes

  1. dex2jar, GitHub, https://github.com/pxb1988/dex2jar.
  2. Java Decompiler, http://java-decompiler.github.io/.
  3. Xamarin, https://dotnet.microsoft.com/apps/xamarin.
  4. dotPeek – Free .NET Decompiler and Assembly Browser, https://www.jetbrains.com/decompiler/.
  5. Frida analyzer, https://frida.re/docs/android/.
  6. Burp analyzer, https://portswigger.net/burp.
  7. BradyBound, https://m.apkpure.com/bradybound/com.oxplot.bradybound.
  8. Magisk, https://magiskmanager.com/.


Author information

Correspondence to Paul Patras.


Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Sanz Maroto, J., Liu, H., Patras, P. (2020). On the Struggle Bus: A Detailed Security Analysis of the m-tickets App. In: Susilo, W., Deng, R.H., Guo, F., Li, Y., Intan, R. (eds) Information Security. ISC 2020. Lecture Notes in Computer Science(), vol 12472. Springer, Cham. https://doi.org/10.1007/978-3-030-62974-8_14

  • DOI: https://doi.org/10.1007/978-3-030-62974-8_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-62973-1

  • Online ISBN: 978-3-030-62974-8