
Short Paper: A Longitudinal Study of Financial Apps in the Google Play Store

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10322)

Abstract

Apps in the FINANCE category constitute approximately 2% of the 2,000,000 apps in the Google Play Store. These apps handle extremely sensitive data, such as online banking credentials, budgets, salaries, investments and the like. Although apps are automatically vetted for malicious activity before being admitted to the Google Play Store, it remains unclear whether app developers themselves check their apps for vulnerabilities before submitting them to be published. Additionally, it is not known how financial apps compare to other apps in terms of dangerous permission usage or how they evolve as they are updated. We analyse 10,400 apps to understand how apps in general and financial apps in particular have evolved over the past two years in terms of dangerous permission usage and the vulnerabilities they contain. Worryingly, we discover that both financial and non-financial apps are getting more vulnerable over time. Moreover, we discover that while financial apps tend to have fewer vulnerabilities, the rate of increase in vulnerabilities in financial apps is three times that of other apps.


Notes

  1. We consider financial apps to be those apps listed in the Google Play Store under the FINANCE category.

  2. Dangerous permissions guard access to sensitive user data and must be requested by apps and approved by users before the relevant data can be accessed [3].

  3. Our app metadata is available to the research community upon request.

References

  1. AndroBugs Framework. https://github.com/AndroBugs/AndroBugs_Framework

  2. Mobile Security Framework. https://github.com/ajinabraham/Mobile-Security-Framework-MobSF

  3. Requesting Permissions. https://developer.android.com/guide/topics/permissions/requesting.html

  4. BBA: Mobile phone apps become the UK’s number one way to bank, June 2015. https://www.bba.org.uk/news/press-releases/mobile-phone-apps-become-the-uks-number-one-way-to-bank/

  5. Book, T., Pridgen, A., Wallach, D.S.: Longitudinal analysis of Android ad library permissions. arXiv preprint arXiv:1303.0857 (2013)

  6. Carbunar, B., Potharaju, R.: A longitudinal study of the Google app market. In: 2015 Proceedings of the 2015 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining, ASONAM 2015, pp. 242–249. ACM, New York (2015)


  7. Egele, M., Brumley, D., Fratantonio, Y., Kruegel, C.: An empirical study of cryptographic misuse in android applications. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, pp. 73–84. ACM, New York (2013)


  8. Fahl, S., Harbach, M., Muders, T., Baumgärtner, L., Freisleben, B., Smith, M.: Why eve and mallory love android: an analysis of android SSL (in)security. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 50–61. ACM, New York (2012)


  9. Finance Monthly. Banking and finance app usage rises 17 class customers, July 2016. http://www.finance-monthly.com/2016/07/banking-and-finance-app-usage-rises-17-amongst-affluent-middle-class-customers-sounding-a-warning-shot-for-loyalty-initiatives/

  10. Gartner: Gartner Says Emerging Markets Drove Worldwide Smartphone Sales to 15.5 Percent Growth in Third Quarter of 2015, November 2015. http://www.gartner.com/newsroom/id/3169417

  11. Google Inc., Apps And Mobile Sites: Consumption Across Finance, Retail And Travel, March 2016. https://www.thinkwithgoogle.com/intl/en-gb/research-studies/apps-and-mobile-sites-consumption-across-finance-retail-and-travel.html

  12. Lu, L., Li, Z., Wu, Z., Lee, W., Jiang, G.: CHEX: statically vetting android apps for component hijacking vulnerabilities. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 229–240 (2012)


  13. Lins, M.: Google Play Apps Crawler. https://github.com/MarcelloLins/GooglePlayAppsCrawler

  14. Nielson: Smartphones: So Many Apps, So Much Time, July 2014. http://www.nielsen.com/us/en/insights/news/2014/smartphones-so-many-apps-so-much-time.html

  15. OWASP: Projects/OWASP Mobile Security Project - Top Ten Mobile Risks. https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks

  16. Viennot, N., Garcia, E., Nieh, J.: A measurement study of Google play. In: The 2014 ACM International Conference on Measurement and Modeling of Computer Systems, SIGMETRICS 2014, pp. 221–233. ACM, New York, NY, USA (2014)


Acknowledgement

Vincent F. Taylor is supported by the UK EPSRC.


Corresponding author

Correspondence to Vincent F. Taylor.


Copyright information

© 2017 International Financial Cryptography Association

About this paper

Cite this paper

Taylor, V.F., Martinovic, I. (2017). Short Paper: A Longitudinal Study of Financial Apps in the Google Play Store. In: Kiayias, A. (eds) Financial Cryptography and Data Security. FC 2017. Lecture Notes in Computer Science, vol 10322. Springer, Cham. https://doi.org/10.1007/978-3-319-70972-7_16

  • DOI: https://doi.org/10.1007/978-3-319-70972-7_16

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-70971-0

  • Online ISBN: 978-3-319-70972-7

  • eBook Packages: Computer Science, Computer Science (R0)