Skip to main content
SpringerLink
Log in

Inferring Implicit Assumptions and Correct Usage of Mobile Payment Protocols

  • Conference paper
  • First Online:
Security and Privacy in Communication Networks (SecureComm 2017)

Abstract

Although mobile shopping has risen rapidly as mobile devices become the dominant portal to the Internet, it remains challenging for a developer of mobile shopping Apps to implement a correct and secure payment protocol. This can be partly attributed to the misunderstanding, confusion of responsibility and implicit assumptions among multiple separate participants of the payment protocols, which involve at least users, merchants and third-party cashiers (e.g., PayPal). In addition, the documentation of the payment SDK which is written in informal natural languages is often inaccurate, ambiguous and incomplete, such that the developers might be confused. In this paper, we seek to infer the correct usage and hidden assumptions of the most commonly used mobile payment libraries, i.e., PayPal and Visa Checkout. Our approach starts with building mobile checkout systems strictly following the documents of PayPal SDK and Visa Checkout SDK. Afterwards, we propose an algorithm to automatically generate test cases embedding different attacker models to check the correctness and security of the payment procedure. During the testing, our algorithm analyzes the security violations so as to infer the correct usage of these payment libraries. Using our approach, we have successfully found several non-trivial hidden assumptions and bugs in these two payment libraries.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 109.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 143.00
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    User of the merchant App, i.e., customer.

  2. 2.

    In this paper, we use merchant App to indicate the front-end App running on customer’s mobile device and merchant server the back-end server.

  3. 3.

    Capture is a term used in the PayPal documentation, meaning that the merchant completes/cashes the payment.

  4. 4.

    We find that this rule also applies for Visa Checkout, in which there is no immediate payment, and the merchant is required to actively capture the payment.

  5. 5.

    The portion of code that is implemented by merchant developers which is representing with a carte label in Fig. 1.

  6. 6.

    The order contains the items the user has ordered and the prices of the items.

References

  1. Create and process orders (2016). https://developer.paypal.com/webapps/developer/docs/integration/direct/create-process-order/. Accessed Aug 2016

  2. Future payments mobile integration (2016). https://github.com/paypal/PayPal-Android-SDK/blob/master/docs/future_payments_mobile.md. Accessed Aug 2016

  3. Paypal sandbox testing guide (2016). https://developer.paypal.com/docs/classic/lifecycle/ug_sandbox/. Accessed Aug 2016

  4. Authorization and Capture (2016). https://developer.paypal.com/docs/classic/admin/auth-capture/. Accessed Aug 2016

  5. Bai, G., Ye, Q., Wu, Y., Merwe, H., Sun, J., Liu, Y., Dong, J.S., Visser, W.: Towards model checking android applications. IEEE Trans. Software Eng. PP, 1 (2017)

    Article  Google Scholar 

  6. Bai, G., Lei, J., Meng, G., Venkatraman, S.S., Saxena, P., Sun, J., Liu, Y., Dong, J.S.: Authscan: automatic extraction of web authentication protocols from implementations. In: 20th Annual Network and Distributed System Security Symposium (NDSS) (2013)

    Google Scholar 

  7. Bai, G., Sun, J., Wu, J., Ye, Q., Li, L., Dong, J.S., Guo, S.: All your sessions are belong to us: investigating authenticator leakage through backup channels on android. In: 20th International Conference on Engineering of Complex Computer Systems (ICECCS), pp. 60–69. IEEE (2015)

    Google Scholar 

  8. ML Communication: Proxydroid (2017). https://play.google.com/store/apps/details?id=org.proxydroid&hl=en. Accessed 7 Aug 2017

  9. Denale, R.: U.S. census bureau news-quarterly retail e-commerce sales, 17 May 2016. https://www.census.gov/retail/mrts/www/data/pdf/ec_current.pdf. Accessed Aug 2016

  10. Jones, M., Hardt, D.: The OAuth 2.0 authorization framework: Bearer token usage. Technical report (2012)

    Google Scholar 

  11. Josefsson, S.: The base16, base32, and base64 data encodings (2006)

    Google Scholar 

  12. Meola, A.: The rise of m-commerce: mobile shopping stats and trends, December 2016

    Google Scholar 

  13. Oberheide, J., Jahanian, F.: When mobile is harder than fixed (and vice versa): demystifying security challenges in mobile environments. In: Proceedings of the Eleventh Workshop on Mobile Computing Systems and Applications, pp. 43–48. ACM (2010)

    Google Scholar 

  14. Pellegrino, G., Balzarotti, D.: Toward black-box detection of logic flaws in web applications. In: 21st Annual Network and Distributed System Security Symposium (NDSS) (2014)

    Google Scholar 

  15. Sudhodanan, A., Armando, A., Carbone, R., Compagna, L.: Attack patterns for black-box security testing of multi-party web applications. In: 23rd Annual Network and Distributed System Security Symposium (NDSS) (2016)

    Google Scholar 

  16. Sun, F., Xu, L., Su, Z.: Detecting logic vulnerabilities in e-commerce applications. In: 21st Annual Network and Distributed System Security Symposium (NDSS) (2014)

    Google Scholar 

  17. Wang, R., Chen, S., Wang, X., Qadeer, S.: How to shop for free online-security analysis of cashier-as-a-service based web stores. In: IEEE Symposium on Security and Privacy, pp. 465–480. IEEE (2011)

    Google Scholar 

  18. Wang, R., Zhou, Y., Chen, S., Qadeer, S., Evans, D., Gurevich, Y.: Explicating SDKs: uncovering assumptions underlying secure authentication and authorization. In: Presented as Part of the 22nd USENIX Security Symposium (USENIX Security 13), pp. 399–314 (2013)

    Google Scholar 

  19. Yang, W., Zhang, Y., Li, J., Liu, H., Wang, Q., Zhang, Y., Gu, D.: Show me the money! Finding flawed implementations of third-party in-app payment in android apps (2017)

    Google Scholar 

  20. Ye, Q., Bai, G., Wang, K., Dong, J.S.: Formal analysis of a single sign-on protocol implementation for android. In: 20th International Conference on Engineering of Complex Computer Systems (ICECCS), pp. 90–99. IEEE (2015)

    Google Scholar 

Download references

Acknowledgement

We thank all the anonymous reviewers and our shepherd Dr. Xiao Zhang for their invaluable comments and guidance in revising this paper. This research is supported (in part) by the National Research Foundation, Prime Minister’s Office, Singapore under its National Cybersecurity R&D Program (Award No. NRF2014NCR-NCR001-30) and administered by the National Cybersecurity R&D Directorate.

Author information

Authors and Affiliations

  1. National University of Singapore, Singapore, Singapore

    Quanqi Ye, Naipeng Dong & Jin Song Dong

  2. Singapore Institute of Technology, Singapore, Singapore

    Guangdong Bai

  3. Griffith University, Nathan, Australia

    Jin Song Dong

Authors
  1. Quanqi Ye
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Guangdong Bai
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Naipeng Dong
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Jin Song Dong
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Guangdong Bai .

Editor information

Editors and Affiliations

  1. Wilfrid Laurier University, Waterloo, Ontario, Canada

    Xiaodong Lin

  2. University of New Brunswick, Fredericton, New Brunswick, Canada

    Ali Ghorbani

  3. University at Buffalo, Buffalo, New York, USA

    Kui Ren

  4. Pennsylvania State University, Philadelphia, Pennsylvania, USA

    Sencun Zhu

  5. Anhui Normal University, Wuhu, China

    Aiqing Zhang

Rights and permissions

Reprints and permissions

Copyright information

© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Ye, Q., Bai, G., Dong, N., Dong, J.S. (2018). Inferring Implicit Assumptions and Correct Usage of Mobile Payment Protocols. In: Lin, X., Ghorbani, A., Ren, K., Zhu, S., Zhang, A. (eds) Security and Privacy in Communication Networks. SecureComm 2017. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 238. Springer, Cham. https://doi.org/10.1007/978-3-319-78813-5_24

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-78813-5_24

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-78812-8

  • Online ISBN: 978-3-319-78813-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation