CDF: An Empirical Analysis of the Abuse Reporting Eco-System and Proposed Changes for More Robust Reporting

CDF: An Empirical Analysis of the Abuse Reporting Eco-System and Proposed Changes for More Robust Reporting CDF Membership: PayPal CDF Additional Core Project: PayPal The goal of this project is to deliver (1) an automated system that can detect misuses and security vulnerabilities in the usage of payment gateway APIs in mobile apps and (2) a report of running the tool on a corpus of over two million Android applications. In the first phase of the project, we need to create the ground truth about how developers and merchants utilize payment APIs in their apps. A number of payment gateways, such as Stripe and Braintree, will be considered while selecting the apps. Then, qualified apps from different categories and markets that use those payment gateways will be selected. We will create static analyses to run against the selected apps to find the configuration under which the apps are requesting and performing payment transactions. The aim of this process is to develop a better understanding of how real-world merchants and developers are integrating the payment capabilities into their apps and what security measures they are following to be compliance with PCI standards. There are more than two dozen payment gateways, and the aim of this phase is to develop a broader perspective of how the mobile payment gateways are providing their services to the merchants and how they differ in terms of security measures that they implement. There are two types of payment gateways: hosted payment gateways and integrated (non-hosted) payment gateways. The focus of this project is to study integrated payment gateways. The objective is to build an abstract model of how apps are utilizing payment gateway APIs, so that the model can be applied to all payment gateway APIs. Merchants and developers should comply with PCI DSS, and in this step, using the results and findings from previous phases, we will develop a unified threat model. We will create this threat model by studying the ecosystem and how entities in mobile payment ecosystem interact with one another. We will also identify risks associated with apps that use payment gateway API integration, such as, other apps on the device that leverage vulnerabilities in the app to access sensitive card data, or apps that lack the correct security measures that could lead to attackers sniffing the traffic and stealing sensitive information. Based on the threat model that we will establish, we will analyze and decode apps to identify potentially malicious apps and vulnerable apps that fit the model. At this step, we will form a set of experiments based on the threats we found and run them on the selected apps. After cre- ating and running the analysis, we will create a set of experiments that best detect the potential security flaws and vulnerabilities that exist in mobile applications that use payment gateways. The final phase of the project is to automate the procedure of detecting payment API mis- uses. We will build a tool that takes an app, or a set of apps, with payment gateway integration, analyzes the apps, and reports on the potential misuses or vulnerabilities in the app. For this project, we will leverage our dataset of two million Android apps that we have crawled from the Google Play store. In this way, we can run experiments that shed light on how the real-world apps on the market are integrating with payment gateway APIs. To tackle the real-world problems we need to collaborate with PayPal to better understand and identify real-world threats and challenges in the ecosystem and try to find their footprints in the app market.