Title: Revisiting Online Privacy and Security Mechanisms Applied in the In-App Payment Realm from the Consumers' Perspective
Authors: Salatiel Ezennaya-Gomez, Edgar Blumenthal, Marten Eckardt, Justus Krebs, Christopher Kuo, Julius Porbeck, Emirkan Toplu, Stefan Kiltz, J. Dittmann
DOI: 10.1145/3538969.3543786 (https://doi.org/10.1145/3538969.3543786)
Published in: Proceedings of the 17th International Conference on Availability, Reliability and Security
Publication date: 2022-08-23
Citation count: 0
Abstract
This paper presents an in-depth analysis of the network data streams produced by data gathering, in order to evaluate the current state of data protection in online payments made from smartphone applications. To this end, we apply a digital forensic methodology from previous work in the field and analyze the network traffic generated by applications during a purchase process. We revisit the results of previous work on browser-based payments and compare them to the security and privacy situation of in-app payments in 2022. We study an exemplary selection of ten mobile apps and four payment systems often used by young consumers (i.e., between 20 and 25 years old): PayPal, Google Pay, Klarna, and Visa/Mastercard credit cards. Furthermore, we examine the apps with respect to their trackers and their privacy policies. For this purpose, we use OSINT sources to perform a static analysis of the trackers and of their declared purposes as described in the privacy policies. Subsequently, we perform a dynamic analysis using a man-in-the-middle attack vector, which allows us to bypass the TLS encryption of the smartphone's HTTPS traffic and analyze the payload of the data stream. During the result analysis we repeatedly identify significant security vulnerabilities and find that applications handling sensitive data do not follow standard security recommendations and data protection regulations. Moreover, some data sharing is observed, with sensitive data passed on to third parties. The data obtained can also be used in applied settings, for example by a forensic expert during the steps of a forensic investigation in a financial crime case.
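The dynamic analysis step described above (intercepting the phone's HTTPS traffic at a proxy whose CA the device trusts, then inspecting the decrypted payloads for sensitive data and for which hosts receive it) can be partly automated. The following is an added example written for this page, not code from the paper or its authors: it takes requests in the shape an interception proxy would export after TLS termination and flags card numbers (validated with the Luhn check so that order ids and timestamps are not mistaken for PANs), e-mail addresses and sensitive field names, and marks whether the destination host belongs to the app's own domain or to a third party. The sample flows, the first-party domain `shop.example` and the tracker host `collect.tracker.example` are constructed placeholders, not real captures.

```python
"""Scan decrypted HTTPS request payloads (as exported by an interception proxy)
for sensitive data, and report which findings leave for third-party hosts.

Example written for this page; SAMPLE_FLOWS and all domains are constructed
placeholders, not captures from the paper's experiments."""
import json
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote_plus, urlparse

# Assumption for this example: the app's own registrable domains. Any other
# destination host is treated as a third party.
FIRST_PARTY_DOMAINS = {"shop.example"}

# Field names whose mere presence in a request body is worth reporting.
SENSITIVE_KEYS = {"cvv", "cvc", "cvc2", "csc", "password", "pin"}

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample: three requests a checkout flow might emit once TLS is
# terminated at the proxy (the phone must trust the proxy's CA for this to work).
SAMPLE_FLOWS = [
    {"method": "POST", "url": "https://api.shop.example/v1/checkout",
     "headers": {"Content-Type": "application/json"},
     "body": '{"pan": "4111111111111111", "expiry": "12/27", "cvv": "123", '
             '"email": "alice@example.org"}'},
    {"method": "POST", "url": "https://collect.tracker.example/event?uid=ab12",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "event=purchase&email=alice%40example.org&amount=49.90&last4=1111"},
    {"method": "GET", "url": "https://cdn.shop.example/img/logo.png",
     "headers": {}, "body": ""},
]


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, used to separate card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four so the report does not reproduce the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def is_third_party(host: str) -> bool:
    """True unless the host is one of, or a subdomain of, the first-party domains."""
    return not any(host == d or host.endswith("." + d) for d in FIRST_PARTY_DOMAINS)


def extract_fields(flow: dict) -> dict:
    """Flatten query string and body into key/value pairs (JSON and form bodies)."""
    fields = dict(parse_qsl(urlparse(flow["url"]).query))
    ctype = flow["headers"].get("Content-Type", "")
    body = flow["body"]
    if "json" in ctype and body:
        obj = json.loads(body)
        if isinstance(obj, dict):
            fields.update({k: str(v) for k, v in obj.items()})
    elif body:
        fields.update(parse_qsl(body))   # form-urlencoded; decodes %40 etc.
    return fields


def analyze_flow(flow: dict) -> Optional[dict]:
    """Return a finding for one request, or None if nothing sensitive was seen."""
    fields = extract_fields(flow)
    # Search both the parsed fields and the raw (URL-decoded) body so that
    # values nested in unparsed formats are still caught by the regexes.
    blob = " ".join(f"{k}={v}" for k, v in fields.items()) + " " + unquote_plus(flow["body"])
    pans = sorted({mask_pan(m) for m in PAN_RE.findall(blob) if luhn_valid(m)})
    emails = sorted(set(EMAIL_RE.findall(blob)))
    keys = sorted(k for k in fields if k.lower() in SENSITIVE_KEYS)
    if not (pans or emails or keys):
        return None
    return {
        "url": flow["url"],
        "third_party": is_third_party(urlparse(flow["url"]).hostname or ""),
        "pans": pans,
        "emails": emails,
        "sensitive_keys": keys,
    }


def analyze(flows: list) -> list:
    """Findings for every request that carried sensitive data."""
    return [r for r in (analyze_flow(f) for f in flows) if r is not None]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS):
        dest = "THIRD PARTY" if finding["third_party"] else "first party"
        print(f"{finding['url']} ({dest}): pans={finding['pans']} "
              f"emails={finding['emails']} keys={finding['sensitive_keys']}")
```

On the constructed sample the checkout request to the first-party API is reported for carrying a full PAN and a CVV, and the tracker request is reported as a third-party destination receiving the customer's e-mail address; the image fetch produces no finding. The Luhn filter matters in practice because order numbers and Unix timestamps in milliseconds are also 13-digit runs, and a report full of false PAN hits is quickly ignored.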