Vulnerability Testing in Online Shopping Android Applications

The usage of utility applications has increased with the upsurge of the smartphone industry and developer companies. The number of smartphone users worldwide was 1.86 billion in 2015 and is forecast to reach 2.87 billion by the year 2020 [1]. About 38% of the world's population is expected to use smartphones by 2020, up from 10% in 2011. According to a study conducted by Kaspersky Lab [2], Bangladesh is ranked 2nd in the percentage of mobile users attacked by malware, at 36.25%. Application development for the Android platform has become very easy in recent years, and young enthusiasts with a small team can design and deploy working apps on the Google Play store. Often the development is handled by amateurs whose previous experience is meager considering the existing threats to the security and integrity of the information stored in those apps. On top of that, such apps are designed for the mass of users who are also not aware of the vulnerabilities or of the harm they can cause. This is what lures malicious program developers to collect valuable information including personal details, financial activities, government information, etc. As far as mobile payment apps such as shopping apps are concerned, they hold not only personal information but in some cases also handle financial transactions. It is not mandatory to comprehensively test apps before publishing them. A survey [3] was conducted among developers to understand how they approach the overall testing of applications. It found that developers spend 58.18% of their testing time on manual testing, which often fails to be accurate. Most of them lack the time to conduct automated testing, which in turn results in compromised security. According to CVE Details [4], there have been 1,383 Android vulnerabilities recorded in 2017 so far. Payment activity alone accounts for 25% of the total vulnerable activities [5].
There have been many works regarding different vulnerabilities and attacks on Android applications. Luo et al. [6] claimed that 86% of the top 20 most downloaded applications use WebView, which can lure the user to visit malicious webpages through the WebView component. Many Android applications do not implement HTTPS, which leaves the connection insecure and in turn paves the way for man-in-the-middle attacks. [7] pointed out that this is due to developers' ignorance, server misconfigurations, issues with the library or the protocol, or simply a lack of awareness among users. They also proposed multiple solutions to this problem. Despite everything, vulnerabilities exist, putting end users at risk.

Here, our work is directed towards finding some common vulnerabilities in existing shopping apps using popular tools. We have selected sixteen online shopping apps for testing. The reason we have specifically picked the online shopping category is that these apps contain a user's sensitive personal data. On top of that, many users share their credit card details without being aware of the security issues. According to AppBrain's Android statistics [8], among 90,449 shopping apps in Google Play, 3,598 apps have more than 50,000 downloads. Any of these apps being vulnerable puts a vast number of users at risk. For testing, we selected not only popular apps that are used worldwide but also some apps that were developed in Bangladesh. We have chosen four popular tools for testing the apps; together these tools can test for all of the vulnerabilities discussed. Our results show that vulnerabilities exist in almost all the apps. Even though the Shopping category ranks fifteenth in terms of number of apps in Google Play [8], people use these apps in their day-to-day life, so their security cannot be ignored. According to the latest UPS report [9], 96% of regular online shoppers use a retailer's app on their smartphones. This number cannot be ignored, especially when security is a concern. Our purpose, therefore, is to raise developers' awareness so that they can fix the issues and give more attention to improving the security of their apps.

A number of vulnerability testing platforms are available over the internet. The common purpose of these tools is to analyze apps and check their overall security condition. Each tool performs two types of analysis: static analysis and dynamic analysis. Static analysis examines the source code (or decompiled bytecode) of the application without executing the program. Dynamic analysis runs the app and observes its behaviour: process activity, network traffic, and file and API access. Static analysis tools often give false positives, meaning that a possibly identified vulnerability might not be a vulnerability at all; dynamic analysis, on the other hand, can only observe code paths that are actually exercised during the run. For these reasons we used tools that perform both static and dynamic analysis. The tools combine the reports generated by both analyses and provide overall findings. In our work we used the following four tools to check for vulnerabilities:
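To make the static half of the analysis concrete, the following added example (written for this edit, not code from the paper or from any of the four tools) scans an Android manifest and a Java source file for two of the weaknesses discussed above: cleartext HTTP endpoints that open the door to man-in-the-middle attacks, and risky WebView configuration. Both sample inputs are constructed for the demo, and the rule names are this example's own. It also shows the false-positive problem the paragraph mentions: a naive search for `http://` flags the manifest's XML namespace URL, which is an identifier, not a network endpoint, so the scanner keeps a small allow-list for such strings. Real tools work on the decompiled APK rather than on Java text, but the rule logic is the same.

```python
"""Toy static scanner: cleartext HTTP and WebView misconfiguration (added example)."""
import re
from dataclasses import dataclass

# Constructed sample inputs for the demo; not taken from any app tested in the paper.
SAMPLE_MANIFEST = '''<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shop">
    <application android:usesCleartextTraffic="true">
    </application>
</manifest>
'''

SAMPLE_SOURCE = '''
public class CheckoutActivity extends Activity {
    static final String API = "http://api.example-shop.test/v1/checkout";
    static final String CDN = "https://cdn.example-shop.test/img/";
    void setup(WebView wv) {
        wv.getSettings().setJavaScriptEnabled(true);
        wv.addJavascriptInterface(new PayBridge(), "pay");
    }
}
'''


@dataclass(frozen=True)
class Finding:
    rule: str      # short rule identifier (names chosen for this example)
    line: int      # 1-based line number in the scanned text
    evidence: str  # the matched text


# http:// strings that are XML namespace identifiers, not network endpoints.
NAMESPACE_PREFIXES = ("http://schemas.android.com/", "http://www.w3.org/")


def find_cleartext_urls(text, ignore_namespaces=True):
    """Flag http:// string literals. With ignore_namespaces=False the scan is a
    plain grep and also reports the manifest namespace: a classic false positive."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in re.finditer(r'http://[^\s"\'<>]+', line):
            url = m.group(0)
            if ignore_namespaces and url.startswith(NAMESPACE_PREFIXES):
                continue
            findings.append(Finding("CLEARTEXT_URL", lineno, url))
    return findings


def find_manifest_risks(manifest):
    """usesCleartextTraffic="true" opts the whole app out of the cleartext block."""
    findings = []
    for lineno, line in enumerate(manifest.splitlines(), 1):
        if re.search(r'android:usesCleartextTraffic\s*=\s*"true"', line):
            findings.append(Finding("CLEARTEXT_TRAFFIC_ALLOWED", lineno, line.strip()))
    return findings


WEBVIEW_RULES = (
    ("WEBVIEW_JS_ENABLED", re.compile(r"setJavaScriptEnabled\s*\(\s*true\s*\)")),
    # Exposes Java methods to page JavaScript; on devices below API 17 this
    # allowed arbitrary code execution from any page loaded in the WebView.
    ("WEBVIEW_JS_INTERFACE", re.compile(r"addJavascriptInterface\s*\(")),
)


def find_webview_risks(source):
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for rule, pattern in WEBVIEW_RULES:
            m = pattern.search(line)
            if m:
                findings.append(Finding(rule, lineno, m.group(0)))
    return findings


def scan(manifest, source):
    """Run every rule over one manifest and one source file; sorted by rule, then line."""
    findings = (find_manifest_risks(manifest) + find_cleartext_urls(manifest)
                + find_cleartext_urls(source) + find_webview_risks(source))
    return sorted(findings, key=lambda f: (f.rule, f.line))


if __name__ == "__main__":
    for f in scan(SAMPLE_MANIFEST, SAMPLE_SOURCE):
        print(f"{f.rule:26} line {f.line:3}  {f.evidence}")
```

Running the scan reports four findings: the manifest-wide cleartext opt-in, the `http://` checkout endpoint, JavaScript enabled on the WebView, and the exposed JavaScript interface; the `https://` CDN URL and the namespace URL are not reported. Note what static analysis cannot tell you here: whether `API` is ever used at runtime, or whether the WebView only ever loads trusted pages. That is the gap dynamic analysis (intercepting the app's actual traffic and WebView loads) is meant to fill, and why the tools in the next section combine both.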


A. AndroBugs
AndroBugs Framework is an efficient Android vulnerability scanner that helps developers or hackers find potential security vulnerabilities in Android applications. Its key features are checking for coding flaws, detecting dangerous shell commands, checking the app's security protection, testing cloud connections, and detecting the absence of good coding practices.

B. IBM Bluemix
IBM Bluemix is a cloud platform as a service (PaaS) developed by IBM; the application scanning used here is provided by the IBM Security AppScan service hosted on it. The platform supports several programming languages and services as well as integrated DevOps to build, run, deploy and manage applications on the cloud.

C. Ostorlab
Ostorlab scans the Android application and gives a detailed security report. It runs the application inside a controlled environment and observes its interactions with APIs, the network, files, etc. to detect risky behaviors.

D. Quixxi
Quixxi analyzes the security of an application and provides a comprehensive report on its vulnerabilities. After scanning for vulnerabilities, Quixxi can also safeguard the app's data and manage and optimize apps using machine learning.

Researchers have proposed various security mechanisms to prevent threats in Android applications. Google provides some basic measures to validate app integrity and security, and Android itself has built-in security features that can reduce the risk to the user if implemented correctly. Yet Android apps remain a frequent target of attack. Bad data storage practices, malware, lack of proper encryption, and improper use of permissions in the code all contribute to application vulnerability. In this paper, we have discussed and detected the selected vulnerabilities in online shopping apps, since these apps contain very sensitive data. All of the apps appeared to have one or more vulnerabilities. The necessary fixes should be made to close these weaknesses and defend against the attacks.