An investigation of the Online Payment and Banking System Apps in Bangladesh
- URL: http://arxiv.org/abs/2407.07766v1
- Date: Wed, 10 Jul 2024 15:43:45 GMT
- Title: An investigation of the Online Payment and Banking System Apps in Bangladesh
- Authors: Shahriar Hasan Mickey, Muhammad Nur Yanhaona,
- Abstract summary: Bangladesh is expending substantial efforts to digitize its national infrastructure.
Despite the lack of knowledge about the security level of these systems, they are currently in frequent use without much consideration.
- Score: 0.0
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Presently, Bangladesh is expending substantial efforts to digitize its national infrastructure, with a significant emphasis on achieving this goal through mobile applications that facilitate online payments and banking system advancements. Despite the lack of knowledge about the security level of these systems, they are currently in frequent use without much consideration. To observe whether they follow the minimum global set standards, we choose to conduct static and dynamic analysis of the applications using available open-source analyzers and open-source tools. This allows us to attempt to extract sensitive information, if possible, and determine whether the applications adhere to the standards of MASVS set by OWASP. We show how we analyzed 17 .apks and a SDK using open source scanner and discover security flaws to the applications, such as weaknesses related to data storage, vulnerable cryptographic elements, insecure network communications, and unsafe utilization of WebViews, detected by the scanner. These outputs demonstrate the need for extensive manual analysis of the application through source code review and dynamic analysis. We further implement reverse engineering and dynamic approach to verify the outputs and expose some applications do not comply with the standard method of network communication. Moreover, we attempt to verify the rest of the potential vulnerabilities in the next phase of our ongoing investigation.
Related papers
- Static Detection of Filesystem Vulnerabilities in Android Systems [18.472695251551176]
We present PathSentinel, which overcomes the limitations of previous techniques by combining static program analysis and access control policy analysis.
By unifying program and access control policy analysis, PathSentinel identifies attack surfaces accurately and prunes many impractical attacks.
To streamline vulnerability validation, PathSentinel leverages large language models (LLMs) to generate targeted exploit code.
arXiv Detail & Related papers (2024-07-15T23:10:52Z) - "Glue pizza and eat rocks" -- Exploiting Vulnerabilities in Retrieval-Augmented Generative Models [74.05368440735468]
Retrieval-Augmented Generative (RAG) models enhance Large Language Models (LLMs)
In this paper, we demonstrate a security threat where adversaries can exploit the openness of these knowledge bases.
arXiv Detail & Related papers (2024-06-26T05:36:23Z) - Securing the Open RAN Infrastructure: Exploring Vulnerabilities in Kubernetes Deployments [60.51751612363882]
We investigate the security implications of and software-based Open Radio Access Network (RAN) systems.
We highlight the presence of potential vulnerabilities and misconfigurations in the infrastructure supporting the Near Real-Time RAN Controller (RIC) cluster.
arXiv Detail & Related papers (2024-05-03T07:18:45Z) - Using Program Knowledge Graph to Uncover Software Vulnerabilities [0.0]
A knowledge graph constructed with information extracted from the system along with the desired security behavior can be utilized to identify complex security vulnerabilities hidden underneath the systems.
We present a novel approach of using Program Knowledge Graph that is embedded with fine-grained execution information of the systems.
arXiv Detail & Related papers (2023-12-08T03:38:43Z) - Finding Vulnerabilities in Mobile Application APIs: A Modular Programmatic Approach [0.0]
Application Programming Interfaces (APIs) are becoming increasingly popular to transfer data in a variety of mobile applications.
These APIs often process sensitive user information through their endpoints, which are potentially exploitable due to developer mis implementation.
This paper created a custom, modular endpoint vulnerability detection tool to analyze information leakage in various mobile Android applications.
arXiv Detail & Related papers (2023-10-22T00:08:51Z) - Not what you've signed up for: Compromising Real-World LLM-Integrated
Applications with Indirect Prompt Injection [64.67495502772866]
Large Language Models (LLMs) are increasingly being integrated into various applications.
We show how attackers can override original instructions and employed controls using Prompt Injection attacks.
We derive a comprehensive taxonomy from a computer security perspective to systematically investigate impacts and vulnerabilities.
arXiv Detail & Related papers (2023-02-23T17:14:38Z) - AdvCat: Domain-Agnostic Robustness Assessment for Cybersecurity-Critical
Applications with Categorical Inputs [29.907921481157974]
robustness against adversarial attacks is one of the key trust concerns for Machine Learning deployment.
We propose a provably optimal yet highly efficient adversarial robustness assessment protocol for a wide band of ML-driven cybersecurity-critical applications.
We demonstrate the use of the domain-agnostic robustness assessment method with substantial experimental study on fake news detection and intrusion detection problems.
arXiv Detail & Related papers (2022-12-13T18:12:02Z) - VELVET: a noVel Ensemble Learning approach to automatically locate
VulnErable sTatements [62.93814803258067]
This paper presents VELVET, a novel ensemble learning approach to locate vulnerable statements in source code.
Our model combines graph-based and sequence-based neural networks to successfully capture the local and global context of a program graph.
VELVET achieves 99.6% and 43.6% top-1 accuracy over synthetic data and real-world data, respectively.
arXiv Detail & Related papers (2021-12-20T22:45:27Z) - Dos and Don'ts of Machine Learning in Computer Security [74.1816306998445]
Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance.
We identify common pitfalls in the design, implementation, and evaluation of learning-based security systems.
We propose actionable recommendations to support researchers in avoiding or mitigating the pitfalls where possible.
arXiv Detail & Related papers (2020-10-19T13:09:31Z) - Survey of Network Intrusion Detection Methods from the Perspective of
the Knowledge Discovery in Databases Process [63.75363908696257]
We review the methods that have been applied to network data with the purpose of developing an intrusion detector.
We discuss the techniques used for the capture, preparation and transformation of the data, as well as, the data mining and evaluation methods.
As a result of this literature review, we investigate some open issues which will need to be considered for further research in the area of network security.
arXiv Detail & Related papers (2020-01-27T11:21:05Z) - A Content-Based Deep Intrusion Detection System [12.590415345079995]
We propose a framework, called deep intrusion detection (DID) system, that uses the pure content of traffic flows in addition to traffic metadata.
To this end, we deploy and evaluate an offline IDS following the framework using LSTM as a deep learning technique.
arXiv Detail & Related papers (2020-01-14T19:08:57Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.