Exploiting App Differences for Security Analysis of Multi-Geo Mobile Ecosystems

Abstract

Billions of users worldwide access essential Internet services such as banking, education, and healthcare through mobile apps on their phones. This growth in mobile use is fueled by the rise of large platforms that provide a common backend infrastructure to provide free services to users. These platforms drive entire ecosystems by allowing competing app developers to integrate their apps with their shared backends for users worldwide to consume and carry out billions of dollars in transactions. However, security and privacy vulnerabilities in these widely deployed ecosystems compromise millions worldwide. This dissertation raises this question and asserts that there is, in fact, a practice gap in the security and privacy offerings of widely deployed mobile ecosystems.

This thesis presents and discusses the security analysis of two of the world's largest mobile ecosystems: (i) Google Play for app distribution and (ii) the Unified Payments Interface (UPI) for free bank-to-bank micropayments. We make significant contributions by demonstrating how security analysis and measurements of these black-box systems can be made feasible at scale even within the confines of a severely fragmented ecosystem, despite having no sophisticated tools or access to their backend infrastructure. We reverse-engineer these security-hardened ecosystems across nation-state boundaries from the point of view of an attacker (or user) having access to multiple vantage points, specifically, multiple versions of highly-rated apps integrated with these platforms.

This thesis exposes critical and foundational flaws in these mobile ecosystems that expose millions of users to significant security and privacy threats, even when using highly-rated apps from official app markets. In our study of the UPI ecosystem (which first emerged as a regional ecosystem in India for payments), we expose severe flaws in the design of UPI's multi-factor authentication protocol as well as the payment apps integrated with UPI which, when combined with region-specific vulnerabilities, can enable an attacker to remotely launch large-scale attacks even without any knowledge of its user. Our disclosures led to the Indian Government acknowledging and addressing the core vulnerabilities we found, releasing an upgraded 2.0 version of the payments infrastructure. We also obtained several CVEs for our vulnerability disclosures on payment apps.

Through our empirical investigation of thousands of highly-rated, essential apps on Google Play from vantage points in 26 countries, we show how users in some countries are at a higher risk of attack because developers selectively release apps with weaker security settings or privacy disclosures. We uncover a significant amount of geoblocking of essential apps on Google Play that disproportionately isolates some countries; we root cause the actor responsible for it. We open-source our code and dataset, the largest multi-country app dataset, to foster further research. The concerns raised by this research were acknowledged by the highest levels of Google's privacy teams and covered by over 25 news websites worldwide.

Thus, this thesis shows how complex black-box ecosystems can be analyzed end-to-end despite the barriers to measuring them. Our experience with app disclosures reveals that the vulnerabilities we uncovered may take years to resolve. We provide several actionable recommendations for platform owners and developers to address the issues we find, such as removing barriers for the security community to audit these ecosystems, vetting apps for compliance with MITRE's recommendations for app developers, and performing end-to-end testing of apps from multiple vantage points.