Research area: Infrastructure
Venue: International Journal of Information Security
Third-party payment libraries (TPLs) are widely used in Android applications to facilitate in-app transactions, yet their security implications remain largely underexplored. In this paper, we present a novel approach for the automated detection and security analysis of payment libraries in Android applications. Our tool, PayScan, employs byte-pattern analysis and heuristic scanning techniques to identify TPLs and then assesses their security posture. Additionally, the tool integrates three independent security scanners. We analyzed a dataset of 10,553 Android applications, detecting 18 payment libraries and evaluating their security and privacy risks. Our findings indicate that 71.7% of applications use outdated payment libraries, with some SDK versions being over four years old. Additionally, we identified 397 private key leaks across 212 applications. The security scanners detected over 20,000 vulnerabilities, including critical issues such as SSL misconfigurations, WebView XSS, and weak cryptographic implementations. We compare our detection approach against LibScout and LibRadar, demonstrating its practical performance in detecting payment libraries, including in obfuscated applications. This study reveals important security risks in mobile payment ecosystems and emphasizes the value of continued monitoring of third-party payment libraries. The proposed tool offers a scalable solution for detection and analysis, providing practical utility for researchers, developers, and auditors focused on financial application security.
| Publication year | 2025 |
|---|---|
| Citations | 0 |
| Publication countries | Andorra, Saudi Arabia |
| Site | Springer |
| Likes | 0 |