Defect Detection of Third Party Payment Processes in Android Applications

• 1、Cyberspace Security School, Beijing University of Posts and Telecommunications, Beijing 100876

Abstract：With the rapid development of mobile intelligent terminals and mobile Internet, mobile payment is becoming more and more popular. As the main way of mobile payment, third-party payment develops rapidly. More and more applications provide payment services for users by integrating third-party SDK provided by third-party payment platform. Due to the complexity and sensitivity of the third-party payment process and the lack of good security development practice by application developers, application payment still faces many security problems. Based on the mainstream Android platform, this paper investigates the payment process of the third-party payment platform, and analyses the possible security defects and security problems of the third-party payment process implemented by application developers. In this paper, the third-party payment process is divided into two stages: application order and order payment. It is found that the encryption and verification of communication information, the location of order generation and order signature, and the location of key storage are all very important security factors in the third-party payment process. If the application developer does not pay attention to these security factors, it may cause corresponding security defects, resulting in security problems such as order tampering, order forgery, unauthorized query and order replacement. This paper tests the security defects through experiments. The test results show that the integration of third-party payment function is more popular in the application. Many applications that integrate third-party payment function have different degrees of security defects.

Keywords： Android Third Party Payment Defect Detection