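Defect Detection of Third-Party Payment Processes in Android Applications
First published: 2019-01-11
Abstract: With the rapid development of mobile smart devices and the mobile Internet, mobile payment is becoming increasingly widespread. Third-party payment, the main form of mobile payment, has grown extremely quickly, and more and more applications offer payment services to users by integrating the SDKs provided by third-party payment platforms. Because the third-party payment process is relatively complex and sensitive, and application developers lack sound secure-development practices, in-app payment still faces many security problems. Focusing on the mainstream Android platform, this paper surveys the payment processes of third-party payment platforms and analyzes the security defects and security problems that can arise when application developers implement the third-party payment process. The paper divides the third-party payment process into two stages, in-app order placement and order payment, and finds that the encryption and verification of communicated information, the location where orders are generated and signed, and the location where keys are stored are all very important security factors in the process. If application developers neglect these factors, the corresponding security defects may result, leading to security problems such as order tampering, order forgery, unauthorized query and order replacement. The paper detects these security defects experimentally; the results show that third-party payment integration is fairly widespread among applications, and that many applications integrating third-party payment have security defects of varying severity.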
Keywords: Android; third-party payment; defect detection