Detection of Integrity Attacks on Permissions of Android-Based Mobile Apps: Security Evaluation on PayPal

Document Type: Original Article

Author

Department of Management Information Systems, Faculty of Management Sciences, October University for Modern Sciences and Arts (MSA)

Abstract

The objective of this paper is to detect, in real time, unauthorized modifications to the genuine permissions of legitimate Android-based mobile apps, with a demonstration on the PayPal payment gateway mobile app. The scientific value of this work lies in providing a remedy for the lack-of-binary-protection vulnerability in Android-based mobile apps. The research was conducted on PayPal because of its widespread popularity, the reported increase in attacks targeting Android apps, and the sensitive nature of payment gateway mobile apps. This paper proposes an anti-circumvention security approach called Android Apps Permissions Integrity Verifier (AAPIV) to achieve this goal. An app's permissions are registered in the AndroidManifest.xml file inside its Android Package Kit (APK) file. AAPIV captures the AndroidManifest.xml file of a legitimate Android-based mobile app, computes its authentic, unique 256-bit hash, and stores the computed hash in its cloud-based database server. For every access request to the data stored in the database server of the mobile app service provider, the 256-bit hash of the AndroidManifest.xml file of the requesting app is captured, extracted, computed, and verified for authenticity against the one stored in AAPIV's cloud-based database server. If both hashes are identical, the access request is treated as a legitimate request from an authentic mobile app and is allowed; otherwise, the access request is denied. An experimental security evaluation was applied to the PayPal Android-based payment gateway mobile app. It demonstrated that AAPIV effectively achieved its intended objective.
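The enroll-then-verify flow described in the abstract can be sketched as follows. This is an added example, not code from the paper or from AAPIV. It assumes SHA-256 as the 256-bit hash (the abstract does not name the algorithm), uses an in-memory dictionary in place of the cloud-based database, and all names (`HashRegistry`, `manifest_hash`, `com.example.pay`) and both sample manifests are constructed for illustration.

```python
import hashlib
import hmac
import io
import zipfile

MANIFEST = "AndroidManifest.xml"
# Constructed sample manifests (real APKs store binary XML; the raw bytes are hashed either way).
GENUINE = b'<manifest package="com.example.pay"><uses-permission android:name="android.permission.INTERNET"/></manifest>'
TAMPERED = GENUINE.replace(b"</manifest>", b'<uses-permission android:name="android.permission.READ_SMS"/></manifest>')


def build_apk(manifest: bytes) -> bytes:
    """Build a minimal constructed APK (a ZIP archive) holding the given manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr(MANIFEST, manifest)
        apk.writestr("classes.dex", b"constructed placeholder")
    return buf.getvalue()


def manifest_hash(apk_bytes: bytes) -> str:
    """Extract AndroidManifest.xml from the APK and return its SHA-256 hex digest."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        if apk.namelist().count(MANIFEST) != 1:  # missing or duplicated entry
            raise ValueError("expected exactly one AndroidManifest.xml entry")
        return hashlib.sha256(apk.read(MANIFEST)).hexdigest()


class HashRegistry:
    """Stand-in (assumption) for the database of reference manifest hashes."""
    def __init__(self):
        self._ref = {}

    def enroll(self, package: str, apk_bytes: bytes) -> None:
        self._ref[package] = manifest_hash(apk_bytes)

    def verify(self, package: str, apk_bytes: bytes) -> bool:
        expected = self._ref.get(package)
        if expected is None:  # app was never enrolled: deny
            return False
        try:
            observed = manifest_hash(apk_bytes)
        except (ValueError, zipfile.BadZipFile):  # malformed archive: deny
            return False
        return hmac.compare_digest(expected, observed)  # constant-time comparison
```

Any change to the manifest bytes, including an added `uses-permission` element, yields a different digest, so `verify` denies the request; unknown packages and malformed archives are denied as well.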

Keywords