Introduction
Mobile banking is simply the service that allows a mobile customer to use his bank account freely for different services (Pousttchi & Schurig, 2004). The success of mobile banking is due to its convenience, ease of use, ubiquity and reliability. This success means that confidential information belonging to mobile banking users is present on the device. It is therefore a requirement to secure the users' data in order to prevent a hacker from attacking and stealing sensitive data. The percentage of consumers who use mobile banking has increased over the past years and continues to grow worldwide, even in developing countries like Morocco. In fact, most banks in Morocco have added the mobile channel as an additional information channel. However, the transactional services provided to clients still have low income, even for AttijariWafa Bank and Albarid Bank, which are the leaders of mobile financial services development (Final Report Mobile financial services in Mediterranean Partner Countries, 2012). In the 2015 survey, mobile banking continued to rise, reaching 43% of mobile-phone users with bank accounts and 23% of smartphone users with bank accounts (Board Of Governors of the Federal Reserve System, 2012).
To alert users about the security and privacy ramifications of installing an application, whether banking or otherwise, Android uses Mandatory Access Control (MAC) (Paraboschi, Bacis, & Mutti, 2015), which means that at installation time an application must request permission to access system resources such as the user's location, the Internet or the cellular network. An interface is shown to the user, which allows him either to accept all the requested permissions or to cancel the installation, since it is not possible to selectively accept or refuse them. Thus, many users simply accept these authorization requests without considering their implications, which puts their private data in the danger zone. Like Android, the iOS system uses a permissions-based model for each application. The difference is that in the iOS system, the user can download an application and then decide which permissions the application can use. In Android, the user must agree to all permissions requested by the app before downloading it and cannot disable any authorization once the application is installed; the opposite is true in the iOS system (Au, Zhou, Huang, Gill, & Lie, 2011). The permissions required by an application can therefore endanger the user while using it. Mobile users are concerned but often do not understand the security risks that may be involved when making financial transactions via a mobile application because of the permissions granted to it.
In this research, we focus on Android mobile banking application permissions and their relation with Man-In-The-Mobile attacks.
In summary, in this article, we make the following contributions:
1. We describe the permissions requested during installation by mobile banking applications for the Android platform, and we show to what extent these permissions can be very dangerous for the data exchanged during the execution of banking transactions. To better explain this danger, we give as an example the attack called “Man-in-the-Phone”, which can take advantage of these permissions to perform malicious actions.
2. We show that sometimes the permissions requested by mobile banking applications have no relation to the features and services they provide. To support this idea, we compare the applications of the two leaders of mobile banking in Morocco.
3. We present the scan results for a set of around 100 applications collected from the Google Play Store. For ease and speed of the analysis task, we used our tool called “PerUpSecure”, which we developed in order to analyze the permissions requested by Android applications before authorizing their installation.
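The check behind contributions 2 and 3, as an added example that is not the PerUpSecure tool or any code from the paper: it parses the `uses-permission` entries of an AndroidManifest.xml and reports the permissions that none of the app's declared features justify. The feature-to-permission mapping, the high-risk list and the sample manifest are all assumptions constructed for this illustration.

```python
"""Audit an Android manifest for permissions not justified by the app's features.
Added example; the mappings below are assumptions, not the paper's own rules."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed: which permissions each banking feature plausibly needs.
FEATURE_PERMISSIONS = {
    "online_banking": {"android.permission.INTERNET",
                       "android.permission.ACCESS_NETWORK_STATE"},
    "branch_locator": {"android.permission.ACCESS_FINE_LOCATION",
                       "android.permission.ACCESS_COARSE_LOCATION"},
    "cheque_deposit": {"android.permission.CAMERA"},
    "call_support": {"android.permission.CALL_PHONE"},
}

# Assumed: permissions whose misuse exposes transaction data or one-time codes.
HIGH_RISK = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS", "android.permission.SYSTEM_ALERT_WINDOW",
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> tags."""
    root = ET.fromstring(manifest_xml)
    return {e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission")}


def audit(manifest_xml, features):
    """Compare requested permissions with those the declared features justify."""
    requested = requested_permissions(manifest_xml)
    justified = set().union(*(FEATURE_PERMISSIONS[f] for f in features))
    unjustified = requested - justified
    return {"unjustified": sorted(unjustified),
            "high_risk": sorted(unjustified & HIGH_RISK)}


# Constructed sample manifest for a hypothetical banking app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    # The app only offers online banking and a branch locator.
    print(audit(SAMPLE_MANIFEST, ["online_banking", "branch_locator"]))
```

Running the block reports RECEIVE_SMS and READ_CONTACTS as unjustified and high-risk, which is the kind of mismatch between requested permissions and offered features that the comparison in contribution 2 looks for.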