Breaking Ad-hoc Runtime Integrity Protection Mechanisms in Android Financial Apps

Abstract

To protect customers' sensitive information, many mobile financial applications include steps to probe the runtime environment and abort their execution if the environment is deemed to have been tampered with. This paper investigates the security of such self-defense mechanisms used in 76 popular financial Android apps in Republic of Korea. Our investigations found that existing tools fail to analyze these Android apps effectively because of their highly obfuscated code and complex, non-traditional control flows. We overcome this challenge by extracting a call graph with a self-defense mechanism, from a detailed runtime trace record of a target apps execution to generate. To generate the call graph, we use the causality between the Android APIs and system calls used for integrity checks and for alert dialogs, or to kill the app itself. Our analysis of 76 apps shows that once we obtain a causality graph, we can pinpoint methods to bypass most self-defense mechanisms. We successfully bypassed 67 out of 73 apps that check the platform integrity and 39 out of 44 apps that check the binary integrity of the host app, which shows the inefficiency of checking the integrity at the app level. We also present in-depth studies of the top five security libraries used in the aforementioned apps to provide their self-defense mechanisms and their weaknesses. Because financial mobile applications should not run during tampered runtimes, our results clearly demonstrate the necessity of a platform-level solution for integrity checks.