Inferring implicit assumptions and correct usage of mobile payment protocols

Quanqi Ye; Guangdong Bai; Naipeng Dong; Jin Song Dong

doi:10.1007/978-3-319-78813-5_24

Inferring implicit assumptions and correct usage of mobile payment protocols

Quanqi Ye
, Guangdong Bai
, Naipeng Dong
, Jin Song Dong

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

2 Citations (Scopus)

Abstract

Although mobile shopping has risen rapidly as mobile devices become the dominant portal to the Internet, it remains challenging for a developer of mobile shopping Apps to implement a correct and secure payment protocol. This can be partly attributed to the misunderstanding, confusion of responsibility and implicit assumptions among multiple separate participants of the payment protocols, which involve at least users, merchants and third-party cashiers (e.g., PayPal). In addition, the documentation of the payment SDK which is written in informal natural languages is often inaccurate, ambiguous and incomplete, such that the developers might be confused. In this paper, we seek to infer the correct usage and hidden assumptions of the most commonly used mobile payment libraries, i.e., PayPal and Visa Checkout. Our approach starts with building mobile checkout systems strictly following the documents of PayPal SDK and Visa Checkout SDK. Afterwards, we propose an algorithm to automatically generate test cases embedding different attacker models to check the correctness and security of the payment procedure. During the testing, our algorithm analyzes the security violations so as to infer the correct usage of these payment libraries. Using our approach, we have successfully found several non-trivial hidden assumptions and bugs in these two payment libraries. © ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018.

Original language	English
Title of host publication	Security and Privacy in Communication Networks - 13th International Conference, SecureComm 2017, Proceedings
Publisher	Springer Verlag
Pages	469-488
Volume	238
ISBN (Print)	9783319788128
DOIs	https://doi.org/10.1007/978-3-319-78813-5_24
Publication status	Published - 2018
Externally published	Yes
Event	13th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2017 - [state] ON, Canada Duration: 22 Oct 2017 → 25 Oct 2017

Publication series

Name	Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
Volume	238
ISSN (Print)	1867-8211

Conference

Conference	13th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2017
Place	Canada
City	[state] ON
Period	22/10/17 → 25/10/17

Bibliographical note

Publication details (e.g. title, author(s), publication statuses and dates) are captured on an “AS IS” and “AS AVAILABLE” basis at the time of record harvesting from the data source. Suggestions for further amendments or supplementary information can be sent to [email protected].

Funding

We thank all the anonymous reviewers and our shepherd Dr. Xiao Zhang for their invaluable comments and guidance in revising this paper. This research is supported (in part) by the National Research Foundation, Prime Minister’s Office, Singapore under its National Cybersecurity R&D Program (Award No. NRF2014NCR-NCR001-30) and administered by the National Cybersecurity R&D Directorate.

Research Keywords

Mobile payment
Payment protocol
Protocol extraction

Access Output

10.1007/978-3-319-78813-5_24

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

Ye, Q., Bai, G., Dong, N., & Dong, J. S. (2018). Inferring implicit assumptions and correct usage of mobile payment protocols. In Security and Privacy in Communication Networks - 13th International Conference, SecureComm 2017, Proceedings (Vol. 238, pp. 469-488). (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST; Vol. 238). Springer Verlag. https://doi.org/10.1007/978-3-319-78813-5_24

Ye, Quanqi ; Bai, Guangdong ; Dong, Naipeng et al. / Inferring implicit assumptions and correct usage of mobile payment protocols. Security and Privacy in Communication Networks - 13th International Conference, SecureComm 2017, Proceedings. Vol. 238 Springer Verlag, 2018. pp. 469-488 (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST).

@inproceedings{59fdecb912ad4229bfdb1f371e37e39a,

title = "Inferring implicit assumptions and correct usage of mobile payment protocols",

abstract = "Although mobile shopping has risen rapidly as mobile devices become the dominant portal to the Internet, it remains challenging for a developer of mobile shopping Apps to implement a correct and secure payment protocol. This can be partly attributed to the misunderstanding, confusion of responsibility and implicit assumptions among multiple separate participants of the payment protocols, which involve at least users, merchants and third-party cashiers (e.g., PayPal). In addition, the documentation of the payment SDK which is written in informal natural languages is often inaccurate, ambiguous and incomplete, such that the developers might be confused. In this paper, we seek to infer the correct usage and hidden assumptions of the most commonly used mobile payment libraries, i.e., PayPal and Visa Checkout. Our approach starts with building mobile checkout systems strictly following the documents of PayPal SDK and Visa Checkout SDK. Afterwards, we propose an algorithm to automatically generate test cases embedding different attacker models to check the correctness and security of the payment procedure. During the testing, our algorithm analyzes the security violations so as to infer the correct usage of these payment libraries. Using our approach, we have successfully found several non-trivial hidden assumptions and bugs in these two payment libraries. {\textcopyright} ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018.",

keywords = "Mobile payment, Payment protocol, Protocol extraction",

author = "Quanqi Ye and Guangdong Bai and Naipeng Dong and Dong, \{Jin Song\}",

note = "Publication details (e.g. title, author(s), publication statuses and dates) are captured on an “AS IS” and “AS AVAILABLE” basis at the time of record harvesting from the data source. Suggestions for further amendments or supplementary information can be sent to [email protected].; 13th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2017 ; Conference date: 22-10-2017 Through 25-10-2017",

year = "2018",

doi = "10.1007/978-3-319-78813-5\_24",

language = "English",

isbn = "9783319788128",

volume = "238",

series = "Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST",

publisher = "Springer Verlag",

pages = "469--488",

booktitle = "Security and Privacy in Communication Networks - 13th International Conference, SecureComm 2017, Proceedings",

address = "Germany",

}

Ye, Q, Bai, G, Dong, N & Dong, JS 2018, Inferring implicit assumptions and correct usage of mobile payment protocols. in Security and Privacy in Communication Networks - 13th International Conference, SecureComm 2017, Proceedings. vol. 238, Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST, vol. 238, Springer Verlag, pp. 469-488, 13th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2017, [state] ON, Canada, 22/10/17. https://doi.org/10.1007/978-3-319-78813-5_24

Inferring implicit assumptions and correct usage of mobile payment protocols. / Ye, Quanqi; Bai, Guangdong; Dong, Naipeng et al.
Security and Privacy in Communication Networks - 13th International Conference, SecureComm 2017, Proceedings. Vol. 238 Springer Verlag, 2018. p. 469-488 (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST; Vol. 238).

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

TY - GEN

T1 - Inferring implicit assumptions and correct usage of mobile payment protocols

AU - Ye, Quanqi

AU - Bai, Guangdong

AU - Dong, Naipeng

AU - Dong, Jin Song

N1 - Publication details (e.g. title, author(s), publication statuses and dates) are captured on an “AS IS” and “AS AVAILABLE” basis at the time of record harvesting from the data source. Suggestions for further amendments or supplementary information can be sent to [email protected].

PY - 2018

Y1 - 2018

N2 - Although mobile shopping has risen rapidly as mobile devices become the dominant portal to the Internet, it remains challenging for a developer of mobile shopping Apps to implement a correct and secure payment protocol. This can be partly attributed to the misunderstanding, confusion of responsibility and implicit assumptions among multiple separate participants of the payment protocols, which involve at least users, merchants and third-party cashiers (e.g., PayPal). In addition, the documentation of the payment SDK which is written in informal natural languages is often inaccurate, ambiguous and incomplete, such that the developers might be confused. In this paper, we seek to infer the correct usage and hidden assumptions of the most commonly used mobile payment libraries, i.e., PayPal and Visa Checkout. Our approach starts with building mobile checkout systems strictly following the documents of PayPal SDK and Visa Checkout SDK. Afterwards, we propose an algorithm to automatically generate test cases embedding different attacker models to check the correctness and security of the payment procedure. During the testing, our algorithm analyzes the security violations so as to infer the correct usage of these payment libraries. Using our approach, we have successfully found several non-trivial hidden assumptions and bugs in these two payment libraries. © ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018.

AB - Although mobile shopping has risen rapidly as mobile devices become the dominant portal to the Internet, it remains challenging for a developer of mobile shopping Apps to implement a correct and secure payment protocol. This can be partly attributed to the misunderstanding, confusion of responsibility and implicit assumptions among multiple separate participants of the payment protocols, which involve at least users, merchants and third-party cashiers (e.g., PayPal). In addition, the documentation of the payment SDK which is written in informal natural languages is often inaccurate, ambiguous and incomplete, such that the developers might be confused. In this paper, we seek to infer the correct usage and hidden assumptions of the most commonly used mobile payment libraries, i.e., PayPal and Visa Checkout. Our approach starts with building mobile checkout systems strictly following the documents of PayPal SDK and Visa Checkout SDK. Afterwards, we propose an algorithm to automatically generate test cases embedding different attacker models to check the correctness and security of the payment procedure. During the testing, our algorithm analyzes the security violations so as to infer the correct usage of these payment libraries. Using our approach, we have successfully found several non-trivial hidden assumptions and bugs in these two payment libraries. © ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018.

KW - Mobile payment

KW - Payment protocol

KW - Protocol extraction

UR - https://www.scopus.com/pages/publications/85045994426

UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-85045994426&origin=recordpage

U2 - 10.1007/978-3-319-78813-5_24

DO - 10.1007/978-3-319-78813-5_24

M3 - RGC 32 - Refereed conference paper (with host publication)

SN - 9783319788128

VL - 238

T3 - Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST

SP - 469

EP - 488

BT - Security and Privacy in Communication Networks - 13th International Conference, SecureComm 2017, Proceedings

PB - Springer Verlag

T2 - 13th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2017

Y2 - 22 October 2017 through 25 October 2017

ER -

Ye Q, Bai G, Dong N, Dong JS. Inferring implicit assumptions and correct usage of mobile payment protocols. In Security and Privacy in Communication Networks - 13th International Conference, SecureComm 2017, Proceedings. Vol. 238. Springer Verlag. 2018. p. 469-488. (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST). doi: 10.1007/978-3-319-78813-5_24

Inferring implicit assumptions and correct usage of mobile payment protocols

Abstract

Publication series

Conference

Bibliographical note

Funding

Research Keywords

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

Cite this