An investigation of the Online Payment and Banking System Apps in Bangladesh
Shahriar Hasan Mickey, Muhammad Nur Yanhaona

TL;DR
This study analyzes 17 Bangladeshi online banking apps for security flaws using static and dynamic methods, revealing significant vulnerabilities and emphasizing the need for improved security standards adherence.
Contribution
First comprehensive security analysis of Bangladeshi online banking apps using open-source tools and manual review to identify compliance issues with global security standards.
Findings
Detected vulnerabilities in data storage and cryptography
Identified insecure network communications and unsafe WebView usage
Highlighted the need for manual review and standard compliance
Abstract
Presently, Bangladesh is expending substantial efforts to digitize its national infrastructure, with a significant emphasis on achieving this goal through mobile applications that facilitate online payments and banking system advancements. Despite the lack of knowledge about the security level of these systems, they are currently in frequent use without much consideration. To observe whether they follow the minimum globally set standards, we choose to conduct static and dynamic analysis of the applications using available open-source analyzers and open-source tools. This allows us to attempt to extract sensitive information, if possible, and determine whether the applications adhere to the MASVS standards set by OWASP. We show how we analyzed 17 APKs and an SDK using an open-source scanner and discovered security flaws in the applications, such as weaknesses related to data storage,…
Taxonomy
Topics: FinTech, Crowdfunding, Digital Finance · Microfinance and Financial Inclusion · Technology Adoption and User Behaviour
