Impact Factor (2025): 6.9
DOI Prefix: 10.47001/IRJIET
In response to the Central Bank of Sri Lanka's (CBSL) regulations governing mobile payment applications across various scenarios, this research introduces "MOBY GUARD," an Autonomous CBSL Mobile Security Compliance Solution. CBSL mandates compliance for new mobile payment services, service modifications, security breaches, CBSL-initiated assessments, payment gateway provider assessments, and general regulatory alignment. Traditionally, mobile application vendors developed their applications and then engaged external organizations to assess compliance with the CBSL guidelines, which in turn permitted publication on platforms such as the Google Play Store. MOBY GUARD presents an alternative approach that enables the owners of payment-related mobile applications to perform CBSL security compliance assessments autonomously. This eliminates third-party involvement and reduces time and cost overheads. By enabling in-house security checks, MOBY GUARD allows more frequent and thorough security evaluations. Focusing on Android applications published on the Google Play Store, the project addresses 86 CBSL compliance requirements and prioritizes the three most critical ones. These components encompass root detection, code integrity checks, SSL pinning, and Smali code modifications. This approach proactively strengthens the security of payment-related mobile applications while streamlining the compliance process.
Country: Sri Lanka
IRJIET, Volume 7, Issue 11, November 2023 pp. 57-62