An Empirical Study on Mobile Payment Credential Leaks and Their Exploits

SECURITY AND PRIVACY IN COMMUNICATION NETWORKS, SECURECOMM 2021, PT II(2021)

Abstract
Recently, mobile apps have increasingly integrated with payment services, enabling the user to pay for orders through a third-party payment service provider, namely a Cashier. During the payment process, both the app and the Cashier rely on credentials to secure the service. Despite their importance, many developers tend to overlook the protection of payment credentials and inadvertently expose them to the wild. Such leaks severely affect the security of end users and of the merchants associated with the apps, resulting in privacy violations and actual financial loss. In this paper, we study payment credential leaks for four top-tier Cashiers that serve over one billion users and tens of millions of merchants globally. Through studying practical mobile payment systems, we identify new leaking sources of payment credentials and find 4 types of exploits with severe consequences, which are caused by the credential leaks together with additional implementation flaws. Besides, we design an automatic tool, PayKeyMiner, and use it to discover around 20,000 leaked payment credentials, affecting thousands of apps. We have reported our findings to the Cashiers. All of them have confirmed the issue and pledged to notify the affected merchant apps, and some of these apps have since updated the leaked payment credentials.
Keywords
Mobile payment, Payment credentials, Security testing