{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,11]],"date-time":"2025-09-11T18:21:01Z","timestamp":1757614861313,"version":"3.44.0"},"reference-count":38,"publisher":"Springer Science and Business Media LLC","issue":"4","license":[{"start":{"date-parts":[[2025,7,31]],"date-time":"2025-07-31T00:00:00Z","timestamp":1753920000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,7,31]],"date-time":"2025-07-31T00:00:00Z","timestamp":1753920000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2025,8]]},"abstract":"<jats:title>Abstract<\/jats:title>\n          <jats:p>Third-party payment libraries (TPLs) are widely used in Android applications to facilitate in-app transactions, yet their security implications remain largely underexplored. In this paper, we present a novel approach for automated detection and security analysis of payment libraries in Android applications. Our tool, PayScan, employs byte-pattern analysis and heuristic scanning techniques to identify TPLs and then it assesses their security posture. Additionally, the tool integrates three independent security scanners. We analyzed a dataset of 10,553 Android applications, detecting 18 payment libraries and evaluating their security and privacy risks. Our findings indicate that 71.7% of applications use outdated payment libraries, with some SDK versions being over four years old. Additionally, we identified 397 private key leaks across 212 applications. The security scanners detected over 20,000 vulnerabilities, including critical issues such as SSL misconfigurations, WebView XSS, and weak cryptographic implementations. We compare our detection approach against LibScout and LibRadar, demonstrating its practical performance in detecting payment libraries, including in obfuscated applications. This study reveals important security risks in mobile payment ecosystems and emphasizes the value of continued monitoring of third-party payment libraries. The proposed tool offers a scalable solution for detection and analysis, providing practical utility for researchers, developers, and auditors focused on financial application security.<\/jats:p>","DOI":"10.1007\/s10207-025-01105-0","type":"journal-article","created":{"date-parts":[[2025,7,31]],"date-time":"2025-07-31T03:52:45Z","timestamp":1753933965000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["PayScan: Detection and Security Analysis of Payment Libraries in Android Apps"],"prefix":"10.1007","volume":"24","author":[{"given":"Fadi","family":"Mohsen","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Manar","family":"Alohaly","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Usman","family":"Rauf","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Dominic","family":"Therattil","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Loran","family":"Oosterhaven","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2025,7,31]]},"reference":[{"key":"1105_CR1","doi-asserted-by":"publisher","first-page":"187326","DOI":"10.1109\/ACCESS.2020.3028428","volume":"8","author":"AMH Al-Hakimi","year":"2020","unstructured":"Al-Hakimi, A.M.H., BakarMdSultan, A., AbdulGhani, A.A., Ali, N.M., Admodisastro, N.I.: Hybrid obfuscation technique to protect source code from prohibited software reverse engineering. IEEE Access 8, 187326\u2013187342 (2020)","journal-title":"IEEE Access"},{"key":"1105_CR2","unstructured":"APKMirror. APKMirror: Free and Safe Android APK Downloads, 2023. Accessed: July, 2023]"},{"key":"1105_CR3","doi-asserted-by":"crossref","unstructured":"Backes, M., Bugiel, V., Derr, E.: Reliable third-party library detection in android and its security applications. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS \u201916, page 356\u2013367, New York, NY, USA, (2016). Association for Computing Machinery","DOI":"10.1145\/2976749.2978333"},{"key":"1105_CR4","doi-asserted-by":"crossref","unstructured":"Backes, M., Bugiel, V., Derr, E.: Reliable third-party library detection in android and its security applications. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS \u201916, page 356\u2013367, New York, NY, USA, (2016). Association for Computing Machinery","DOI":"10.1145\/2976749.2978333"},{"key":"1105_CR5","doi-asserted-by":"crossref","unstructured":"Bl\u00e4sing, T., Batyuk, L., Schmidt, A.-D., Camtepe, S.A., Albayrak, S.: An android application sandbox system for suspicious software detection. In 2010 5th International Conference on Malicious and Unwanted Software 55\u201362 (2010)","DOI":"10.1109\/MALWARE.2010.5665792"},{"key":"1105_CR6","doi-asserted-by":"publisher","first-page":"6361","DOI":"10.1109\/ACCESS.2017.2693388","volume":"5","author":"T Cho","year":"2017","unstructured":"Cho, T., Kim, H., Yi, J.H.: Security assessment of code obfuscation based on dynamic monitoring in android things. IEEE Access 5, 6361\u20136371 (2017)","journal-title":"IEEE Access"},{"key":"1105_CR7","doi-asserted-by":"crossref","unstructured":"Darvish, H., Husain, M.: Security analysis of mobile money applications on android. In 2018 IEEE International Conference on Big Data (Big Data), pages 3072\u20133078, (2018)","DOI":"10.1109\/BigData.2018.8622115"},{"key":"1105_CR8","unstructured":"Degenhard, J.: Smartphone users in the world 2013-2028"},{"key":"1105_CR9","doi-asserted-by":"crossref","unstructured":"Demetriou, S., Merrill, W., Yang, W., Zhang, A., Gunter, C.A.: Free for all! assessing user data exposure to advertising libraries on android. In Proceedings 2016 Network and Distributed System Security Symposium, San Diego, CA, (2016). Internet Society","DOI":"10.14722\/ndss.2016.23082"},{"key":"1105_CR10","doi-asserted-by":"crossref","unstructured":"Derr, E., Bugiel, S., Fahl, S., Acar, Y., Backes., M.: Keep me updated: An empirical study of third-party library updatability on android. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS \u201917, page 2187\u20132200, New York, NY, USA, (2017). Association for Computing Machinery","DOI":"10.1145\/3133956.3134059"},{"key":"1105_CR11","doi-asserted-by":"crossref","unstructured":"Flynn, L., Klieber, W.: Smartphone security. IEEE Pervasive Computing, 14(4), (2015)","DOI":"10.1109\/MPRV.2015.67"},{"key":"1105_CR12","doi-asserted-by":"crossref","unstructured":"Geethanjali, D., Ying, TL., Melissa, CWJ., Balachandran, V.: Aeon: Android encryption based obfuscation. In Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy, CODASPY \u201918, page 146\u2013148, New York, NY, USA, (2018). Association for Computing Machinery","DOI":"10.1145\/3176258.3176943"},{"key":"1105_CR13","doi-asserted-by":"crossref","unstructured":"Grace, MC., Zhou, W., Jiang, X., Sadeghi, AR.: Unsafe exposure analysis of mobile in-app advertisements. In Proceedings of the Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks, WISEC \u201912, page 101\u2013112, New York, NY, USA, (2012). Association for Computing Machinery","DOI":"10.1145\/2185448.2185464"},{"key":"1105_CR14","doi-asserted-by":"crossref","unstructured":"Guo, Y., Gou, Y., Chen, W., Zhang, M., Sun, D.: Defect detection of third party payment processes in android applications. In 2019 IEEE International Conference on Computation, Communication and Engineering (ICCCE), pages 67\u201370, (2019)","DOI":"10.1109\/ICCCE48422.2019.9010782"},{"key":"1105_CR15","unstructured":"Khandelwal, A., Mohapatra, AK.: An insight into the security issues and their solutions for android phones. In 2015 2nd International Conference on Computing for Sustainable Global Development (INDIACom), pages 106\u2013109, (2015)"},{"issue":"9","key":"1105_CR16","doi-asserted-by":"publisher","first-page":"981","DOI":"10.1109\/TSE.2018.2872958","volume":"46","author":"M Li","year":"2020","unstructured":"Li, M., Wang, P., Wang, W., Wang, S., Dinghao, W., Liu, J., Xue, R., Huo, W., Zou, W.: Large-scale third-party library detection in android markets. IEEE Trans. Software Eng. 46(9), 981\u20131003 (2020)","journal-title":"IEEE Trans. Software Eng."},{"key":"1105_CR17","unstructured":"Li, M., Wang, W., Wang, P., Wang, S., Wu, D., Liu, J., Xue, R., Huo, W.: Libd: Scalable and precise third-party library detection in android markets. In Proceedings - 2017 IEEE\/ACM 39th International Conference on Software Engineering, ICSE 2017, Proceedings - 2017 IEEE\/ACM 39th International Conference on Software Engineering, ICSE 2017, pages 335\u2013346, United States, July (2017). Institute of Electrical and Electronics Engineers Inc. Funding Information: ACKNOWLEDGMENTS We thank anonymous reviewers for their invaluable comments and suggestions. This research was supported in part by the National Science Foundation of China (No. 61572481, 61402471, 61472414 and 61602470), the Program of Beijing Municipal Science and Technology Commission (No. Y6C0021116), the US National Science Foundation (Grant No. CCF-1320605), and Office of Naval Research (Grant No. N00014-13-1-0175, N00014-16-1-2265, and N00014-16-1-2912). Publisher Copyright: 2017 IEEE.; 39th IEEE\/ACM International Conference on Software Engineering, ICSE 2017 ; Conference date: 20-05-2017 Through 28-05-2017"},{"key":"1105_CR18","doi-asserted-by":"crossref","unstructured":"Liu, B., Liu, B., Jin, H., Govindan, R.: Efficient privilege de-escalation for ad libraries in mobile apps. In Proceedings of the 13th Annual International Conference on Mobile Systems, Applications, and Services, MobiSys \u201915, page 89\u2013103, New York, NY, USA, (2015). Association for Computing Machinery","DOI":"10.1145\/2742647.2742668"},{"key":"1105_CR19","unstructured":"Ben Lutkevich. What is obfuscation?, 4 2021"},{"key":"1105_CR20","doi-asserted-by":"crossref","unstructured":"Ma, Z., Wang, H., Guo, Y., Chen, X.: Libradar: Fast and accurate detection of third-party libraries in android apps. 2016 IEEE\/ACM 38th International Conference on Software Engineering Companion (ICSE-C), pages 653\u2013656, (2016)","DOI":"10.1145\/2889160.2889178"},{"key":"1105_CR21","doi-asserted-by":"crossref","unstructured":"Ma, Z., Wang, H., Guo, Y., Chen, X.: Libradar: Fast and accurate detection of third-party libraries in android apps. In 2016 IEEE\/ACM 38th International Conference on Software Engineering Companion (ICSE-C), pages 653\u2013656, (2016)","DOI":"10.1145\/2889160.2889178"},{"key":"1105_CR22","unstructured":"Moonsamy, V., Batten, L.: Android applications: Data leaks via advertising libraries. In 2014 International Symposium on Information Theory and its Applications, pages 314\u2013317, (2014)"},{"key":"1105_CR23","doi-asserted-by":"crossref","unstructured":"Mos, A., Chowdhury, MM.: Mobile Security: A Look into Android, pages 638\u2013642. 2020 IEEE International Conference on Electro Information Technology (EIT). IEEE, (2020)","DOI":"10.1109\/EIT48999.2020.9208339"},{"key":"1105_CR24","doi-asserted-by":"crossref","unstructured":"Narayanan, A., Chen, L., Chan, CK.: Addetect: Automated detection of android ad libraries using semantic analysis. In 2014 IEEE Ninth International Conference on Intelligent Sensors, Sensor Networks and Information Processing (ISSNIP), pages 1\u20136, (2014)","DOI":"10.1109\/ISSNIP.2014.6827639"},{"key":"1105_CR25","doi-asserted-by":"crossref","unstructured":"Short, A., Li, F.: Android smartphone third party advertising library data leak analysis. In 2014 IEEE 11th International Conference on Mobile Ad Hoc and Sensor Systems, pages 749\u2013754, (2014)","DOI":"10.1109\/MASS.2014.131"},{"key":"1105_CR26","unstructured":"Statista. Mobile wallet transactions worldwide, 2025. Accessed: February 10, 2025"},{"issue":"5","key":"1105_CR27","doi-asserted-by":"publisher","first-page":"85","DOI":"10.1109\/MSP.2017.3681060","volume":"15","author":"P Traynor","year":"2017","unstructured":"Traynor, P., Butler, K., Bowers, J., Reaves, B.: Fintechsec: Addressing the security challenges of digital financial services. IEEE Secur. Priv. 15(5), 85\u201389 (2017)","journal-title":"IEEE Secur. Priv."},{"key":"1105_CR28","doi-asserted-by":"crossref","unstructured":"Ulqinaku, E., Stefa, J., Mei, A.: Scan-and-pay on android is dangerous. In IEEE INFOCOM 2019 - IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), pages 1\u20136, (2019)","DOI":"10.1109\/INFOCOMWKSHPS47286.2019.9093783"},{"key":"1105_CR29","doi-asserted-by":"crossref","unstructured":"Wermke, D., Huaman, N., Acar, Y., Reaves, B., Traynor, P., Fahl, S.: A large scale investigation of obfuscation use in google play. In Proceedings of the 34th Annual Computer Security Applications Conference, ACSAC \u201918, page 222\u2013235, New York, NY, USA, (2018). Association for Computing Machinery","DOI":"10.1145\/3274694.3274726"},{"key":"1105_CR30","unstructured":"42matters: Mobile sdk explorer. https:\/\/42matters.com\/sdks. (visited on 08\/29\/2022)"},{"key":"1105_CR31","unstructured":"Apkmirror: Download apks. https:\/\/www.apkmirror.com\/. (visited on 08\/29\/2022)"},{"key":"1105_CR32","unstructured":"Appbrain: Android billing libraries. https:\/\/www.appbrain.com\/stats\/libraries\/tag\/billing\/android-billing-libraries. (visited on 02\/17\/2022)"},{"key":"1105_CR33","unstructured":"Flowdroid: Static data flow tracker. https:\/\/github.com\/secure-software-engineering\/FlowDroid. (visited on 08\/29\/2022)"},{"key":"1105_CR34","unstructured":"Androwarn: Platform for android application analysis. https:\/\/github.com\/androguard\/androguard. (visited on 08\/29\/2022)"},{"key":"1105_CR35","unstructured":"Superanalyzer: Secure, unified, powerful and extensible rust android analyzer. https:\/\/superanalyzer.rocks\/. (visited on 08\/29\/2022)"},{"key":"1105_CR36","doi-asserted-by":"crossref","unstructured":"Zhan, X., Fan, L., Liu, T., Chen, S., Li, L., Wang, H., Xu, Y., Luo, X., Liu, Y.: Automated third-party library detection for android applications: are we there yet? In Proceedings of the 35th IEEE\/ACM International Conference on Automated Software Engineering, ASE \u201920, page 919\u2013930, New York, NY, USA, (2021). Association for Computing Machinery","DOI":"10.1145\/3324884.3416582"},{"key":"1105_CR37","unstructured":"Zhan, X., Liu, T., Fan, L., li\u00a0li, Chen, S., Luo, X., Liu, Y.: Research on third-party libraries in android apps: A taxonomy and comprehensive survey. IEEE Transactions on Software Engineering, pages 1\u201332, September (2021)"},{"key":"1105_CR38","doi-asserted-by":"crossref","unstructured":"Zhang, Z., Diao, W., Hu, C., Guo, S., Zuo, C., Li\u00a0Li.: An empirical study of potentially malicious third-party libraries in android apps. In Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec \u201920, page 144\u2013154, New York, NY, USA, (2020). Association for Computing Machinery","DOI":"10.1145\/3395351.3399346"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-025-01105-0.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-025-01105-0\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-025-01105-0.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,9,5]],"date-time":"2025-09-05T11:33:45Z","timestamp":1757072025000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-025-01105-0"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,7,31]]},"references-count":38,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2025,8]]}},"alternative-id":["1105"],"URL":"https:\/\/doi.org\/10.1007\/s10207-025-01105-0","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"type":"print","value":"1615-5262"},{"type":"electronic","value":"1615-5270"}],"subject":[],"published":{"date-parts":[[2025,7,31]]},"assertion":[{"value":"20 July 2025","order":1,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"31 July 2025","order":2,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"189"}}