Attack demo

Taking over the cloud backend of LoyaltyPlay

Attack Description: MistPlay is a leading play-game-to-earn platform (ranked #3 in the AppsFlyer growth index for Japan and Korea) that serves 200+ mobile games and over 1M users. Gaming apps may use its mobile library, LoyaltyPlay, to integrate the play-game-to-earn feature into their apps so as to increase user retention. We found that LoyaltyPlay leverages Amazon Kinesis Data Firehose and S3 to collect and process the gamers' streaming data, such as user id, in-game search queries, and click events. For this purpose, the LoyaltyPlay library hard-codes the AWS credentials, including the Cognito Identity Pool ID, in a resource file /res/raw/loyaltyplay_awsconfiguration.json. An attacker may use a malicious library to plug in his own credentials by overriding the resource file (Risk #1). This would automatically "redirect" the library to an AWS account owned by the attacker, leading to the complete takeover of the cloud backend.

Misleading Razorpay SDK into executing arbitrary JS code

Attack Description: Razorpay [57] is a leading online payment solution in India, which has helped over 5M businesses (including Facebook, Disney, and PizzaHut) to process customer payments. We found that the Razorpay SDK uses a resource file (res/raw/rzp_config.json) to store SDK configurations, in particular its CDN URL (https://cdn.razorpay.com). The SDK uses the hard-coded CDN URL to download a JavaScript (JS) file, otpelf.js, and then loads the JS code into a WebView for processing the online banking one-time password (OTP). An attacker can conduct the Duress attack by providing a duplicate rzp_config.json file with a fake CDN URL within his malicious library.


Opening doors for man-in-the-middle (MITM) attack

To secure the network connections of apps, Google introduced the network security config feature in Android 7.0. With this feature, developers can specify network security policies in a declarative XML configuration file, e.g., /res/xml/network_security_config.xml, without writing any code. A malicious library can compromise other libraries' policies by overriding the configuration file using Duress attacks.

HitPay is an online payment gateway for small and medium-sized businesses in Singapore. The mobile library of HitPay, i.e., com.hit-pay.terminalsdk, relies on a network security configuration to protect the network accesses made from the library. As shown in Figure 6, an important measure is to enable certificate pinning for its backend server api.hit-pay.com in order to thwart man-in-the-middle (MITM) attacks. Our study shows that a malicious library is capable of arbitrarily modifying the configuration so as to disable the certificate pinning and open the door for MITM attacks, e.g., by removing the pin set, adding a pin that contains the digest of an attacker's public key, or marking the pin set as expired.

Technical support scams on Dolyame.ru

Dolyame.ru is the first digital buy-now-pay-later service available in Russia. This service provides a mobile library called ru.tinkoff.dolyame:sdk for sellers to integrate it into their apps. We noticed that the library embeds a supportChat string (that points to WhatsApp, "https://wa.me/74997000600") in its resource file /res/raw/config.json. When there is a payment issue, the app users can follow the supportChat link to connect with technical support via WhatsApp. If an attacker overrides the supportChat value with a fake contact, he can pretend to be the legitimate support and perform phishing attacks to exfiltrate sensitive customer information such as customer name, address, purchase history, etc. Even worse, the attacker may encourage the customers to visit malicious websites and download an unwanted app to their devices. We want to highlight that, compared to traditional smishing or SMS spam, such an attack might be more convincing as it originates from a specific seller's app and targets the users of that app.
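All four demos rely on the same mechanism: two libraries in one app shipping a resource with the same identifier, so that the merged APK keeps only one copy. As an added example (not code from the paper or from any of the SDKs named above), the script below is a build-time check that lists resource identifiers claimed by more than one library in a dependency set, keyed the way Android resolves them (type/name without extension, so res/raw/config.json and res/raw/config.xml are the same resource). The directory layout assumed by scan_extracted_aars and the library ids in SAMPLE are assumptions for illustration.

```python
import os
from collections import defaultdict

# The resource types that the demos above override via same-named files.
WATCHED_TYPES = ("raw", "xml")


def resource_key(rel_path):
    """Map 'res/raw/config.json' -> 'raw/config'; None for unwatched paths.
    Android identifies a resource by type and name without extension, and a
    qualifier directory such as 'xml-v24' still belongs to type 'xml'."""
    parts = rel_path.replace("\\", "/").split("/")
    if len(parts) < 3 or parts[0] != "res":
        return None
    res_type = parts[1].split("-", 1)[0]
    if res_type not in WATCHED_TYPES:
        return None
    return f"{res_type}/{os.path.splitext(parts[-1])[0]}"


def find_collisions(libraries):
    """libraries: {library_id: [resource paths]} -> {key: sorted library ids}.
    A key claimed by two or more libraries is a candidate Duress override:
    only one copy survives resource merging, so the app must decide which."""
    owners = defaultdict(set)
    for lib, paths in libraries.items():
        for path in paths:
            key = resource_key(path)
            if key:
                owners[key].add(lib)
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


def scan_extracted_aars(root):
    """Assumed layout: one extracted AAR per subdirectory, <root>/<lib>/res/..."""
    libraries = {}
    for lib in sorted(os.listdir(root)):
        base = os.path.join(root, lib)
        paths = [os.path.relpath(os.path.join(d, f), base)
                 for d, _, files in os.walk(os.path.join(base, "res")) for f in files]
        libraries[lib] = paths
    return libraries


# Constructed sample: the resource files named on this page plus a hypothetical
# third-party library that ships same-named copies of three of them.
SAMPLE = {
    "loyaltyplay": ["res/raw/loyaltyplay_awsconfiguration.json"],
    "razorpay": ["res/raw/rzp_config.json"],
    "hitpay-terminalsdk": ["res/xml/network_security_config.xml"],
    "dolyame-sdk": ["res/raw/config.json"],
    "suspicious-analytics": ["res/raw/loyaltyplay_awsconfiguration.json",
                             "res/raw/config.xml",  # same key as config.json
                             "res/xml-v24/network_security_config.xml"],
}

if __name__ == "__main__":
    for key, libs in sorted(find_collisions(SAMPLE).items()):
        print(f"{key}: provided by {', '.join(libs)}")
```

Running the check against the real dependency set (scan_extracted_aars on the unpacked AARs) turns a silent merge-order decision into a visible finding that the app team can resolve before release.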