Threat Model: Mobile SDK & Application
| Owner | Classification | Review Date | Status |
|---|---|---|---|
| Security | Confidential | April 2027 | Draft |
Scope
This threat model covers the Simpaisa Mobile SDK (iOS and Android) and the Simpaisa mobile application surface. It includes: SDK distribution and integrity, runtime API communication, local data storage, certificate pinning, deep linking, push notification handling, and the mobile-to-gateway trust relationship. It does not cover the API Gateway layer — see Threat Model: API Gateway & Platform.
Architecture Overview
| Component | Platform | Trust Zone | Exposure |
|---|---|---|---|
| Simpaisa Mobile SDK | iOS / Android | Untrusted (device) | Distributed via App Store / Play Store / direct embed |
| Merchant app (SDK host) | iOS / Android | Untrusted (device) | Merchant-controlled; embeds Simpaisa SDK |
| Local secure storage | iOS Keychain / Android Keystore | Untrusted (device) | Device-local; OS-protected |
| API Gateway | KrakenD (cloud) | Trusted (cloud) | HTTPS only; certificate pinned in SDK |
| Push notification service | APNs / FCM | Semi-trusted (third party) | Apple / Google infrastructure |
| Deep link handler | iOS Universal Links / Android App Links | Untrusted (device) | URL-based; registered domains only |
Trust Boundaries
| Boundary | Description | Controls |
|---|---|---|
| SDK distribution → Device | SDK package delivered via package manager or direct download | Code signing; checksums; App Store / Play Store integrity checks |
| Device → API Gateway | SDK makes HTTPS API calls to Simpaisa cloud | Certificate pinning; TLS 1.3; JWT authentication |
| Device → Local storage | SDK reads/writes tokens and session data | iOS Keychain / Android Keystore; no plaintext storage |
| APNs/FCM → Device | Push notifications delivered via Apple/Google | Payload encryption; notification content minimisation |
| Deep link → App | External URL triggers in-app navigation | Registered domain verification; parameter validation |
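The Device → API Gateway boundary relies on certificate pinning (ADR-MOBILE-118) with a pin rotation mechanism, and MOB-S-01 below records that it is bypassable on rooted devices. The following is an added example, not the Simpaisa SDK's implementation, showing the pin-set logic an SDK applies on each TLS handshake: a pin is the base64 SHA-256 of the DER-encoded SubjectPublicKeyInfo (the `sha256/...` form used by OkHttp and Android's network security config), any certificate in the presented chain may satisfy the pin set, a pre-published backup pin allows key rotation without an app update, and an expiry date on the pin set stops a stale config from locking users out. The host name, expiry date and the SPKI byte strings are constructed for the example; a real caller would extract the SPKI from the presented certificate chain.

```python
"""Pin-set verification for a mobile SDK (added example, not Simpaisa code)."""
import base64
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Sequence


def spki_pin(spki_der: bytes) -> str:
    """Pin string for a DER-encoded SubjectPublicKeyInfo: 'sha256/' + base64(SHA-256)."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


@dataclass(frozen=True)
class PinSet:
    host: str
    pins: FrozenSet[str]   # at least one current pin plus one pre-published backup pin
    expires: date          # after this date pinning is no longer enforced for the host


class PinningError(Exception):
    """Raised when a chain presents no pinned key; the SDK must abort the connection."""


def verify_chain(host: str, chain_spki: Sequence[bytes],
                 pin_sets: Sequence[PinSet], today: date) -> str:
    """Return "pinned", "expired" or "unpinned"; raise PinningError on a mismatch.

    "expired" follows the behaviour of Android's network security config pin-set
    expiration: the connection falls back to ordinary CA validation instead of
    bricking the app, and the SDK should report the event so the config is refreshed.
    """
    pin_set = next((p for p in pin_sets if p.host == host), None)
    if pin_set is None:
        return "unpinned"               # host not in config: CA validation only
    if today > pin_set.expires:
        return "expired"                # stale pin set: do not lock users out
    presented = {spki_pin(spki) for spki in chain_spki}
    if presented & pin_set.pins:        # any certificate in the chain may match
        return "pinned"
    raise PinningError(f"no pinned public key in the chain presented for {host}")


# Constructed stand-ins for real SPKI DER blobs (only their hashes matter here).
CURRENT_KEY = b"constructed-spki-current-key"
BACKUP_KEY = b"constructed-spki-backup-key"
PROXY_KEY = b"constructed-spki-intercepting-proxy"

# Constructed pin configuration for a hypothetical API host.
PIN_SETS = [
    PinSet(
        host="api.simpaisa.example",
        pins=frozenset({spki_pin(CURRENT_KEY), spki_pin(BACKUP_KEY)}),
        expires=date(2027, 4, 30),
    )
]


if __name__ == "__main__":
    today = date(2026, 1, 1)
    print(verify_chain("api.simpaisa.example", [CURRENT_KEY], PIN_SETS, today))   # pinned
    print(verify_chain("api.simpaisa.example", [BACKUP_KEY], PIN_SETS, today))    # pinned (rotated)
    try:
        verify_chain("api.simpaisa.example", [PROXY_KEY], PIN_SETS, today)
    except PinningError as exc:
        print("rejected:", exc)
```

On a rooted or jailbroken device the attacker can patch `verify_chain` itself, which is why the register pairs pinning with root detection and records the residual risk as medium rather than low; the check above only raises the cost of interception on an unmodified device.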
STRIDE Threat Register
Spoofing
| ID | Threat | Target | Attack Vector | Impact | Likelihood | Risk | Mitigating Controls | Residual Risk |
|---|---|---|---|---|---|---|---|---|
| MOB-S-01 | Certificate pinning bypass | API communication | Attacker installs proxy certificate (e.g. Burp Suite) on rooted/jailbroken device to intercept HTTPS traffic | API credential theft; transaction data interception | Medium | 🟠 High | Certificate pinning (ADR-MOBILE-118); jailbreak/root detection; pin rotation mechanism for emergency re-pin | Medium — pinning bypassable on rooted devices |
| MOB-S-02 | Fake Simpaisa SDK distribution | SDK supply chain | Attacker publishes a malicious package with a similar name to the Simpaisa SDK on npm/CocoaPods/Maven | Merchant app compromise; credential harvesting at scale | Low | 🔴 Critical | Published package signing; official registry namespacing; integrity checksums published in docs; version pinning guidance to merchants | Medium |
| MOB-S-03 | Deep link hijacking | In-app navigation | Malicious app registers the same URL scheme and intercepts Simpaisa deep links (e.g. payment callbacks) | Payment flow hijack; user redirected to attacker UI | Medium | 🟠 High | iOS Universal Links / Android App Links (ADR-MOBILE-122) — domain-verified, not URL-scheme based; fallback parameter validation | Low |
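MOB-S-03 lists "fallback parameter validation" alongside domain-verified Universal Links / App Links. The following is an added example, not code from the Simpaisa SDK or ADR-MOBILE-122, of what that validation looks like for a payment callback link: the URL must be `https`, the host must exactly equal a registered domain (no subdomains, no userinfo or port tricks), the path must be a known callback path, and every query parameter must appear exactly once with the expected shape. The registered domain, the `/callback` path and the `ref` / `status` parameter names are constructed for this example.

```python
"""Fallback validation of an incoming payment deep link (added example, not Simpaisa code)."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed configuration: the domain the app has verified for Universal Links /
# App Links, the only path that may trigger payment navigation, and the value
# shapes the callback parameters are allowed to take.
REGISTERED_DOMAINS = frozenset({"pay.simpaisa.example"})
ALLOWED_PATHS = frozenset({"/callback"})
REF_PATTERN = re.compile(r"[0-9a-f]{24}")
ALLOWED_STATUS = frozenset({"success", "failed", "cancelled"})


@dataclass(frozen=True)
class PaymentCallback:
    reference: str
    status: str   # UI hint only; the app must confirm the outcome with the API


def parse_payment_deep_link(url: str) -> Optional[PaymentCallback]:
    """Return a validated callback, or None for any link the app should ignore."""
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a non-numeric port
    except ValueError:
        return None
    # Reject custom URL schemes (which any app can register) and anything but https.
    if parts.scheme != "https":
        return None
    # Reject userinfo and explicit ports: https://pay.simpaisa.example@evil.example/
    # has hostname evil.example, but refusing userinfo outright is simpler to audit.
    if parts.username is not None or parts.password is not None or port is not None:
        return None
    # Exact host match: look-alike subdomains such as pay.simpaisa.example.evil.example
    # or evil.pay.simpaisa.example are not registered and must not be trusted.
    if parts.hostname is None or parts.hostname.lower() not in REGISTERED_DOMAINS:
        return None
    if parts.path not in ALLOWED_PATHS:
        return None
    # Every parameter must be present exactly once, with no extras.
    params = parse_qs(parts.query, keep_blank_values=True)
    if set(params) != {"ref", "status"}:
        return None
    if len(params["ref"]) != 1 or len(params["status"]) != 1:
        return None
    ref, status = params["ref"][0], params["status"][0]
    if REF_PATTERN.fullmatch(ref) is None or status not in ALLOWED_STATUS:
        return None
    return PaymentCallback(reference=ref, status=status)


if __name__ == "__main__":
    good = "https://pay.simpaisa.example/callback?ref=0123456789abcdef01234567&status=success"
    print(parse_payment_deep_link(good))
    print(parse_payment_deep_link("simpaisa://callback?ref=0123456789abcdef01234567&status=success"))
```

Even a link that passes every check only tells the app which transaction to look at; the `status` value is never shown as the result of the payment until the app has fetched the authoritative state from the API over the pinned connection.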
Tampering
| ID | Threat | Target | Attack Vector | Impact | Likelihood | Risk | Mitigating Controls | Residual Risk |
|---|---|---|---|---|---|---|---|---|
| MOB-T-01 | SDK binary tampering / repackaging | SDK binary | Attacker decompiles, modifies (e.g. removes security checks), and redistributes the SDK | Security bypass; merchant app compromise | Low | 🟠 High | Code obfuscation; runtime integrity check (hash of own binary); code signing validation; Play Integrity API / DeviceCheck | Medium |
| MOB-T-02 | Local storage tampering | Cached tokens / session | On a rooted device, attacker reads or modifies tokens stored in app sandbox | Session hijack; replayed authentication | Medium | 🟠 High | iOS Keychain / Android Keystore for all sensitive data (STD-MOBILE-123); short-lived tokens; server-side session validation | Medium — Keystore/Keychain not foolproof on rooted devices |
| MOB-T-03 | Push notification payload tampering | Push notifications | Network attacker modifies push notification payload in transit to trigger fraudulent in-app action | User tricked into confirming fraudulent transaction | Low | 🟡 Medium | Push notifications carry only event IDs, not action data; app fetches authoritative data from API on notification receipt (ADR-MOBILE-120); TLS on APNs/FCM | Low |
Repudiation
| ID | Threat | Target | Attack Vector | Impact | Likelihood | Risk | Mitigating Controls | Residual Risk |
|---|---|---|---|---|---|---|---|---|
| MOB-R-01 | User denies in-app payment authorisation | Transaction consent | User claims they did not authorise a payment initiated via the mobile app | Chargeback; fraud claim; reputational damage | Medium | 🟠 High | Device biometric or PIN confirmation required for payment; server-side consent record with device fingerprint and timestamp; audit trail (ADR-SECURITY-048) | Low |
Information Disclosure
| ID | Threat | Target | Attack Vector | Impact | Likelihood | Risk | Mitigating Controls | Residual Risk |
|---|---|---|---|---|---|---|---|---|
| MOB-I-01 | Reverse engineering to extract API keys or secrets | SDK binary | Attacker decompiles SDK to extract hardcoded API endpoints, keys, or cryptographic constants | API key compromise; attack surface mapping | High | 🔴 Critical | No hardcoded secrets in SDK; all keys fetched at runtime post-authentication; code obfuscation; certificate pinning to prevent proxy inspection | Medium |
| MOB-I-02 | Screen capture / accessibility service data leakage | UI layer | Malicious app with accessibility permissions captures screen content during payment flow | Card or account data exposure | Medium | 🟠 High | FLAG_SECURE on payment screens (Android); prevent screenshots on sensitive views (iOS); sensitive field masking | Low |
| MOB-I-03 | Clipboard data leakage | Payment data input | User copies card or account number; malicious app reads clipboard | Card data or account number exposure | High | 🟠 High | Clear clipboard after SDK input fields; restrict paste in secure input fields; Android 13+ clipboard access notifications | Low |
| MOB-I-04 | Debug log data leakage in production builds | Application logs | Debug logging inadvertently left enabled in production; logs contain PII or tokens | PII breach; token exposure via device logs | Medium | 🟠 High | ProGuard/R8 strips log calls in release builds; CI gate checks for debug log statements; STD-MOBILE-123 prohibits PII in logs | Low |
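MOB-I-04 relies on a CI gate that checks for debug log statements, and on STD-MOBILE-123's prohibition of PII in logs. The following is an added example of such a gate, not the project's own CI tooling: it scans Kotlin and Swift source lines for debug-level logging calls (`Log.d`/`Log.v`, `println`, `print`, `NSLog`, `debugPrint`), skips comment lines, and separately flags any logging call whose line mentions a sensitive field name such as a token, PAN, CVV, OTP or PIN. The two source files it runs over are constructed for the example, and the sensitive-name list is a heuristic starting point rather than a complete PII taxonomy.

```python
"""CI gate for debug logging and sensitive data in logs (added example, not Simpaisa tooling)."""
import re
from typing import Dict, List, NamedTuple

# Debug-level calls that must not reach a release build.
DEBUG_LOG = re.compile(
    r"\b(?:Log\.[dv]|System\.out\.print(?:ln)?|println|print|NSLog|debugPrint)\s*\("
)
# Any logging call at all, used for the sensitive-data rule.
ANY_LOG = re.compile(
    r"\b(?:Log\.[dviwe]|System\.out\.print(?:ln)?|println|print|NSLog|debugPrint|os_log)\s*\("
)
# Heuristic names of values that must never appear in a log line.
SENSITIVE = re.compile(r"(?i)\b(?:token|jwt|pan|card_?number|cvv|otp|password|pin)\b")


class Finding(NamedTuple):
    path: str
    line: int
    rule: str      # "debug-log" or "sensitive-in-log"
    text: str


def scan_sources(sources: Dict[str, str]) -> List[Finding]:
    """Scan {path: source text} and return every violating line."""
    findings: List[Finding] = []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            stripped = line.strip()
            if stripped.startswith(("//", "/*", "*")):
                continue                      # commented-out code is not shipped
            if DEBUG_LOG.search(line):
                findings.append(Finding(path, lineno, "debug-log", stripped))
            if ANY_LOG.search(line) and SENSITIVE.search(line):
                findings.append(Finding(path, lineno, "sensitive-in-log", stripped))
    return findings


def ci_gate(sources: Dict[str, str]) -> bool:
    """True when the build may proceed, False when any finding exists."""
    return not scan_sources(sources)


# Constructed sample sources exercising each rule.
SAMPLE_SOURCES = {
    "PaymentViewModel.kt": """\
package com.example.sdk
import android.util.Log
class PaymentViewModel {
    fun authorise(token: String, pan: String) {
        Log.d(TAG, "authorising with token=$token")
        // Log.d(TAG, "commented out")
        Log.i(TAG, "authorise called")
        Log.e(TAG, "declined for pan=${pan.takeLast(4)}")
    }
}
""",
    "CheckoutView.swift": """\
import Foundation
func confirm(otp: String) {
    print("entered otp \\(otp)")
    os_log("confirm tapped")
}
""",
}


if __name__ == "__main__":
    for finding in scan_sources(SAMPLE_SOURCES):
        print(f"{finding.path}:{finding.line} [{finding.rule}] {finding.text}")
    print("gate passed" if ci_gate(SAMPLE_SOURCES) else "gate failed")
```

The gate complements, rather than replaces, stripping log calls with R8: R8 only removes calls it is told have no side effects, so a line that formats a token into a string before logging it is caught here at review time instead of being relied on to disappear at build time.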
Denial of Service
| ID | Threat | Target | Attack Vector | Impact | Likelihood | Risk | Mitigating Controls | Residual Risk |
|---|---|---|---|---|---|---|---|---|
| MOB-D-01 | SDK crash injection via malformed push payload | Push notification handler | Attacker crafts a malformed APNs/FCM payload that triggers an unhandled exception and crashes the host app | Merchant app crashes on all user devices simultaneously | Low | 🟠 High | Strict push payload schema validation; crash-safe notification handler; payload size and type enforcement | Low |
| MOB-D-02 | Forced SDK update loop | SDK version enforcement | If minimum-version enforcement is too aggressive, a misconfigured rollout blocks all users from transacting | Merchant checkout unavailable | Low | 🟡 Medium | Graceful degradation on version mismatch; staged rollout with canary; rollback capability | Low |
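MOB-T-03 and MOB-D-01 describe the same handler from two angles: the push payload carries only an event ID and type, never action data (ADR-MOBILE-120), the handler validates size, keys and value types strictly, and no malformed payload may propagate an exception into the host app. The following is an added example of that handler, not the Simpaisa SDK's code; the JSON schema (`type` and `event_id` keys), the event types, the event ID format and the `fetch_event` callback standing in for the authenticated API client are all constructed for this example.

```python
"""Event-ID-only push notification handling (added example, not Simpaisa code)."""
import json
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

MAX_PAYLOAD_BYTES = 512                                            # constructed limit
ALLOWED_TYPES = frozenset({"payment.updated", "session.expired"})  # constructed
EVENT_ID_RE = re.compile(r"evt_[0-9a-f]{16}")                      # constructed format


@dataclass(frozen=True)
class EventRef:
    event_type: str
    event_id: str


class PayloadRejected(ValueError):
    """The payload does not match the schema; it is dropped, never acted on."""


def parse_push_payload(raw: bytes) -> EventRef:
    """Strict schema validation: exactly two string keys, bounded size, known values."""
    if len(raw) > MAX_PAYLOAD_BYTES:
        raise PayloadRejected("payload exceeds size limit")
    try:
        data = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:   # JSONDecodeError is a ValueError
        raise PayloadRejected(f"payload is not valid JSON: {exc}") from None
    if not isinstance(data, dict) or set(data) != {"type", "event_id"}:
        raise PayloadRejected("payload must contain exactly 'type' and 'event_id'")
    event_type, event_id = data["type"], data["event_id"]
    if not isinstance(event_type, str) or event_type not in ALLOWED_TYPES:
        raise PayloadRejected("unknown event type")
    if not isinstance(event_id, str) or EVENT_ID_RE.fullmatch(event_id) is None:
        raise PayloadRejected("malformed event id")
    return EventRef(event_type, event_id)


@dataclass
class HandlerStats:
    handled: int = 0
    rejected: int = 0
    fetch_failed: int = 0
    reasons: list = field(default_factory=list)   # for local diagnostics, not logs


def handle_push(raw: bytes, fetch_event: Callable[[EventRef], Dict],
                stats: HandlerStats) -> Optional[Dict]:
    """Crash-safe entry point: returns authoritative event data or None, never raises."""
    try:
        ref = parse_push_payload(raw)
    except Exception as exc:              # nothing in a push may take the host app down
        stats.rejected += 1
        stats.reasons.append(str(exc))
        return None
    try:
        event = fetch_event(ref)          # the API, not the push, is the source of truth
    except Exception as exc:
        stats.fetch_failed += 1
        stats.reasons.append(f"fetch failed: {exc}")
        return None
    stats.handled += 1
    return event


# Constructed stand-in for the authenticated API: what the app would fetch.
FAKE_API = {
    "evt_0123456789abcdef": {"event_id": "evt_0123456789abcdef",
                             "status": "authorised", "amount_minor": 1250},
}


def lookup_event(ref: EventRef) -> Dict:
    return FAKE_API[ref.event_id]         # KeyError for unknown ids is contained above


if __name__ == "__main__":
    stats = HandlerStats()
    ok = b'{"type":"payment.updated","event_id":"evt_0123456789abcdef"}'
    print(handle_push(ok, lookup_event, stats))
    tampered = b'{"type":"payment.updated","event_id":"evt_0123456789abcdef","action":"confirm","amount":"99999"}'
    print(handle_push(tampered, lookup_event, stats), stats)
```

Because the payload names only which event to look at, a network attacker who alters it can at most make the app fetch a different event it already owns, or nothing at all; the amount and action the user is asked to confirm always come from the API response.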
Elevation of Privilege
| ID | Threat | Target | Attack Vector | Impact | Likelihood | Risk | Mitigating Controls | Residual Risk |
|---|---|---|---|---|---|---|---|---|
| MOB-E-01 | SDK permission escalation in host app | Host app permissions | SDK requests excessive permissions (camera, contacts, location) that the host app must grant, exposing attack surface beyond payment use case | User privacy violation; App Store / Play Store rejection | Low | 🟡 Medium | SDK declared permissions limited to payment use case only; documented permission manifest; App Store / Play Store review process | Low |
| MOB-E-02 | Jailbreak / root exploit to access SDK internals | Runtime environment | Attacker runs SDK on jailbroken/rooted device to bypass security controls and access Keychain/Keystore data | Token theft; bypass of biometric enforcement | Medium | 🟠 High | Jailbreak/root detection (STD-MOBILE-123); degrade to stepped-up authentication on detected compromise; server-side anomaly detection on device fingerprint | Medium — detection is bypassable by sophisticated attackers |
Risk Summary
| Risk Level | Count | Threats |
|---|---|---|
| 🔴 Critical | 2 | MOB-S-02, MOB-I-01 |
| 🟠 High | 9 | MOB-S-01, MOB-S-03, MOB-T-01, MOB-T-02, MOB-R-01, MOB-I-02, MOB-I-03, MOB-I-04, MOB-D-01, MOB-E-02 |
| 🟡 Medium | 3 | MOB-T-03, MOB-D-02, MOB-E-01 |