TY - EJOU
AU - Alsaedy, Mostafa Mohamed Ahmed Mohamed
AU - Ghalwash, Haitham A.
TI - SM-AAPIV: Split Merkle Tree-Based Real-Time Android Manifest Integrity Verification for Mobile Payment Security
T2 - Journal of Cyber Security
PY - 2026
VL - 8
IS - 1
SN - 2579-0064
AB - Mobile payment applications processed trillions of dollars globally in 2024, making them extremely profitable targets for attackers exploiting Android manifest vulnerabilities. Current security solutions demonstrate critical weaknesses; previous hardware-attestation frameworks, such as SafetyNet, demonstrated susceptibility to evasion by sophisticated dynamic instrumentation tools. While the Google Play Integrity API improves upon this baseline, it adds noticeable latency overhead, and traditional code signing cannot detect runtime permission manipulations. This research introduces SM-AAPIV (Split Merkle Android Apps Permissions Integrity Verifier), a novel cryptographic framework that partitions Merkle tree verification across hardware-isolated segments using the Android Keystore, achieving 99.89% detection accuracy with sub-150 ms latency. This split architecture fundamentally transforms attack economics by requiring the simultaneous compromise of two independent hardware-backed segments combined with server-controlled dynamic challenge-response protocols. This approach increases attack complexity by several orders of magnitude compared to monolithic approaches. Comprehensive evaluation across 1850 attack scenarios demonstrates superior performance with zero false positives, while a 72-h production deployment successfully blocked 407 real-world attacks. The system supports a three-tier fallback (StrongBox, TEE, Enhanced Software), ensuring 92% compatibility across the Android ecosystem. This work advances mobile payment security by providing practical cryptographic protection deployable in current Android infrastructure.
KW - Split Merkle tree; Android Keystore; ECDH-P384; manifest integrity; mobile payments; cryptographic segmentation; challenge-response protocol; hardware-backed security; permission verification; runtime protection
DO - 10.32604/jcs.2026.077021