This is a Guest Blog written by the CyLab-Africa team : Theoneste Byagutangaza, Lena Chacha, Trevor Henry Chiboora, Joel Jefferson Musiime and George McGregor from Approov.
This week, we published a new report: “The Security Challenges of Financial Mobile Apps in Africa”. This is based on research carried out by a research team from CyLab-Africa, sponsored by Approov. The research reveals an alarming Fintech exposure in Africa – 95% of the apps investigated leak secrets! The full report is published on the Approov website here and is essential reading for any mobile app developers who are planning worldwide deployment.
The Use of Mobile Finance Applications Across Africa
The adoption of mobile applications for financial services is experiencing a remarkable surge in Africa, with double digit growth in mobile money transactions across the continent in recent years. A recent study by the GSMA and the Bill and Melinda Gates Foundation found that in 2022, out of a total of 1.6bn mobile money accounts registered worldwide, 791m of these were in Africa.
The widespread adoption of mobile banking and payment solutions has provided unparalleled convenience and accessibility to under served populations, promoting financial inclusion and reducing barriers to economic progress.
However as financial services become more digitized and accessible through mobile platforms, the potential risks associated with the exposure of confidential information have escalated. In fact, mobile application developers and security professionals have less and less control over the way apps are used and the client environments in which they are deployed. They can no longer depend on “official” app stores or on native client OS security and must ensure that end-to-end security is built into the app itself.
It is imperative to understand and address these security concerns to ensure the safeguarding of both user data and the integrity of financial systems.
CyLab-Africa
The CyLab-Africa initiative, a collaboration between Carnegie Mellon University’s CyLab Security and Privacy Institute and Carnegie Mellon University Africa, aims to improve the cybersecurity of digital systems in Africa and other emerging economies.
CMU-Africa was established in 2011 through a partnership between Carnegie Mellon and the Government of Rwanda. CMU-Africa is the only U.S. research university offering its master’s degrees with a full-time faculty, staff, and operations in Africa. The institution, part of Carnegie Mellon’s College of Engineering, is addressing the critical shortage of high-quality engineering talent required to accelerate the economic transformation of the African continent.
Approov and CyLab-Africa Collaboration
In the spring of 2023 Approov started discussions about possible collaborations with Carnegie Mellon University in the field of cybersecurity. It didn't take long to realize that the CyLab-Africa team and Approov had a shared interest in understanding and improving the state of mobile app security, and a partnership was born!
It's been a busy summer for us, using a variety of tools and techniques to do a deep dive on the security of a large number of financial apps across the continent. Although this particular research is focused on Africa, we do believe that it can contribute to the security of mobile applications worldwide, and our intent is that the report will provide valuable guidance for policymakers, developers, and security professionals, and aid in the formulation of targeted strategies to enhance the security posture of financial applications on a global scale.
The Research
Testing methodologies such as OWASP MASVS (which we have applied to mobile apps in other research) provide a framework which can be used to establish the security of mobile applications. In order to ensure security, a series of safety measures must be in place to verify the authenticity of users, ensure the utilization of an unaltered mobile application version, guarantee the integrity of the device in use, establish a secure communication channel directly connecting to the API server, and enforce exclusive access to the API solely through authorized means. These facets collectively represent the potential entry points exploited by malicious actors seeking to compromise the system's security of the android applications.
The focus of the report is on the use and protection of secrets by financial mobile apps. When mobile apps interact with third-party APIs, the process entails registering and obtaining a unique key (API key). This key serves a dual purpose: it identifies the app to the backend API and validates the legitimacy of the requesting app, thereby establishing a clear link between the requesting entity and the API backend. The risk is that if these keys are stolen they can be abused.
We investigated the prevalence of unsecured secrets in binary packages of financial Android applications used in Africa, where secrets included passwords, Application Programming Interface (API) keys and private keys for cryptographic operations.
Drawing inspiration from a prior investigation conducted by Approov Mobile Security in the USA and Europe as well as previous research we have performed, our study seeks to draw comparisons between those regions and Africa, pinpointing trends, commonalities, and disparities pertaining to the exposure of secret keys in mobile application’s binary package.
224 financial android applications were sampled from across Africa and downloaded between the 27th of July and 4th of August 2023.
The chosen apps originated from a broad spectrum of subcategories, including but not limited to mobile banking, payment & money transfer, trading & investment, cryptocurrency, mobile money, personal finance, and government service apps.
Summary of the Findings
Numerous guides on security best practices discuss the extraction of sensitive information from code and suggest key management systems to prevent sensitive keys from ending up in version control systems. However, numerous keys were found in the reverse engineered Android Application Packages (APKs) which may imply that developers may use key management systems but ultimately the keys find their way into the binary package.
Unfortunately, the spectrum of secret keys found in the research extends across encryption keys for securing sensitive data, authentication keys for accessing services, and signing keys for verifying data authenticity. Additionally, database credentials, OAuth client secrets, push notification keys, code push keys, payment gateway secrets, encryption initialization vectors, license keys, and sensitive configuration settings were found.
The analysis revealed a concerning trend in the industry's approach to handling secret keys in application development. The results emphasize the urgent need to create awareness among developers and security test teams on secret management in version control and Android applications binary packages.
Register here to download a copy of the report.
