Most African banking and Fintech apps vulnerable to bot exploitation, study shows
By Puja Sharma
Approov-sponsored survey of 224 Android apps finds exposed secrets that can be used to reveal personal and financial data
Approov, the end-to-end mobile security provider, released a report showing that 95% of the most popular African banking and financial services apps contain easy-to-extract secrets, which could be used in scripts and bots to attack application programming interfaces (APIs) and steal data, devastating consumers and the institutions they trust.
This report describes research by a team from the CyLab-Africa and Upanzi Open Digital Technologies Network initiatives in August 2023, sponsored by Approov: 224 financial Android applications were selected from countries in North, Central, Eastern, Western and Southern Africa and were downloaded and investigated.
CyLab-Africa, located in Kigali, Rwanda, is a collaboration between Carnegie Mellon University’s CyLab Security and Privacy Institute and Carnegie Mellon University Africa. Upanzi is an Africa-based network of research labs that focuses on creating, testing, innovating and assisting in implementing digital technologies at scale, such as identity, payments, cybersecurity, cloud computing, data governance, artificial intelligence and machine learning, and influencing technology policy recommendations to support the digital transformation of low- and middle-income countries (LMICs).
The study draws comparisons between other regions and Africa, pinpointing trends, commonalities, and disparities pertaining to the exposure of secret keys in a mobile application’s binary package.
“This research clearly shows that as financial services become more digitized and accessible through mobile platforms across the world, the potential risks associated with the exposure of confidential information have escalated,” said Ted Miracco, CEO of Approov. “Developers can no longer depend on ‘official’ app stores or on native client OS security and must ensure that end-to-end security is built into the app itself.”
Notably, 18% of the apps investigated revealed high severity secrets. A high severity classification was used for vulnerabilities that could potentially lead to unauthorized access, data breaches, and compromised user privacy. These apps together constitute a total of 272 million downloads across the continent with 72% of the apps revealing medium severity secrets that encompass sensitive data. If exposed, they could potentially compromise the confidentiality of user data and application functionality.
“In order to improve financial inclusion in Africa, big improvements need to be made to the security and resilience of financial technologies and infrastructure across the continent,” noted Assane Gueye, associate teaching professor at CMU-Africa and co-director of CyLab-Africa and the Upanzi Network. “A comprehensive survey like this one can help us to better understand the vulnerabilities that exist in order to inform policymakers, developers, and security professionals.”
Key findings:
- Over 95% of fintech apps across Africa immediately expose valuable, exploitable secrets.
- Approximately 272 million users have downloaded apps that inadvertently reveal sensitive, high-risk secret keys.
- Crypto was the most exposed type of app, with 33% of crypto apps found to expose high severity secrets.
- Apps deployed in West Africa were the most exposed in terms of high severity secret exposure and Southern Africa the least: 20% of apps in West Africa exposed such secrets versus only 6% in Southern Africa.
- Google Cloud API keys were identified in 86% of the examined applications. Such exposure can lead directly to accounts being compromised.
- Approximately 15.3% of the apps exposed various authentication tokens, including Facebook authentication tokens.
IBSi FinTech Journal
- Most trusted FinTech journal since 1991
- Digital monthly issue
- 60+ pages of research, analysis, interviews, opinions, and rankings
- Global coverage
Other Related News
December 10, 2024