Ninety-five percent of the most popular African banking and financial services apps contain easy-to-extract secrets that could pave the way for attacks and data theft, a new report has revealed.
This study, which was sponsored by end-to-end mobile security provider Approov, shows there is a high risk that confidential information could be used in scripts and bots to attack application programming interfaces (APIs) and steal data, devastating consumers and institutions.
The research was led by a team from the CyLab-Africa and Upanzi Open Digital Technologies Network initiatives in August 2023. It examined 224 financial Android applications from countries in North, Central, Eastern, Western and Southern Africa
“This research clearly shows that as financial services become more digitized and accessible through mobile platforms across the world, the potential risks associated with the exposure of confidential information have escalated,” said Ted Miracco, CEO of Approov.
He added: “Developers can no longer depend on ‘official’ app stores or on native client OS security and must ensure that end-to-end security is built into the app itself.”
Notably, 18% of the apps investigated revealed high severity secrets. A high severity classification was used for vulnerabilities that could potentially lead to unauthorised access, data breaches, and compromised user privacy. These apps together constitute a total of 272 million downloads across the continent. In addition, 72% of the apps revealed medium severity secrets that includes sensitive data.
“In order to improve financial inclusion in Africa, big improvements need to be made to the security and resilience of financial technologies and infrastructure across the continent,” said Assane Gueye, associate teaching professor at CMU-Africa and co-director of CyLab-Africa and the Upanzi Network.
Among other findings, Crypto was the most exposed type of app, with 33% of crypto apps found to expose high severity secrets. Apps deployed in West Africa were the most exposed in terms of high severity secret exposure and Southern Africa the least: 20% of apps in West Africa exposed such secrets versus only 6% in Southern Africa.
In addition, Google Cloud API keys were identified in 86% of the examined applications, which can lead directly to accounts being compromised while over 15% of the apps exposed various authentication tokens, including Facebook authentication tokens
The full report can be downloaded here
