The report focuses on secrets used and protected by financial mobile apps, particularly API keys. These keys serve to identify and validate apps when interacting with third-party APIs. Our study investigates the prevalence of unsecured secrets in binary packages of financial Android apps in Africa, highlighting trends and disparities.
Our analysis uncovered a concerning trend: despite security guides emphasizing the protection of sensitive keys, and although developers may employ key management systems, many sensitive keys still end up in Android Application Packages (APKs). These include encryption, authentication, and signing keys, as well as database credentials, OAuth secrets, push notification keys, and more.
This highlights a critical issue in the industry's approach to handling secret keys during app development. There's an urgent need to raise awareness among developers and security teams about effective secret management within version control and Android app binary packages.
About CyLab-Africa
The CyLab-Africa initiative is a collaboration between Carnegie Mellon University’s CyLab Security and Privacy Institute and Carnegie Mellon University Africa. The initiative aims to improve the cybersecurity of digital systems in Africa and other emerging economies. CMU-Africa, located in Kigali, Rwanda, is the only U.S. research university offering its master’s degrees with a full-time faculty, staff, and operations in Africa. The institution, part of Carnegie Mellon’s College of Engineering, is addressing the critical shortage of high-quality engineering talent required to accelerate the economic transformation of the African continent.
© 2023 Approov Limited