Around 95 per cent of the most popular African banking and financial services apps contain easily extractable secrets that could be used in scripts and bots to attack their application programming interfaces (APIs) and steal data, with devastating consequences for consumers and the institutions they trust, according to a new report from Approov, the end-to-end mobile security provider.
The Approov study investigates the prevalence of unsecured secrets in binary packages of financial Android apps in Africa, highlighting trends and disparities.
In total, 18 per cent of the apps examined exposed high-severity secrets, a classification used for exposures that could lead to unauthorised access, data breaches, and compromised user privacy.
Together, these apps account for 272 million downloads across the continent. Seventy-two per cent of them exposed medium-severity secrets: sensitive data which, if misused, could compromise the confidentiality of user data and application functionality.
Crypto apps were the most exposed category, with 33 per cent of them found to expose high-severity secrets.
By region, apps from West Africa were the most exposed to high-severity secret leakage and those from Southern Africa the least: 20 per cent of apps developed in West Africa exposed such secrets versus only six per cent of those from Southern Africa.
Even where developers use key management systems, many sensitive keys still end up embedded in Android Application Packages (APKs). These include encryption, authentication, and signing keys, as well as database credentials, OAuth secrets, and push notification keys.
Google Cloud API keys were identified in 86 per cent of the examined applications; such exposure can lead directly to account compromise. Approximately 15.3 per cent of the apps also exposed various authentication tokens, including Facebook authentication tokens.
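As an added illustration of the failure mode described above (not code from Approov or the report), the following Python script treats an APK as the zip archive it is and scans every entry for well-known secret shapes, so that a release build can be failed in CI before the app is published. The pattern list, the redaction format and the sample APK it builds in memory are constructed assumptions for this example; the `AIza` prefix is the documented public format of Google API keys.

```python
"""Pre-release secret scan for an Android APK (added example, not Approov code).

An APK is a zip archive: anything placed in assets/, a bundled .properties
or .json file, the compiled resource table (resources.arsc) or the dex
bytecode ships to every user and can be pulled out with a zip tool. This
scan decodes each entry with undecodable bytes dropped, so ASCII-shaped
keys inside binary entries still match. Caveat: strings stored as UTF-16
in a resource pool would be missed; decode such builds with apktool first.
"""
import io
import re
import zipfile

# Constructed pattern list. The "AIza" prefix is Google's documented API key
# shape (39 characters total); the other two are generic catch-alls.
SECRET_PATTERNS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "generic_secret_assignment": re.compile(
        r"(?i)(?:secret|api[_-]?key|token|password)\s*[=:]\s*['\"]?"
        r"[A-Za-z0-9_\-/+]{16,}"
    ),
}


def redact(value):
    """Keep only the ends of a match so CI logs never echo the full secret."""
    return value[:6] + "..." + value[-4:]


def scan_apk(apk_bytes):
    """Return [(entry_name, pattern_name, redacted_match), ...] for one APK."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            # errors="ignore" lets ASCII keys inside binary entries surface.
            text = apk.read(info.filename).decode("utf-8", errors="ignore")
            for name, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(text):
                    findings.append((info.filename, name, redact(match.group(0))))
    return findings


def release_gate(apk_bytes):
    """True when the APK is clean; a build pipeline would fail on False."""
    return not scan_apk(apk_bytes)


def build_sample_apk(with_secrets=True):
    """Construct a minimal in-memory APK so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", "<manifest/>")
        apk.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        if with_secrets:
            # Constructed, non-functional key in the documented Google shape.
            fake_key = "AIzaSyCONSTRUCTED" + "0" * 22
            apk.writestr("assets/config.json", '{"maps_key": "%s"}' % fake_key)
            apk.writestr("assets/app.properties",
                         "db_password=Sup3rS3cretValue123456\n")
        else:
            apk.writestr("assets/config.json", '{"maps_key": "${MAPS_KEY}"}')
    return buf.getvalue()


if __name__ == "__main__":
    for entry, kind, hit in scan_apk(build_sample_apk()):
        print("%-24s %-26s %s" % (entry, kind, hit))
    print("release allowed:", release_gate(build_sample_apk(with_secrets=False)))
```

The clean variant leaves a build-time placeholder in the config rather than a literal key; the real value should be fetched at run time from an attested backend, which is the design the report's conclusion points at.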
Ted Miracco, CEO of Approov, explained the need for enhanced security on the developer side in Africa: “This research clearly shows that as financial services become more digitised and accessible through mobile platforms across the world, the potential risks associated with the exposure of confidential information have escalated.
“Developers can no longer depend on ‘official’ app stores or on native client OS security and must ensure that end-to-end security is built into the app itself.”
Assane Gueye, an associate teaching professor at CMU-Africa and co-director of CyLab-Africa and the Upanzi Network, also discussed the need to prioritise security in the region: “In order to improve financial inclusion in Africa, big improvements need to be made to the security and resilience of financial technologies and infrastructure across the continent.
“A comprehensive survey like this one can help us to better understand the vulnerabilities that exist in order to inform policymakers, developers, and security professionals.”