
Approov’s report exposes risks in 95% of top African banking apps, emphasizing high-severity secrets and vulnerabilities threatening data security and user privacy.

According to a new report from Approov, the end-to-end mobile security provider, easy-to-extract secrets are present in about 95% of the most widely used African banking and financial services apps. These secrets could be used in scripts and bots to attack APIs and steal data, devastating consumers and the institutions they trust.

The Approov study looks into trends and differences in the frequency of unprotected secrets in binary packages of financial Android apps in Africa.

Of the apps examined for this report, 18% disclosed high-severity secrets. Vulnerabilities with the potential to result in unauthorised access, data breaches, and compromised user privacy were classified as high-severity.

Furthermore, across the continent, these applications have been downloaded 272 million times combined, and 72% of them have disclosed medium-severity secrets that contain sensitive information. These secrets might jeopardise the privacy of user information and the functionality of the app if they were made public.

Moreover, with 33% of crypto applications found to leak these “high-severity” secrets, crypto ranked as the most vulnerable app category.

By region, the highest level of high-severity secret exposure was found in apps built in West Africa. Southern Africa had the lowest exposure, with only 6% of apps from there revealing such secrets, compared to 20% of apps built in West Africa.


“End-to-end security needs to be integrated into the app itself by developers”

Even with key management methods used by developers, a large number of critical keys still find their way into Android Application Packages (APKs). These keys include push notification keys, OAuth secrets, database credentials, and keys for encryption, authentication, and signing.

Finally, Google Cloud API keys were found in 86% of the apps that were analysed. Such exposure may result in immediate account breach. About 15.3% of the apps disclosed authentication tokens, Facebook authentication tokens among them.

“This research clearly shows that as financial services become more digitised and accessible through mobile platforms across the world, the potential risks associated with the exposure of confidential information have escalated,” said Ted Miracco, CEO of Approov, in explaining the need for increased security on the developer side in Africa.

“Developers must make sure that end-to-end security is built into the app itself, as they can no longer rely on native client OS security or ‘official’ app stores.”

The necessity to prioritise security in the area was also brought up by Assane Gueye, an associate teaching professor at CMU-Africa, co-director of CyLab-Africa, and the Upanzi Network. Gueye stated that significant advancements in the security and resilience of financial technologies and infrastructure throughout the continent are imperative for enhancing financial inclusion in Africa.

“We can better identify the vulnerabilities that exist by conducting thorough surveys like this one, which will enlighten policymakers, developers, and security professionals.”
