Encryption, authentication, and signing keys are often exposed in mobile fintech apps used across Africa, according to researchers at Approov, who found passwords, application programming interface (API) keys, and cryptographic private keys when they reverse-engineered the most commonly used apps.
Risky Mobile Business
Approov examined the top 10 apps based on revenue and downloads. The fintech apps included those offering loans, mobile banking, P2P money transfer, investment, and cryptocurrency services.
Trevor Henry Chiboora, research associate at CyLab-Africa, which conducted the study along with Approov, says some of the apps surveyed are used exclusively within Africa, and some are geolocked to regions within Africa. He also confirmed all the apps were downloaded from the Google Play Store.
The crypto apps were determined to be the worst when it comes to security, with 33.3% of them rated as high risk and 53.3% as medium risk.
Secrets in the high-risk category are considered extremely dangerous if exposed, as they include private keys, keys for payment or transfer services, and “authentication” or “attestation” keys. Researchers said the exposure of these secrets could potentially lead to unauthorized access, data breaches, and compromised user privacy.
The medium-risk category secrets include sensitive data that, if exposed, could potentially compromise the confidentiality of user data and application functionality. Although not as critical as the high-severity secrets, the compromise of these secrets could still have significant repercussions.
Chiboora says there is neglect across the board when it comes to the levels of security in the apps, but crypto apps have a larger user base and geographical coverage than most other categories.
The research found 22.2% of personal finance apps were rated as high risk and 66.7% as medium risk. Payment and transfer apps were next worst, with 19.1% rated as high risk and 76.6% as medium risk. Of the 224 applications examined, only 5.4% revealed no secrets.
The Secret Key Is Exposed
To do the analysis, the researchers collected each app’s ID, downloaded the Android Application Packages (APKs) with an automated script, then reverse-engineered the apps and scanned them for risky items.
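The scan step above is the same check a development team can run on its own build before publishing. The following is an added example, not the Approov or CyLab-Africa tooling: it walks a decompiled app tree (constructed inline here, in the layout a decompiler would produce) and flags hard-coded secrets, tiering them the way the article does (private and authentication/attestation keys high, cloud/API keys and passwords medium). The regexes, file paths, and sample values are assumptions chosen for the demonstration, and the reported previews are redacted so the scan output never re-leaks a secret.

```python
"""Pre-release secret scan over a decompiled Android app tree.

Added example, not the researchers' own tooling. It assumes the APK has
already been unpacked into text files (as apktool or jadx would do); the
tree below is constructed inline so the script runs offline.
"""
import re
from dataclasses import dataclass

# Secrets turn up as  KEY = "value", key: 'value', key=value (properties)
# or <string name="key">value</string> (Android XML); _DELIM skips to the
# delimiter and _VALUE captures the value with a minimum length.
_DELIM = r".{0,20}?[\"'>=]\s*"
_VALUE = r"([^\s\"'<>]{%d,})"

# (kind, risk tier, regex). Tiers follow the article's categories. The
# regexes are an illustrative assumption, not a complete detection set.
PATTERNS = [
    ("private_key_pem", "high",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("auth_or_attestation_key", "high",
     re.compile(r"(?i)(?:attest(?:ation)?|auth(?:entication)?)[a-z_]*key\b"
                + _DELIM + _VALUE % 8)),
    ("aws_access_key_id", "medium",
     re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("generic_api_key", "medium",
     re.compile(r"(?i)api[_-]?key\b" + _DELIM + _VALUE % 16)),
    ("hardcoded_password", "medium",
     re.compile(r"(?i)password\b" + _DELIM + _VALUE % 4)),
]

RISK_ORDER = {"high": 2, "medium": 1}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    risk: str
    preview: str  # redacted value; the full secret is never stored


def redact(value: str) -> str:
    """Keep only a short prefix so a report cannot re-leak the secret."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_file(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, pattern) match in a single file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, risk, regex in PATTERNS:
            m = regex.search(line)
            if m:
                secret = m.group(1) if m.groups() else None
                preview = redact(secret) if secret else "<key material>"
                findings.append(Finding(path, line_no, kind, risk, preview))
    return findings


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """Scan a {relative path: file text} mapping, paths in sorted order."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_file(path, files[path]))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per risk tier."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.risk] = counts.get(f.risk, 0) + 1
    return counts


def rate_app(findings: list[Finding]) -> str:
    """Overall rating: the worst tier present, or "none" if the tree is clean."""
    if not findings:
        return "none"
    return max((f.risk for f in findings), key=RISK_ORDER.__getitem__)


# Constructed sample tree; values are placeholders, not real credentials.
SAMPLE_APP = {
    "res/values/strings.xml": (
        '<resources>\n'
        '    <string name="app_name">DemoPay</string>\n'
        '    <string name="api_key">AIzaSyEXAMPLEEXAMPLEEXAMPLEEXAMPLE01</string>\n'
        '    <string name="password_hint">Enter your password</string>\n'
        '</resources>\n'
    ),
    "sources/com/example/demopay/Config.java": (
        'package com.example.demopay;\n'
        'public final class Config {\n'
        '    static final String ATTESTATION_KEY = "att_EXAMPLE_0123456789abcdef";\n'
        '    static final String DB_PASSWORD = "hunter22";\n'
        '    static final String AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";\n'
        '}\n'
    ),
    "assets/payment.pem": (
        '-----BEGIN RSA PRIVATE KEY-----\n'
        'MIIEpAIBAAKCAQEAexample...\n'
        '-----END RSA PRIVATE KEY-----\n'
    ),
    "sources/com/example/demopay/Main.java": 'public class Main {}\n',
}

if __name__ == "__main__":
    results = scan_tree(SAMPLE_APP)
    for f in results:
        print(f"[{f.risk:6}] {f.path}:{f.line} {f.kind} {f.preview}")
    print("summary:", summarize(results), "rating:", rate_app(results))
```

Run as a CI gate on the decompiled release build (or on the source tree before a push), failing the build on any high-tier finding; the `password_hint` line shows why the patterns demand a delimited value, so user-facing strings that merely mention a password are not reported.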
Cryptographic API keys, private keys, and passwords are used to authenticate the application and authorize access to protected resources or services, as well as to ensure the integrity and security of data exchanges between the application and a server.
Typically an API key serves a dual purpose: it identifies the app to the backend API, and it validates the legitimacy of the requesting app, thereby establishing a clear link between the requesting entity and the API backend. This mechanism effectively prevents unauthorized or anonymous access attempts and provides a means to regulate the flow of data requests.
The researchers claimed that exposing API keys — especially those related to services like Google, AWS, and other cloud services — can result in unauthorized usage, which may incur unexpected costs or disrupt the functionality of integrated features.
“Keys are vital in the security and privacy of data as they authenticate and authorize access to services,” Chiboora says, adding that most of the time these details are hidden from application users. “There are mobile cybersecurity methods that allow app developers to move these keys out of the app and into the cloud, which is a better approach and a recommendation for better security.”
The researchers said this secret information is essential for verifying the identity of the application and protecting against unauthorized access, tampering, or data breaches. These secret keys are often present in the compiled source code of these applications and may also be inadvertently published to public repositories like GitHub.
Ted Miracco, CEO of Approov, said that as financial services become more digitized and accessible through mobile platforms across the world, the potential risks associated with the exposure of confidential information have escalated. “Developers can no longer depend on ‘official’ app stores or on native client OS security and must ensure that end-to-end security is built into the app itself,” he said.