Analysis of Cybersecurity Vulnerabilities in Mobile Payment Applications

Abstract

Skepticism about security of mobile payment applications has plagued user adoption of such platforms in some countries. Software developers have generally de-emphasized core principles guiding delivering safe mobile applications since for mobile payment applications, movement of monetary value is their priority. We find in surveyed literature that this situation is prevalent in low economy/low financial inclusion countries. Selected were 50 Fintech and traditional banks m-payment applications in both high and lower economic and technological advancement (high E&T apps and lower E&T apps respectively) countries in Africa. This work may have significance in finance or economy, but it is mainly to unravel cybersecurity concerns. The analyses (static and dynamic) of the applications targeted top ten vulnerabilities on 2023 Common Weakness Enumeration (CWE) and Open Worldwide Application Security Project (OWASP) lists. The study employed Mobile Security Framework (MobSF) as the primary tool for both Android and iOS application while Automated Security Risk Assessment (AUSERA) tool was used to validate the vulnerabilities reported by MobSF.  Results show that traditional m-payment apps were generally more secure than Fintech m-payment apps. In the later category, vulnerabilities under information leakage and cryptography category were the most prevalent. On the average, no marked difference was observed in security performance between high E&T apps and lower E&T apps. Incorrect default permission, cleartext storage of sensitive information, use of risky cryptographic algorithm, use of insufficiently random values and information exposure were the most prevalent vulnerabilities. Conversely, insecure implementation of SSL and trusting all certificates or accepting self-signed certificates had fewest occurrences. Poor code quality was the highest source of security vulnerabilities in the study. Declining statistics of SMS leakage in recent studies was confirmed in this work. The most implemented security measure was certificate pinning for preventing or detecting man-in-the-middle attack.

Received: 7 February 2024 | Revised: 28 May 2024 | Accepted: 31 May 2024

Conflicts of Interest

The authors declare that they have no conflicts of interest to this work.

Data Availability Statement

Data available on request from the corresponding author upon reasonable request.