Analysis of Cybersecurity Vulnerabilities in Mobile Payment Applications

Authors

  • Esther Edem Archibong Computer Engineering Department, University of Uyo, Nigeria
  • Bliss Utibe-Abasi Stephen Computer Engineering Department, University of Uyo, Nigeria https://orcid.org/0000-0002-2535-4492
  • Philip Asuquo Computer Engineering Department, University of Uyo, Nigeria

DOI:

https://doi.org/10.47852/bonviewAAES42022595

Keywords:

vulnerability analysis, CWE, OWASP, cryptography, certificates, cybersecurity

Abstract

Skepticism about the security of mobile payment applications has hampered user adoption of such platforms in some countries. Software developers have generally de-emphasized the core principles of delivering safe mobile applications, since for mobile payment applications the movement of monetary value is the priority. We find in the surveyed literature that this situation is prevalent in low-economy, low-financial-inclusion countries. Fifty Fintech and traditional-bank m-payment applications were selected from African countries of both higher and lower economic and technological advancement (high E&T apps and lower E&T apps respectively). This work may have significance for finance or the economy, but its main aim is to unravel cybersecurity concerns. The static and dynamic analyses of the applications targeted the top ten vulnerabilities on the 2023 Common Weakness Enumeration (CWE) and Open Worldwide Application Security Project (OWASP) lists. The study employed the Mobile Security Framework (MobSF) as the primary tool for both Android and iOS applications, while the Automated Security Risk Assessment (AUSERA) tool was used to validate the vulnerabilities reported by MobSF. Results show that traditional m-payment apps were generally more secure than Fintech m-payment apps. In the latter category, vulnerabilities in the information leakage and cryptography categories were the most prevalent. On average, no marked difference in security performance was observed between high E&T apps and lower E&T apps. Incorrect default permission, cleartext storage of sensitive information, use of a risky cryptographic algorithm, use of insufficiently random values and information exposure were the most prevalent vulnerabilities. Conversely, insecure implementation of SSL and trusting all certificates or accepting self-signed certificates had the fewest occurrences. Poor code quality was the largest source of security vulnerabilities in the study. The decline in SMS leakage reported in recent studies was confirmed in this work. The most widely implemented security measure was certificate pinning, used to prevent or detect man-in-the-middle attacks.
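As an added, defender-side illustration (this is not code from the paper, and it is neither MobSF nor AUSERA): a small pattern scanner in Python that flags source idioms associated with the vulnerability classes the abstract names, run over a constructed Android/Java-style snippet. The regexes, rule set and snippet are assumptions made for illustration; the CWE ids are the ones MITRE's catalogue assigns to those weakness names. Real analyzers such as MobSF work on decompiled code and manifests with far richer rules; this shows only the shape of such a check and how findings map back to the categories in the study.

```python
"""Pattern-based checks for the vulnerability classes named in the abstract.

Added example: a minimal line-oriented static scanner. Each rule pairs a
regex (an assumption for illustration) with the CWE id and the category
label used in the study's abstract.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cwe: str        # CWE id from MITRE's catalogue
    category: str   # category label as worded in the abstract
    line_no: int    # 1-based line in the scanned source
    evidence: str   # the offending line, stripped


# (compiled regex, CWE id, category label). Heuristic by design.
RULES = [
    (re.compile(r'Cipher\.getInstance\("(DES|RC4|AES/ECB)[^"]*"\)'),
     "CWE-327", "use of risky cryptographic algorithm"),
    (re.compile(r'\bnew\s+(java\.util\.)?Random\('),
     "CWE-330", "use of insufficiently random values"),
    (re.compile(r'MODE_WORLD_(READABLE|WRITEABLE)'),
     "CWE-276", "incorrect default permission"),
    (re.compile(r'putString\("(password|pin|token)"'),
     "CWE-312", "cleartext storage of sensitive information"),
    (re.compile(r'Log\.[dviwe]\(.*(password|pin|token)', re.IGNORECASE),
     "CWE-200", "information exposure"),
    # An empty checkServerTrusted body accepts any chain, self-signed included.
    (re.compile(r'checkServerTrusted\([^)]*\)\s*\{\s*\}'),
     "CWE-295", "trusting all certificates"),
    # Apache HttpClient's permissive verifier disables hostname checking.
    (re.compile(r'ALLOW_ALL_HOSTNAME_VERIFIER'),
     "CWE-295", "insecure implementation of SSL"),
]

# Constructed sample input (not from any real application). Lines 1-7 each
# carry one weakness; lines 8-9 are benign and must not be flagged.
SAMPLE = """\
SharedPreferences prefs = getSharedPreferences("wallet", MODE_WORLD_READABLE);
prefs.edit().putString("pin", userPin).apply();
Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
int otp = new Random().nextInt(999999);
Log.d(TAG, "session token=" + token);
public void checkServerTrusted(X509Certificate[] chain, String authType) {}
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
byte[] key = SecureRandom.getInstance("SHA1PRNG").generateSeed(16);
Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
"""


def scan(source: str) -> list[Finding]:
    """Return one Finding per (line, matching rule), in source order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for regex, cwe, category in RULES:
            if regex.search(line):
                findings.append(Finding(cwe, category, line_no, line.strip()))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, the way the study tallies prevalence."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLE)
    for f in results:
        print(f"line {f.line_no}: {f.cwe} ({f.category}): {f.evidence}")
    print("by category:", summarize(results))
```

Because each rule is a plain regex, the scanner is a triage aid rather than proof of a vulnerability: a match such as `new Random(` still needs a reviewer to confirm the value feeds something security-relevant, which is why the abstract's workflow validates MobSF output with a second tool.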


Received: 7 February 2024 | Revised: 28 May 2024 | Accepted: 31 May 2024


Conflicts of Interest

The authors declare that they have no conflicts of interest in this work.


Data Availability Statement

Data are available from the corresponding author upon reasonable request.


Author Contribution Statement

Esther Edem Archibong: Methodology, Software, Investigation, Resources, Visualization; Bliss Utibe-Abasi Stephen: Validation, Data curation, Writing - original draft, Supervision, Project administration; Philip Asuquo: Conceptualization, Formal analysis, Writing - review & editing.


Funding Support

This work is sponsored by 2019 Project of Humanities and Social Sciences of Henan Provincial Department of Education: “Research on Translation for Overseas Publicity from the Perspective of the Persuasion Theory in Western Rhetoric” (2019- ZZJH-643); 2019 Teaching Reform Project of School of Foreign Studies, North China University of Water Resources and Electric Power: “The Reforming Design and Practice of Mixed Teaching of Online and Offline Course for English Rhetoric”; and 2019 Teaching Reform Project of Henan Province: A Research on the “Golden Lesson” of College English from the Perspective of Telling Chinese Stories (2019SJGLX284).


Published

2024-06-19

Section

Research Articles

How to Cite

Archibong, E. E., Stephen, B. U.-A., & Asuquo, P. (2024). Analysis of Cybersecurity Vulnerabilities in Mobile Payment Applications. Archives of Advanced Engineering Science, 1-12. https://doi.org/10.47852/bonviewAAES42022595