Page 10 - FIGI: Security audit of various DFS applications
Security audit of Android DFS applications
1 ABOUT THE APPS

The three DFS applications analysed were selected as follows: two DFS applications from providers in Africa and one DFS application from Europe. The results of the security audit of these applications have been anonymised in the report, and the three DFS apps are referred to as App1, App2 and App3.

1.1 App1

A European-based mobile payment app, App1 links the user's credit card and bank account. It can be used to send, request and receive money. The app can also be used to make online payments by scanning QR codes, and to make cashless payments at stores and restaurants or pay for parking tickets using QR codes or merchant beacons. A user requires a mobile number and credit card or bank account details to register.

1.2 App2

App2 is provided by a mobile network operator that provides digital financial services in the areas in which it operates across Africa. The mobile financial service application makes it possible for users to send money locally and internationally, pay for goods and services, transact from anywhere in the world, and make transfers between the mobile wallet and the user's bank account. To register, the app requires a mobile number with the operator. App users do not need to have a bank account.

1.3 App3

App3 is also provided by a mobile operator, in several countries across Africa and Asia. The app makes it possible for users to send money to contacts, pay for goods and services, and make transfers between the mobile wallet and a bank account. To register, the app requires a mobile number with the operator. App users do not need to have a bank account.

2 TESTING METHOD

The goal of these tests is to give a standardised score of the security level of smartphone apps for Digital Financial Services. This is achieved by installing the app on a test phone and analysing its security features with a set of testing tools. The tests have been chosen such that they can be carried out with open-source tools and with reasonable effort.

The tests are organised according to the OWASP Mobile Top 10 list. The Open Web Application Security Project (OWASP) is a non-profit foundation that works to improve the security of software. One of its projects is the OWASP Mobile Top 10, which lists the following risks as most important:

a) M1 Improper Platform Usage
b) M2 Insecure Data Storage
c) M3 Insecure Communication
d) M4 Insecure Authentication
e) M5 Insufficient Cryptography