Security audit of Android DFS applications

1  ABOUT THE APPS

The three DFS applications analysed were selected as follows: two DFS applications from providers in Africa and one DFS application from Europe. The results of the security audit of these applications have been anonymised in the report, and the three DFS apps are referred to as App1, App2 and App3.

1.1  App1

A European-based mobile payment app, App1 links the user's credit card and bank account. It can be used to send, request and receive money. The app can also be used to make online payments by scanning QR codes, and to make cashless payments at stores and restaurants or pay for parking tickets using QR codes or merchant beacons. A user requires a mobile number and credit card or bank account details to register.

1.2  App2

App2 is provided by a mobile network operator that provides digital financial services in the areas in which it operates across Africa. The mobile financial service application makes it possible for users to send money locally and internationally, pay for goods and services, transact from anywhere in the world, and make transfers between the mobile wallet and the user's bank account. To register, the app requires a mobile number with the operator. App users do not need to have a bank account.

1.3  App3

App3 is also provided by a mobile operator, in several countries across Africa and Asia. The app makes it possible for users to send money to contacts, pay for goods and services, and make transfers between the mobile wallet and a bank account. To register, the app requires a mobile number with the operator. App users do not need to have a bank account.

2  TESTING METHOD

The goal of these tests is to give a standardised score of the security level of smartphone apps for Digital Financial Services. This is achieved by installing the app on a test phone and analysing its security features with a set of testing tools. The tests have been chosen such that they can be carried out with open-source tools and with reasonable effort.

The tests are organised according to the OWASP mobile top 10 list. The Open Web Application Security Project (OWASP) is a non-profit foundation that works to improve the security of software.[1] One of their projects is the OWASP mobile top 10,[2] which lists the following risks as most important:

a)  M1 Improper Platform Usage
b)  M2 Insecure Data Storage
c)  M3 Insecure Communication
d)  M4 Insecure Authentication
e)  M5 Insufficient Cryptography
