Page 8 - FIGI: Security audit of various DFS applications
Executive Summary
The main objective of this report is to present the findings of the security audit of a few mobile digital financial services (DFS) applications operating on the Android mobile operating system and to elaborate a systematic methodology for carrying out the security audit.

The security audit methodology is based on 18 tests, which are categorised according to seven of the well-known categories of the OWASP Mobile top 10 security risks¹. Three mobile DFS applications were tested: two DFS applications from providers in Africa and one DFS application from Europe. The results of the security audit of these applications have been anonymised in the report, and the three DFS apps are referred to as App1, App2 and App3.

An overview of the results is shown in the table below:
| OWASP mobile top 10 | Test | App1 | App2 | App3 |
| --- | --- | --- | --- | --- |
| M1: Improper Platform Usage | T1.1 Android:allowBackup | | | |
| | T1.2 Android:debuggable | | | |
| | T1.3 Android:installLocation | | | |
| | T1.4 Dangerous permissions | | | |
| M2: Insecure Data Storage | T2.1 Android.permission.WRITE_EXTERNAL_STORAGE | | | |
| | T2.2 Disabling screenshots | | | |
| M3: Insecure Communication | T3.1 Application should only use HTTPS connections | | | |
| | T3.2 Application should detect Machine-in-the-Middle attacks with untrusted certificates | | | |
| | T3.3 Application should detect Machine-in-the-Middle attacks with trusted certificates | | | |
| | T3.4 App manifest should not allow cleartext traffic | | | |
| M4: Insecure Authentication | T4.1 Authentication required before accessing sensitive information | | | |
| | T4.2 The application should have an inactivity timeout | | | |
| | T4.3 If a fingerprint is added, existing authentication with fingerprints should be disabled | | | |
| | T4.4 Sensitive requests cannot be replayed | | | |
| M5: Insufficient Cryptography | T5.1 The app should not use unsafe crypto primitives | | | |
| | T5.2 The HTTPS connections should be configured according to best practices | | | |
| | T5.3 The app should encrypt sensitive data that is sent over HTTPS | | | |
| M8: Code Tampering | T8.1 The application should refuse to run on a rooted device | | | |
| M9: Reverse Engineering | T9.1 The code of the app should be obfuscated | | | |
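Several of the tests in the table (T1.1, T1.2, T1.3, T1.4, T2.1 and T3.4) can be decided from the app's AndroidManifest.xml alone. The following Python checker is an added example of how an auditor might automate those manifest-level checks; it is not the report's own tooling or the DFS Security Lab's code. The two manifests it runs on are constructed, and the set of "dangerous" permissions it flags is an assumed illustrative subset of Android's runtime-permission groups.

```python
"""Manifest-level checks from the FIGI test list: T1.1 allowBackup,
T1.2 debuggable, T1.3 installLocation, T1.4 dangerous permissions,
T2.1 WRITE_EXTERNAL_STORAGE and T3.4 cleartext traffic.
Added example, not the report's tooling; the manifests are constructed."""
from dataclasses import dataclass
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed illustrative subset of Android's runtime ("dangerous") permissions.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}


@dataclass
class Finding:
    test: str
    passed: bool
    detail: str


def _a(elem, name, default=None):
    """Read an android:-namespaced attribute, or the default if absent."""
    if elem is None:
        return default
    value = elem.get("{%s}%s" % (ANDROID_NS, name))
    return default if value is None else value


def audit_manifest(manifest_xml: str) -> dict:
    """Return {test id: Finding} for the manifest-level tests."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    sdk = root.find("uses-sdk")
    target_sdk = int(_a(sdk, "targetSdkVersion", "0"))
    perms = {_a(p, "name") for p in root.findall("uses-permission")}
    findings = {}

    # T1.1: allowBackup defaults to true, so only an explicit "false" passes.
    v = _a(app, "allowBackup", "true").lower()
    findings["T1.1"] = Finding("T1.1 allowBackup", v == "false", "allowBackup=" + v)

    # T1.2: a release build must not be debuggable.
    v = _a(app, "debuggable", "false").lower()
    findings["T1.2"] = Finding("T1.2 debuggable", v != "true", "debuggable=" + v)

    # T1.3: an absent attribute means internalOnly; "auto" or
    # "preferExternal" let the APK be moved to shared storage.
    v = _a(root, "installLocation", "internalOnly")
    findings["T1.3"] = Finding("T1.3 installLocation", v == "internalOnly",
                               "installLocation=" + v)

    # T1.4: passes only when no dangerous permission is requested;
    # anything listed in the detail needs a justification from the vendor.
    dangerous = sorted(perms & DANGEROUS_PERMISSIONS)
    findings["T1.4"] = Finding("T1.4 dangerous permissions", not dangerous,
                               ", ".join(dangerous) or "none")

    # T2.1: shared external storage is readable by other apps on the device.
    ext = "android.permission.WRITE_EXTERNAL_STORAGE" in perms
    findings["T2.1"] = Finding("T2.1 WRITE_EXTERNAL_STORAGE", not ext,
                               "requested" if ext else "not requested")

    # T3.4: usesCleartextTraffic defaults to true below targetSdkVersion 28.
    # A networkSecurityConfig (not parsed here) can override this flag.
    v = _a(app, "usesCleartextTraffic")
    cleartext = (target_sdk < 28) if v is None else v.lower() == "true"
    findings["T3.4"] = Finding("T3.4 cleartext traffic", not cleartext,
                               "usesCleartextTraffic=%s targetSdk=%d" % (v, target_sdk))
    return findings


# Constructed weak manifest: fails every check above.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dfs" android:installLocation="auto">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="27"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:allowBackup="true" android:debuggable="true"/>
</manifest>"""

# Constructed hardened manifest: passes every check above.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dfs" android:installLocation="internalOnly">
  <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="33"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:allowBackup="false" android:debuggable="false"
               android:usesCleartextTraffic="false"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print("==", name, "manifest ==")
        for f in audit_manifest(xml).values():
            print("PASS" if f.passed else "FAIL", f.test, "-", f.detail)
```

In practice the manifest is taken from the decoded APK (the binary manifest has to be converted to text first), and a passing T3.4 should still be confirmed against the app's network security configuration, which can re-enable cleartext for specific domains.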
The 18 security tests defined in the methodology for the security audit in the report have also been mapped against the security best practices of the DFS Security Assurance Framework report, illustrating how the security tests can verify the adherence of the application being tested to the best practices (see Chapter 4 of the report). This methodology will be used in the DFS Security Lab for the security audit of DFS applications based on the Android platform. The DFS Security Lab has been set up by the ITU as part of the activities of the Security, Infrastructure and Trust (SIT) Working Group under the Financial Inclusion Global Initiative (FIGI).