October 12, 2023 at 06:26AM
Researchers at Approov have discovered that encryption, authentication, and signing keys are frequently exposed in mobile fintech apps used in Africa. When the top 10 apps by revenue and downloads were reverse-engineered, the study found passwords, API keys, and cryptographic private keys embedded in them. The researchers also identified cryptocurrency apps as the least secure, followed by personal finance apps and payment and transfer apps. Exposure of these keys could lead to unauthorized access and compromised user privacy. Approov CEO Ted Miracco stressed the importance of building end-to-end security into fintech apps.
According to meeting notes, researchers at Approov have found that encryption, authentication, and signing keys are frequently exposed in mobile fintech apps used in Africa. The research focused on the top 10 apps by revenue and downloads, including those offering loans, mobile banking, P2P money transfer, investment, and cryptocurrency services. The study revealed that crypto apps were the most vulnerable, with 33.3% rated as high risk and 53.3% as medium risk. These apps exposed private keys, keys for payment or transfer services, and “authentication” or “attestation” keys, any of which could lead to unauthorized access, data breaches, and compromised user privacy. Personal finance apps and payment and transfer apps were also found to carry significant security risks. The researchers collected each app’s ID and reverse-engineered the apps to identify exposed cryptographic API keys, private keys, and passwords. An exposed API key can be used without authorization and can disrupt the service behind it. The recommendation to app developers was to move these keys out of the app and into the cloud, where the client cannot expose them. Approov CEO Ted Miracco emphasized the importance of building end-to-end security into fintech apps as financial services become more digitized and accessible through mobile platforms worldwide.
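The kind of exposure described above is easy to check for before a build ships. The following pre-release scan is an added example, not Approov's tooling or any of the studied apps' code: it scans text extracted from a decompiled build (Android `strings.xml` entries, Java/Kotlin constants, properties files) for PEM private keys and for high-entropy values assigned to key-, secret- or password-like names, while skipping low-entropy placeholders. The sample build output, the entropy threshold and the name patterns are all assumptions constructed for the example.

```python
"""Pre-release scan for secrets baked into a mobile app build (added example)."""
import math
import re
from typing import List, Tuple

# Header of a PEM-encoded private key (RSA, EC or PKCS#8).
PEM_RE = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")

# A key-like identifier followed by an assigned value, covering three layouts:
#   <string name="payments_api_key">VALUE</string>   (Android strings.xml)
#   static final String API_SECRET = "VALUE";        (Java/Kotlin constant)
#   attestation.key=VALUE                            (properties file)
ASSIGN_RE = re.compile(
    r"(?i)(?P<name>[A-Za-z0-9_.]*"
    r"(?:api[_-]?key|secret|token|password|passwd|private[_-]?key|attest)"
    r"[A-Za-z0-9_.]*)"
    r"[\"']?\s*(?:=|:|>)\s*[\"']?(?P<value>[A-Za-z0-9+/=_\-]{16,})"
)

def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, placeholders score low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def find_embedded_secrets(text: str, min_entropy: float = 3.5) -> List[Tuple[int, str]]:
    """Return (line_no, kind) for each line that looks like an embedded secret.

    Caveat: string literals that are split, XOR-ed or otherwise obfuscated
    are not caught; a clean scan means the build passed this check, not that
    no key is present. The durable fix is to keep keys off the device.
    """
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PEM_RE.search(line):
            hits.append((lineno, "pem-private-key"))
            continue
        m = ASSIGN_RE.search(line)
        if m and shannon_entropy(m.group("value")) >= min_entropy:
            hits.append((lineno, m.group("name")))
    return hits

# Constructed sample of decompiled build output; values are invented.
SAMPLE_BUILD_OUTPUT = """\
<string name="app_name">Demo Wallet</string>
<string name="payments_api_key">k7Q2zP9vXm4Rt8Lw3Hn6Yb1J</string>
<string name="support_password">CHANGE_ME_PLEASE</string>
public static final String ATTESTATION_SECRET = "Zt5Gy8Qw2Ln7Vk3Hp9Rm4Xc6";
-----BEGIN RSA PRIVATE KEY-----
(key body omitted in this constructed sample)
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, kind in find_embedded_secrets(SAMPLE_BUILD_OUTPUT):
        print(f"line {lineno}: {kind}")
```

On the sample, lines 2, 4 and 5 are reported; the `CHANGE_ME_PLEASE` placeholder on line 3 is skipped because its entropy (3.25 bits per character) is below the threshold.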