Bringing Security to the Heart of Ugandan Consumer Applications
A very welcome addition to the Ugandan technology scene is the wave of consumer-facing apps: from banks, to telecommunication companies supporting mobile money services, to parastatals getting closer to their customers. The newest apps that I am aware of include (in no particular order):
- Airtel Money
- My MTN
- NWSC Mobile
- NSSF Go
- Stanbic Bank Mobile Banking
- DFCU Mobile Banking
- Bank of Africa Mobile Wallet (BMW)
- Ask URA
On the one hand, these apps are a welcome response to the increasingly sophisticated Ugandan urban consumer who demands more from corporations. However, a worrying trend that needs to be addressed is the security of these applications in collecting and managing user information. I have taken to social media to ask for more information on the security setup of these apps, but have never received a response.
This is a call to the regulators, Bank of Uganda, Uganda Communications Commission and NITA-U (at the moment), to present a united front and ensure that the following areas are addressed:
- Excess permissions: one app wanted access to my contacts, SMS messages, Wi-Fi and phone identity, yet was not a banking app
- Encryption of data stored on the phone, so that if the phone is separated from its owner the data remains safe
- Secure connections for communication with external servers, via HTTPS and SSL
- Security audits of back-end infrastructure following ISO and COBIT standards (http://www.isaca.org/Journal/archives/2002/Volume-6/Pages/A-Survey-of-Application-Security-in-Current-International-Standards.aspx)
- Penetration, stress and load testing to ensure that aside from
- Software development practices that include the OWASP Top 10 Proactive Controls for software developers (https://www.owasp.org/index.php/OWASP_Proactive_Controls)
What else do you see being done to improve the security of our consumer-facing applications?
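As an added example that is not from the original post, here is the kind of check a reviewer (or a regulator's auditor) could run against an app's AndroidManifest.xml for two of the concerns in the list: permissions that exceed the app's purpose, and cleartext (non-HTTPS) traffic being allowed. The manifest is constructed for illustration and the `SENSITIVE` table is an assumption about what a billing or banking app should not need.

```python
"""Audit an Android manifest for excess permissions and cleartext traffic."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that read user data or device identity. Which of these are
# "excess" depends on the app; the caller passes the ones it can justify.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.READ_SMS": "SMS inbox",
    "android.permission.RECEIVE_SMS": "incoming SMS (e.g. OTP interception)",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi network details",
    "android.permission.READ_PHONE_STATE": "phone identity (IMEI, number)",
}

# Constructed manifest of a hypothetical utility-billing app (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.billing">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Bills" android:usesCleartextTraffic="true"/>
</manifest>"""


def audit_manifest(xml_text, allowed=frozenset()):
    """Return sensitive permissions not in `allowed` and whether the app
    opts in to cleartext HTTP via android:usesCleartextTraffic."""
    root = ET.fromstring(xml_text)
    requested = [p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")]
    excess = [p for p in requested if p in SENSITIVE and p not in allowed]
    app = root.find("application")
    cleartext = app is not None and app.get(ANDROID_NS + "usesCleartextTraffic") == "true"
    return {"excess_permissions": excess, "cleartext_traffic": cleartext}


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    for perm in report["excess_permissions"]:
        print(f"excess permission {perm}: grants access to {SENSITIVE[perm]}")
    if report["cleartext_traffic"]:
        print("application permits cleartext (non-HTTPS) traffic")
```

Running it against a real APK means extracting and decoding the binary manifest first (for example with apktool); the parsing above assumes the decoded XML.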