«
»

11 Sep

Bringing Security to the heart of Uganda Consumer Applications 

Posted September 11, 2015 by ssmusoke in current affairs, frugal innovation, mobile computing, mobile technology usage, security, technology. Tagged: , .

A very welcome addition to Uganda technology scene are the multiple consumer facing apps, from banks, to telecommunication companies to support mobile money services, to parastatals getting closer to their customers. The newest apps that I am aware of include (in no particular order):
  1. Airtel Money
  2. My MTN
  3. NWSC Mobile
  4. NSSF Go
  5. Stanbic Bank Mobile Banking
  6. DFCU Mobile Banking
  7. Bank of Africa Mobile Wallet (BMW)
  8. Ask URA
On one hand, this is a very welcome addition to address the increasing sophistication of the Ugandan urban consumer who demands more from the corporations. However a worrying trend which needs to be addressed is the security of these applications, in collecting and managing user information. I have taken to social media to ask for more information on the security setup for these apps, but have never gotten a response.
This is hoping to the regulators, Bank of Uganda, Uganda Communications Commission and NITAU (at the moment) to provide a united front to ensure that the following areas are addressed:
  1. Excess permissions, one app wanted to access my contacts, SMS messages, WIFI, phone identity yet was not a banking app
  2. Encryption of data stored on the phone to ensure that if the phone is separated from the owner the data is safe
  3. Secure connections for communication with external servers – via HTTPS and SSL
  4. Security audits of back end infrastructure following ISO and COBIT standards (http://www.isaca.org/Journal/archives/2002/Volume-6/Pages/A-Survey-of-Application-Security-in-Current-International-Standards.aspx)
  5. Penetration, stress and load testing to ensure that aside from
  6. Software development practices that include OWASP top 10 Proactive Controls for software developers https://www.owasp.org/index.php/OWASP_Proactive_Controls
What else do you see being done to improve the security of our consumer facing applications

6 responses to this post.

  1. Posted by skaheru on September 11, 2015 at 08:07

    Still well within #UGblogDAY sights, sir! And an insightful post, as usual.

    Like

    Reply

  2. Posted by Eric Kamara on September 11, 2015 at 11:05

    I have been thinking about this and I actually went the extra mile of getting some of these apps and decompiling them to have a look at the source code. What I have found is very scary because some banking institutions are actually sending the credentials from the apps over plain http! Some have open APIs where someone can fake a transaction. What should be done to improve the security is hire security conscious developers, give them security criteria that have to be met and also conduct independent audits of these apps to verify that these have been met.

    Liked by 1 person

    Reply

    • Posted by ssmusoke on September 11, 2015 at 20:00

      Eric you make a very good point, that is why I see the regulators & technology advisors Bank of Uganda, Uganda Communications Commission and NITAU for financial, telecom and government (including parastatal) sectors as the key players who can come together and set minimum standards, before the situation spirals out of control.

      Like

      Reply

    • Posted by Brian Benchoff on September 16, 2015 at 07:17

      @Eric: Am keen on how you actually decompiled the APKs. I know of ways to do that but would appreciate to compare notes with someone who does this on a security research level. Please share a step by step procedure on how you de-compiled the apps (for Android & iOS). If possible with screenshots.

      And for APPs that use http calls, there is no need to decompile them — esp so for Android APKs. All you have to do is install them in an emulator of your choice on your PC and sniff the traffic.

      Like

      Reply

  3. Posted by thewayoutcommunity on September 11, 2015 at 14:31

    I am green on security issues and when it comes to security of data I completely get lost. It is good that we have people like you who are concerned about the security of out info on phones.

    #UGblogDAY

    Like

    Reply

  4. Posted by JoshTwin (@josh_twin) on September 15, 2015 at 17:40

    Steven you raise a valid concern about the security of these apps. I’ve refused to install some of these apps because of the excessive permissions that some of them seek. Hearing from Eric that a bank is sending credentials over plain HTTP is scary! Can we have such apps with such glaring holes made public so that we can pressurize the developers/bank to tie up those ends? Not for purposes of “trolling” the bank but for them to secure the apps.

    Like

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: