A very welcome addition to the Ugandan technology scene is the growing number of consumer-facing apps, from banks, to telecommunication companies supporting mobile money services, to parastatals getting closer to their customers. The newest apps that I am aware of include (in no particular order):
- Airtel Money
- My MTN
- NWSC Mobile
- NSSF Go
- Stanbic Bank Mobile Banking
- DFCU Mobile Banking
- Bank of Africa Mobile Wallet (BMW)
- Ask URA
On one hand, this is a very welcome development that addresses the increasing sophistication of the Ugandan urban consumer, who demands more from the corporations. However, a worrying trend that needs to be addressed is the security of these applications in collecting and managing user information. I have taken to social media to ask for more information on the security setup for these apps, but have never gotten a response.
This is a call for the regulators, Bank of Uganda, Uganda Communications Commission and NITAU (at the moment), to provide a united front to ensure that the following areas are addressed:
- Excessive permissions: one app wanted to access my contacts, SMS messages, Wi-Fi and phone identity, yet it was not even a banking app
- Encryption of data stored on the phone to ensure that if the phone is separated from the owner the data is safe
- Secure connections for communication with external servers – via HTTPS and SSL
- Security audits of back end infrastructure following ISO and COBIT standards (http://www.isaca.org/Journal/archives/2002/Volume-6/Pages/A-Survey-of-Application-Security-in-Current-International-Standards.aspx)
- Penetration, stress and load testing to ensure that aside from
- Software development practices that include OWASP top 10 Proactive Controls for software developers https://www.owasp.org/index.php/OWASP_Proactive_Controls
What else do you see being done to improve the security of our consumer-facing applications?
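Two of the areas above (excessive permissions, and secure connections over HTTPS) can be checked mechanically from an app's decoded AndroidManifest.xml before anyone installs it. The script below is an added example, not code from this post or from any of the apps named in it: it audits a manifest for permissions outside an assumed baseline for a banking or mobile money app, for the `android:usesCleartextTraffic` setting that would allow plain HTTP to backend servers, and for `android:allowBackup`, which matters when data on the phone is not encrypted. Both manifests, the permission baseline and the severity labels are constructed assumptions for illustration, not an official standard.

```python
"""Audit a decoded AndroidManifest.xml for the issues raised in the post:
permissions beyond what a banking / mobile-money app plausibly needs, and
application settings that weaken the HTTPS requirement or data-at-rest
protection. Both manifests below are CONSTRUCTED for this example and the
baseline of acceptable permissions is an assumption, not an official list."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed baseline: permissions a typical online banking / mobile money app
# needs. Anything outside this set is reported so the vendor has to justify it.
BASELINE_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.USE_BIOMETRIC",
}

# Permissions that expose data unrelated to the app's purpose (the post's
# example: contacts, SMS, Wi-Fi details and phone identity).
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.READ_PHONE_STATE",
}

# Constructed manifest showing the weak configuration.
WEAK_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.wallet">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Constructed Wallet"
        android:allowBackup="true"
        android:usesCleartextTraffic="true">
    </application>
</manifest>
"""

# Constructed manifest showing the corrected configuration.
HARDENED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.wallet">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:label="Constructed Wallet"
        android:allowBackup="false"
        android:usesCleartextTraffic="false"
        android:networkSecurityConfig="@xml/network_security_config">
    </application>
</manifest>
"""


def _attr(element, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(manifest_xml):
    """Return a sorted list of finding strings for the given manifest text."""
    root = ET.fromstring(manifest_xml)
    findings = []

    # Every <uses-permission> the app declares, compared against the baseline.
    requested = {
        _attr(el, "name") for el in root.iter("uses-permission") if _attr(el, "name")
    }
    for perm in sorted(requested - BASELINE_PERMISSIONS):
        severity = "HIGH" if perm in HIGH_RISK_PERMISSIONS else "REVIEW"
        findings.append(f"{severity}: permission {perm} is outside the expected baseline")

    app = root.find("application")
    if app is not None:
        # Cleartext HTTP permitted: credentials and transactions may travel unencrypted.
        if _attr(app, "usesCleartextTraffic") == "true":
            findings.append("HIGH: usesCleartextTraffic=true allows plain HTTP to backend servers")
        # Without a network security config the app declares no certificate
        # pinning or cleartext policy beyond the platform default.
        if _attr(app, "networkSecurityConfig") is None:
            findings.append("REVIEW: no networkSecurityConfig declared (no pinning / cleartext policy)")
        # Device backups can carry app data off the phone; a concern when
        # locally stored data is not encrypted.
        if _attr(app, "allowBackup") == "true":
            findings.append("REVIEW: allowBackup=true exposes local app data to device backups")
    return sorted(findings)


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(f"== {label} manifest ==")
        for line in audit_manifest(manifest) or ["no findings"]:
            print(line)
```

Run against the weak manifest the script reports the four unrelated permissions and the cleartext setting as HIGH plus two REVIEW items; the hardened manifest produces no findings. A manifest check like this is only the first gate: it says nothing about what the app does with the permissions it does hold, so it complements rather than replaces the independent audits the post asks for.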
Still well within #UGblogDAY sights, sir! And an insightful post, as usual.
I have been thinking about this and I actually went the extra mile of getting some of these apps and decompiling them to have a look at the source code. What I have found is very scary because some banking institutions are actually sending the credentials from the apps over plain http! Some have open APIs where someone can fake a transaction. What should be done to improve the security is hire security conscious developers, give them security criteria that have to be met and also conduct independent audits of these apps to verify that these have been met.
Eric, you make a very good point; that is why I see the regulators and technology advisors Bank of Uganda, Uganda Communications Commission and NITAU for the financial, telecom and government (including parastatal) sectors as the key players who can come together and set minimum standards, before the situation spirals out of control.
@Eric: I am keen on how you actually decompiled the APKs. I know of ways to do that but would appreciate comparing notes with someone who does this at a security research level. Please share a step-by-step procedure on how you decompiled the apps (for Android & iOS), if possible with screenshots.
And for apps that use HTTP calls, there is no need to decompile them, especially so for Android APKs. All you have to do is install them in an emulator of your choice on your PC and sniff the traffic.
I am green on security issues, and when it comes to security of data I completely get lost. It is good that we have people like you who are concerned about the security of our info on phones.
#UGblogDAY
Steven you raise a valid concern about the security of these apps. I’ve refused to install some of these apps because of the excessive permissions that some of them seek. Hearing from Eric that a bank is sending credentials over plain HTTP is scary! Can we have such apps with such glaring holes made public so that we can pressurize the developers/bank to tie up those ends? Not for purposes of “trolling” the bank but for them to secure the apps.