Computer Science - Cryptography and Security; mobile banking app; android application; vulnerability; code smell; Africa; WAEMU
Abstract :
The West African Economic and Monetary Union (WAEMU) states, characterized by
widespread smartphone usage, have witnessed banks and financial institutions
introducing mobile banking applications (MBAs). These apps empower users to
perform transactions such as money transfers, bill payments, and account
inquiries anytime, anywhere. However, this proliferation of MBAs also raises
significant security concerns. Poorly implemented security measures during app
development can expose users and financial institutions to substantial
financial risks through increased vulnerability to cyberattacks. Our study
evaluated fifty-nine WAEMU MBAs using static analysis techniques. These MBAs
were collected from the 160 banks and financial institutions of the eight WAEMU
countries listed on the Central Bank of West African States (BCEAO) website. We
identified security-related code issues that could be exploited by malicious
actors. We investigated the issues found in the older versions to track their
evolution across updates. Additionally, we identified some banks from regions
such as Europe, the United States, and other developing countries and analyzed
their mobile apps for a security comparison with WAEMU MBAs. Key findings
include: (1) WAEMU apps exhibit security issues introduced during development,
posing significant risks of exploitation; (2) Despite frequent updates,
underlying security issues often persist; (3) Compared to MBAs from developed
and developing countries, WAEMU apps exhibit fewer critical security issues;
and (4) Apps from banks that are branches of other non-WAEMU banks often
inherit security concerns from their parent apps while also introducing
additional issues unique to their context. Our research underscores the need
for robust security practices in WAEMU MBA development to enhance user safety
and trust in financial services.
Research center :
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > TruX - Trustworthy Software Engineering
Disciplines :
Computer science
Author, co-author :
DIALLO, Alioune ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
WAR, Aicha ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
DIOUF, Moustapha Awwalou; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
SAMHI, Jordan ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
ARZT, Steven; Fraunhofer SIT > Secure Software Engineering
BISSYANDE, Tegawendé F.; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
KLEIN, Jacques ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
External co-authors :
yes
Language :
English
Title :
Security Assessment of Mobile Banking Apps in West African Economic and Monetary Union
Publication date :
2024
Number of pages :
14
Event name :
1st Cybersecurity4D conference
Event organizer :
PAICTA
Event place :
Eastern Cape, South Africa
Event date :
from 21 to 23 August 2024
Audience :
International
Peer reviewed :
Editorial reviewed
Focus Area :
Security, Reliability and Trust
Name of the research project :
R-AGR-3790 - LuxWays - part UL - BISSYANDE Tegawendé