Security Assessment of Mobile Banking Apps in West African Economic and Monetary Union

DIALLO, Alioune; WAR, Aicha; Diouf, Moustapha Awwalou; SAMHI, Jordan; Arzt, Steven; BISSYANDE, Tegawendé; KLEIN, Jacques

doi:10.1109/c4d65382.2025.11306468

Request a copy

Paper published in a book (Scientific congresses, symposiums and conference proceedings)

Security Assessment of Mobile Banking Apps in West African Economic and Monetary Union

DIALLO, Alioune; WAR, Aicha; Diouf, Moustapha Awwalou et al.

2025 • In Cybersecurity4D conference

Peer reviewed

Permalink
https://hdl.handle.net/10993/66997

DOI
10.1109/c4d65382.2025.11306468

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

Security_Assessment_of_Mobile_Banking_Apps_in_West_African_Economic_and_Monetary_Union.pdf

Publisher postprint (621.57 kB)

Request a copy

All documents in ORBilu are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

Android; mobile banking app; security issue; code smell; vulnerability; WAEMU country; Sub-Saharan Africa

Abstract :

[en] Mobile banking adoption is soaring in Africa, particularly within the West African Economic and Monetary Union (WAEMU) states. These countries have witnessed financial institutions introducing mobile banking applications. These apps empower users to perform money transfers, bill payments, and account inquiries anytime, anywhere. However, this proliferation also raises significant security concerns. Poorly implemented security measures during app development can expose users and financial institutions to substantial financial risks through increased vulnerability to cyberattacks. Our study evaluated fifty-nine WAEMU mobile banking apps using static analysis techniques. We collected these mobile banking apps from the 160 banks and financial institutions of the eight WAEMU countries listed on the Central Bank of West African States (BCEAO) website. We identified security-related code issues that malicious actors could exploit. We investigated the issues found in the older versions to track their evolution across updates. Additionally, we identified some banks from regions such as Europe, the United States, and other developing countries and analyzed their mobile apps for a security comparison with WAEMU banking apps. Key findings include: (1) WAEMU apps exhibit security issues introduced during development, posing significant exploitation risks; (2) Despite frequent updates, underlying security issues often persist; (3) Compared to banking apps from developed countries, WAEMU apps exhibit fewer critical issues; and (4) Apps from banks that are branches of other non-WAEMU banks often inherit concerns from their parent apps while also introducing additional issues unique to their context. Our research underscores the need for robust security practices in WAEMU mobile banking app development to enhance user safety and trust in financial services.

Research center :

Interdisciplinary Centre for Security, Reliability and Trust (SnT) > TruX - Trustworthy Software Engineering

Disciplines :

Computer science

Author, co-author :

DIALLO, Alioune ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

WAR, Aicha ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

Diouf, Moustapha Awwalou; University of Luxemboug,SnT/TruX,Kirchberg,Luxembourg

SAMHI, Jordan ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

Arzt, Steven; Fraunhofer SIT,Secure Software Engineering,Darmstadt,Germany

BISSYANDE, Tegawendé ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

KLEIN, Jacques ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

External co-authors :

yes

Language :

English

Title :

Security Assessment of Mobile Banking Apps in West African Economic and Monetary Union

Publication date :

25 December 2025

Event name :

2025 Cybersecurity4D (C4D)

Event date :

17-22 August 2025

Audience :

International

Main work title :

Cybersecurity4D conference

Publisher :

IEEE

ISBN/EAN :

979-8-3315-3502-5

Pages :

Peer reviewed :

Peer reviewed

Additional URL :

http://xplorestaging.ieee.org/ielx8/11306377/11306414/11306468.pdf?arnumber=11306468

Name of the research project :

R-AGR-3790 - LuxWays - part UL - BISSYANDE Tegawendé

Available on ORBilu :

since 28 December 2025

Statistics

Number of views

90 (3 by Unilu)

Number of downloads

0 (0 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

OpenCitations

OpenAlex citations

Bibliography

B.E.I. (2016) Le secteur bancaire en afrique subsaharienne: Évolutions récentes et inclusion financière numérique. [Online]. Available: https://www.eib.org/attachments/efs/economic_report_ banking_africa_digital_financial_inclusion_fr.pdf
A. Turner. (2024) How many people have smartphones in the world? [Online]. Available: https://www.bankmycell.com/blog/ how-many-phones-are-in-the-world#
Osiris. (2023) En afrique subsaharienne, le taux d’adoption des smartphones atteindra 87% en 2030. [Online]. Available: http://www.osiris.sn/En-Afrique-subsaharienne-le-taux-d.html
Approov. (2023) Security challenges of financial mobile apps in africa. [Online]. Available: https://approov.io/info/ security-challenges-of-financial-mobile-apps-in-africa
A. Diallo, J. Samhi, T. F. Bissyandé, and J. Klein, “(in)security of mobile apps in developing countries: a systematic literature review,” Empirical Software Engineering, vol. 30, no. 5, p. 131, Jul 2025. [Online]. Available: https://doi.org/10.1007/s10664-025-10689-z
E. D. Ansong and T. Q. Synaepa-Addision, “A comparative study of user data security and privacy in native and cross platform android mobile banking applications,” in 2019 International Conference on Cyber Security and Internet of Things (ICSIoT), 2019, pp. 5-10.
A. Uduimoh, I. Idris, O. Osho, and S. Abdulhamid, “Forensic analysis of mobile banking applications in nigeria,” i-manager’s Journal on Mobile Applications and Technologies, vol. 6, pp. 9-20, 06 2019.
O. Osho, U. L. Mohammed, N. N. Nimzing, A. A. Uduimoh, and S. Misra, “Forensic analysis of mobile banking apps,” in Computational Science and Its Applications - ICCSA 2019, S. Misra, O. Gervasi, B. Murgante, E. Stankova, V. Korkhov, C. Torre, A. M. A. Rocha, D. Taniar, B. O. Apduhan, and E. Tarantino, Eds. Cham: Springer International Publishing, 2019, pp. 613-626.
W. P. Review. (2024) Literacy rate by country 2024. [Online]. Available: https://worldpopulationreview.com/country-rankings/ literacy-rate-by-country
S. Castle, F. Pervaiz, G. Weld, F. Roesner, and R. Anderson, “Let’s talk money: Evaluating the security challenges of mobile money in the developing world,” in Proceedings of the 7th Annual Symposium on Computing for Development, ser. ACM DEV’16. New York, NY, USA: Association for Computing Machinery, 2016. [Online]. Available: https://doi.org/10.1145/3001913.3001919
K. Pousttchi and M. Schurig, “Assessment of today’s mobile banking applications from the view of customer requirements,” in 37th Annual Hawaii International Conference on System Sciences, 2004. Proceedings of the. IEEE, 2004, pp. 10-pp.
M. Tufano, F. Palomba, G. Bavota, R. Oliveto, M. Di Penta, A. De Lucia, and D. Poshyvanyk, “When and why your code starts to smell bad (and whether the smells go away),” IEEE Transactions on Software Engineering, vol. 43, no. 11, pp. 1063-1088, 2017.
A. A. Elkhail and T. Cerny, “On relating code smells to security vulnerabilities,” in 2019 IEEE 5th intl conference on big data security on cloud (BigDataSecurity), IEEE Intl Conference on High Performance and Smart Computing,(HPSC) and IEEE intl conference on intelligent data and security (IDS). IEEE, 2019, pp. 7-12.
M. Ghafari, P. Gadient, and O. Nierstrasz, “Security smells in android,” in 2017 IEEE 17th international working conference on source code analysis and manipulation (SCAM). IEEE, 2017, pp. 121-130.
BCEAO. (2022, june) Paysage bancaire. [Online]. Available: https://www.bceao.int/fr/content/paysage-bancaire
GlobalStats. (2022) Mobile operating system market share in africa. [Online]. Available: https://gs.statcounter.com/os-market-share/mobile/africa/2022
K. Allix, T. F. Bissyandé, J. Klein, and Y. Le Traon, “Androzoo: Collecting millions of android apps for the research community,” in Proceedings of the 13th International Conference on Mining Software Repositories, ser. MSR’16. New York, NY, USA: ACM, 2016, pp. 468-471. [Online]. Available: http://doi.acm.org/10.1145/2901739.2903508
M. Yuen. (2023) Here are the top 50 biggest european banks in 2023. [Online]. Available: https://www.emarketer.com/insights/largest-banks-europe-list/
G. Villaluz and Z. Gull. (2023) 50 largest us banks by total assets, q3 2023. [Online]. Available: https://www.spglobal.com/marketintelligence/en/news-insights/latest-news-headlines/ 50-largest-us-banks-by-total-assets-q3-2023-79625289
B. Finance. (2023) Banking 500 2023 ranking. [Online]. Available: https://brandirectory.com/rankings/banking/2023/table
A. Bartel, J. Klein, Y. Le Traon, and M. Monperrus, “Dexpler: converting android dalvik bytecode to jimple for static analysis with soot,” in Proceedings of the ACM SIGPLAN International Workshop on State of the Art in Java Program Analysis, ser. SOAP’12. New York, NY, USA: Association for Computing Machinery, 2012, p. 27-38. [Online]. Available: https://doi.org/10.1145/2259051.2259056
P. Lam, E. Bodden, O. Lhoták, and L. Hendren, “The soot framework for java program analysis: a retrospective,” in Cetus Users and Compiler Infastructure Workshop (CETUS 2011), vol. 15, no. 35, 2011.
S. Arzt, “Security code smells in apps: Are we getting better?” in Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ser. ESEC/FSE 2022. New York, NY, USA: Association for Computing Machinery, 2022, p. 245-255. [Online]. Available: https://doi.org/10.1145/3540250.3549091
R. Vallee-Rai and L. J. Hendren, “Jimple: Simplifying java bytecode for analyses and transformations,” 1998.
S. Arzt, S. Rasthofer, C. Fritz, E. Bodden, A. Bartel, J. Klein, Y. Le Traon, D. Octeau, and P. McDaniel, “Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps,” in ACM SIGPLAN Notices, vol. 49, no. 6. ACM, 2014, pp. 259-269.
J. Samhi, T. F. Bissyandé, and J. Klein, “Androlibzoo: A reliable dataset of libraries based on software dependency analysis,” in Proceedings of the 21st International Conference on Mining Software Repositories, ser. MSR’24. New York, NY, USA: Association for Computing Machinery, 2024, p. 32-36. [Online]. Available: https://doi.org/10.1145/3643991.3644866
O. M. A. Security. Mobile app cryptography. [Online]. Available: https://mas.owasp.org/MASTG/General/0x04g-Testing-Cryptography/#mobile-app-cryptography
GUARDRAILS. Insecure algorithm. [Online]. Available: https://docs.guardrails.io/docs/vulnerability-classes/insecure-use-of-crypto/ insecure-algorithm
T. Mappings, “Cwe-321: Use of hard-coded cryptographic key,” CWE Version 1.11, vol. 629, p. 420, 2010.
CodeQL. Android webview settings allows access to content links. [Online]. Available: https://codeql.github.com/codeql-query-help/java/java-android-websettings-allow-content-access/#
D. Svoboda. (2014, October) Drd04-j. do not log sensitive information. [Online]. Available: https://wiki.sei.cmu.edu/confluence/display/android/DRD04-J.+Do+not+log+sensitive+information
D. Bassolé, G. Koala, Y. Traoré, and O. Sié, “Vulnerability analysis in mobile banking and payment applications on android in african countries,” in Innovations and Interdisciplinary Solutions for Underserved Areas, J. P. R. Thorn, A. Gueye, and A. P. Hejnowicz, Eds. Cham: Springer International Publishing, 2020, pp. 164-175.
J. Bowers, I. N. Sherman, K. R. B. Butler, and P. Traynor, “Characterizing security and privacy practices in emerging digital credit applications,” ser. WiSec’19. New York, NY, USA: Association for Computing Machinery, 2019, p. 94-107. [Online]. Available: https://doi.org/10.1145/3317549.3319723
E.-r. Latifa, E. K. M. Ahemed, and E. G. Mohamed, “Side-effects of permissions requested by mobile banking on android platform: A case study of morocco,” in Proceedings of the 1st International Conference on E-Commerce, E-Business and E-Government, ser. ICEEG’17. New York, NY, USA: Association for Computing Machinery, 2017, p. 76-81. [Online]. Available: https://doi.org/10.1145/3108421.3108433
S. Bojjagani and V. Sastry, “Vaptai: a threat model for vulnerability assessment and penetration testing of android and ios mobile banking apps,” in 2017 IEEE 3rd International Conference on Collaboration and Internet Computing (CIC). IEEE, 2017, pp. 77-86.
S. Bojjagani and V. N. Sastry, “Stamba: Security testing for android mobile banking apps,” in Advances in Signal Processing and Intelligent Recognition Systems, S. M. Thampi, S. Bandyopadhyay, S. Krishnan, K.-C. Li, S. Mosin, and M. Ma, Eds. Cham: Springer International Publishing, 2016, pp. 671-683.
S. Kaka, V. N. Sastry, and R. R. Maiti, “On the mitm vulnerability in mobile banking applications for android devices,” in 2016 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS), 2016, pp. 1-6.
B. Reaves, N. Scaife, A. Bates, P. Traynor, and K. R. Butler, “Mo (bile) money, mo (bile) problems: Analysis of branchless banking applications in the developing world,” in 24th USENIX Security Symposium (USENIX Security 15), 2015, pp. 17-32.