Doctoral thesis (Dissertations and theses)
Security of Android Applications in Developing Regions
DIALLO, Alioune
2026
 

Files


Full Text
AliouneManuscript-FinalVersion.pdf
Publisher postprint (7.92 MB)
Details



Keywords :
Android apps; low-cost devices; vulnerability; malware; Africa; developing country; static analysis; data leak
Abstract :
Mobile apps are increasingly targeted by attackers, with a huge volume of mobile malware developed to exploit breaches worldwide. Governments and institutions are taking initiatives to block these practices, protecting critical institutions and safeguarding users. In developing countries, key sectors such as education, finance, agriculture, and healthcare increasingly rely on mobile applications running on handheld and low-cost devices to deliver essential services, enabling a leapfrogging effect in these sectors. However, these regions often face unique challenges, including limited cybersecurity infrastructure, lower digital literacy rates, and a higher prevalence of mobile-targeted cyber threats. Mobile application security has become a pressing concern where the impact of security breaches is amplified by the widespread use of low-end devices, limited supervision of pre-installed software, and the vulnerabilities found in critical applications. In Africa, for instance, mobile banking adoption is rapidly expanding, particularly within the West African Economic and Monetary Union (WAEMU) states, where financial institutions offer apps that enable users to transfer money, pay bills, and check balances at any time and from anywhere. Yet this rapid proliferation of smartphones and applications raises critical security concerns. Poorly implemented security mechanisms during app development and deployment can expose users to significant privacy risks. In this manuscript, we first conduct a systematic literature review to assess the current state of research on mobile application security within developing country contexts. Our investigation reveals a limited number of publications addressing this topic, suggesting a narrow academic focus. The findings underscore the need for more specialized research and tailored methodologies that address the unique security challenges of mobile ecosystems in developing regions.
Addressing the research gaps identified in the literature review, we examine pre-installed applications on low-cost Android smartphones widely distributed across Africa, including itel, Tecno, and Infinix devices. We developed PiPLAnD, a tool that extracts APK files directly from physical devices and performs static analysis on them. We analyze nine (9) low-cost devices to detect sensitive data leaks, manifest misconfigurations, and suspicious behaviors. The findings highlight that pre-installed software on low-cost smartphones can pose significant and widespread security and privacy risks. Finally, we focus on financial applications from WAEMU financial institutions. Using static analysis, we evaluate 59 Android banking apps collected from 160 banks and financial institutions listed by the Central Bank of West African States. Our analysis reveals several security flaws introduced during development, some of which persist across multiple updates despite regular maintenance. To provide a broader perspective, we compare these findings with banking apps from Europe, the United States, and other developing countries, revealing that WAEMU apps generally exhibit fewer critical issues but still present persistent weaknesses. Furthermore, we observe that WAEMU apps developed as local branches of foreign banks often inherit vulnerabilities from their parent applications while introducing new, context-specific issues. In conclusion, this thesis provides a comprehensive view of mobile application security challenges in developing regions, with a particular focus on Africa. It highlights systemic issues arising from both pre-installed software ecosystems and financial applications, demonstrating the urgent need for stronger regulatory supervision, improved security practices during app development, and region-specific tools and methodologies to safeguard users’ data and privacy.
This work seeks to shed light on this invisible dimension of digital inequality and to contribute methods for assessing, measuring, and mitigating these risks. In doing so, it argues that true digital inclusion must go beyond access: it must ensure that the technologies enabling it are also trustworthy.
Research center :
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > TruX - Trustworthy Software Engineering
Disciplines :
Computer science
Author, co-author :
DIALLO, Alioune  ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
Language :
English
Title :
Security of Android Applications in Developing Regions
Defense date :
09 February 2026
Institution :
Unilu - University of Luxembourg [Faculty of Science, Technology and Medicine], Luxembourg
Degree :
Docteur en Informatique (DIP_DOC_0006_B)
Jury member :
BISSYANDE, Tegawendé  ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
KLEIN, Jacques  ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
Ouya, Samuel;  Université Numérique Cheikh Hamidou Kane, Sénégal
Mendy, Gervais;  Université Cheikh Anta Diop de Dakar, Sénégal
SAMHI, Jordan  ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
Name of the research project :
R-AGR-3790 - LuxWays - part UL - BISSYANDE Tegawendé
Available on ORBilu :
since 15 February 2026

Statistics


Number of views
95 (6 by Unilu)
Number of downloads
57 (6 by Unilu)
