Evaluating Mobile Banking Application Security Posture Using the OWASP’s MASVS Framework
Authors: 
Trevor Henry Chiboora, Lenah Chacha, Theoneste Byagutangaza, Assane GueyeAuthors Info & Claims
Trevor Henry Chiboora, Lenah Chacha, Theoneste Byagutangaza, Assane GueyeAuthors Info & ClaimsPages 99 - 106
Abstract
In the context of financial gain, hackers are motivated to exploit vulnerabilities that could result in financial or data loss. Therefore, it is crucial for financial applications to undergo thorough testing to identify and address such vulnerabilities. Regrettably, many financial institutions neglect proper testing procedures and sometimes even fail to establish a suitable security release baseline. This report presents an analysis of 18 mobile applications, each belonging to a different financial institution in Africa. The selection of these applications was carefully executed, considering institutions of varying sizes, to enable a comparative assessment of security practices across different organizational scales. The assessment was conducted by evaluating the sampled applications against the Mobile Application Security Verification Standard v2.0. This is a set of checklists and guidelines by the Open Web Application Security Project (OWASP) used as a baseline for mobile application security. Due to the extensive nature of the project, the testing scope was limited to the application itself, as experienced by the end user. This included examining the application’s interaction with the back-end server and observing its behavior on the user’s mobile device. It is important to note that this report does not provide a comprehensive analysis, as it excludes the assessment of the server-side API and testing of business logic that requires elevated privileges within the application. Furthermore, a survey was conducted to gain insights into why developers may neglect baseline security thereby introducing potential vulnerabilities in mobile applications. The findings of this survey are also included in a short summary at the end of this document.
References
[1]
[1] https://www.worldbank.org/en/topic/financialinclusion/overview
[2]
[2] Mobile Privacy: What Do Your Apps Know About You?", Symantec-enterprise-blogs.security.com https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mobile-privacy-apps
[3]
[3] Application sandbox Android Open Source Project. https://source.android.com/docs/security/app-sandbox
[4]
[4] OWASP MASVS (Mobile Application Security Verification Standard) https://mas.owasp.org/MASVS/
[5]
[5] Android API Levels https://apilevels.com/
[6]
[6] Android ABIs https://developer.android.com/ndk/guides/abis
[7]
[7] android:debuggable https://developer.android.com/topic/security/risks/android-debuggable
[8]
[8] Binary Protection Mechanisms https://mas.owasp.org/MASTG/General/0x04h-Testing-Code-Quality/#dynamic-analysis-security-testing-considerations_1
[9]
[9] Financial Inclusion https://www.worldbank.org/en/topic/financialinclusion/overview#2
[10]
[10] Fintech in Africa: The end of the beginning August 2022 McKinsey & Company
Index Terms
- Evaluating Mobile Banking Application Security Posture Using the OWASP’s MASVS Framework
Recommendations
OWASP inspired mobile security
BIBM '15: Proceedings of the 2015 IEEE International Conference on Bioinformatics and Biomedicine (BIBM)As mobile users continue to trust their devices with sensitive data, it is important to assess the applications that are responsible for securing it. Healthcare related applications are particularly unique because of their involvement with the storage ...
Role of mobile banking in financial inclusion: evidence from agri traders of India
Financial inclusion is the driving force for growth in emerging markets of the world. It boosts the process of development and poverty alleviation for any economy. Most of the banks utilise an expensive brick and mortar model; therefore, mobile banking ...
Security framework for mobile banking
MoMM '10: Proceedings of the 8th International Conference on Advances in Mobile Computing and MultimediaThe banking sector is always looking for new services delivery platforms to improve customer confidence and satisfaction. To achieve this, the banking service delivery platform must provide end-to-end security to safeguard the information exchange ...
Comments
Information & Contributors
Information
Published In
August 2023
170 pages
Copyright © 2023 Owner/Author.
This work is licensed under a Creative Commons Attribution International 4.0 License.
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 16 August 2023
Check for updates
Author Tags
Qualifiers
- Research-article
- Research
- Refereed limited
Conference
COMPASS '23: ACM SIGCAS/SIGCHI Conference on Computing and Sustainable Societies
August 16 - 19, 2023
Cape Town, South Africa
Acceptance Rates
Overall Acceptance Rate 25 of 50 submissions, 50%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 555Total Downloads
- Downloads (Last 12 months)555
- Downloads (Last 6 weeks)115
Reflects downloads up to 30 Aug 2024
Other Metrics
Citations
Cited By
View allView Options
View options
View or Download as a PDF file.
PDFeReader
View online with eReader.
eReaderHTML Format
View this article in HTML Format.
HTML FormatGet Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in