UPDATED 14/8: A survey of branchless banking apps in the developing world by the University of Florida discovered vulnerabilities that could leave users open to fraud, as well as “unfair” terms of service.
The researchers first performed an automated analysis of all 46 known Android-based money apps across 246 mobile money providers but said such an approach failed to provide “reliable insights”.
Instead, the researchers opted for a manual teardown of the registration, login and transaction procedures on seven of the apps, balancing popularity with geographic representation in what they say is the first comprehensive analysis of such apps.
The seven apps examined were Airtel Money in India, Thailand’s mPay, Oxigen Wallet (also from India), the Philippines’ GCash, Brazil’s Zuum, MoneyOnMobile (the third Indian app) and mCoin, which is from Indonesia.
“We uncover pervasive and systemic vulnerabilities spanning botched certification validation, do-it-yourself cryptography, and myriad other forms of information leakage that allow an attacker to impersonate legitimate users, modify transactions in flight, and steal financial records,” said the researchers.
“These findings confirm that the majority of these apps fail to provide the protections needed by financial services,” the survey added.
Significant vulnerabilities were found in six of the seven apps. The exception was Zuum, an app built by a partnership between MasterCard and Telefonica for the Brazilian market, which did not have the major problems of its peers.
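Of the vulnerability classes the researchers name, botched certificate validation is the one most easily shown in code. The following is an added example written for this page in Java, the language of the Android apps discussed; it is not code from the paper or from any of the apps named here, and the class and method names are the editor's own. It places the trust-everything pattern beside the platform's default validation, and includes an offline probe a reviewer can run against any `X509TrustManager` to tell the two apart.

```java
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class CertValidationCheck {

    // The "botched validation" pattern: a TrustManager whose check methods never
    // throw, so any certificate chain (self-signed, expired, wrong host) is accepted
    // and a network-position attacker can read or alter the app's traffic.
    static X509TrustManager trustAllManager() {
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
    }

    // The platform's default TrustManager: validates the chain against the system
    // trust store and rejects malformed input.
    static X509TrustManager defaultManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = use the system default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Offline probe: a correct TrustManager must reject an empty chain. One that
    // accepts it without complaint is almost certainly a trust-everything stub.
    static boolean acceptsEmptyChain(X509TrustManager tm) {
        try {
            tm.checkServerTrusted(new X509Certificate[0], "RSA");
            return true;
        } catch (CertificateException | IllegalArgumentException e) {
            return false;
        }
    }

    // Hardened client setup: default trust managers plus endpoint identification,
    // so the certificate is also checked against the host the app meant to reach.
    static SSLSocket connectVerified(String host, int port) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, new SecureRandom()); // null trust managers = platform defaults
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // enables hostname verification
        socket.setSSLParameters(params);
        socket.startHandshake(); // throws SSLHandshakeException on an untrusted chain
        return socket;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("trust-all manager accepts empty chain: "
            + acceptsEmptyChain(trustAllManager()));
        System.out.println("default manager accepts empty chain:   "
            + acceptsEmptyChain(defaultManager()));
    }
}
```

The probe needs no network: the stub manager swallows the empty chain, while the default manager rejects it, which is the behaviour to look for when reviewing an app's networking code. Note that a valid trust store alone is not enough; without endpoint identification a certificate issued to any host would still be accepted, which is why `connectVerified` sets the algorithm explicitly.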
However, at least one of those surveyed disagrees with the conclusions of the survey. Bharti Airtel told Mobile World Live that the research was carried out on the myairtel app, its recharge app, and not the airtel money app, which is the official mobile money app. This meant that the app tested (the myairtel one) did not have features like money transfers to bank accounts.
Crucially, the operator adds, the impression is given that serious vulnerabilities exist on the app today. However, the research was carried out in October 2014.
Since then the operator has introduced several updates and new features on the airtel money app designed to enhance customer experience and provide a safe and reliable platform. Airtel says its app meets the best industry standards and security practices. Furthermore, it periodically carries out internal and external IT security audits (including CISA).
The researchers also have a point to make about the apps’ terms of service which, they say, place liability for any security breaches unfairly on the subscribers. For example, US consumers are not held liable for fraudulent transactions beyond a small amount. However, six of the seven apps hold users solely responsible for most forms of fraudulent activity.
“The presumption of customer fault for transactions is at odds with the findings of this work. The basis for these arguments appears to be that, if a customer protects their PIN and protects their physical device, there is no way for a third party to initiate a fraudulent transaction. We have demonstrated that this is not the case,” it said.
Putting liability onto the user risks undermining trust in branchless banking, which has an important part to play around the world in financial inclusion, the survey concludes.