
New Mobile App Scanning Tool Created by Approov and CMU Africa


Approov and Carnegie Mellon University Africa’s Upanzi Network have teamed up again to help fintech companies provide more secure services to their customers by creating a new web-based open source tool which scans Android mobile application software for vulnerabilities and security issues and presents a detailed report with recommendations on how to fix any issues found. The new tool, APKIT, is available here.

Long and Fruitful Collaboration 

Approov started working with Carnegie Mellon University Africa in the spring of 2023 and since then has continued the relationship, providing mentorship and support to the CMU Africa team.

There is tremendous potential for the growth of mobile apps for essential services in Africa, in particular fintech — Africa is a continent where almost all transactions are still cash-based. Services like mobile banking and online lending can help to improve individuals’ lives and better connect the consumer economies of Sub-Saharan countries with the rest of the world. 

It is therefore no surprise that Africa has seen a huge rise in fintech startups. In 2022, McKinsey and Company reported that over the span of only one year, the number of tech startups in Africa had tripled to more than 5,000 and just under half of those companies were fintechs. 

Approov and CMU Africa have been focussing on this issue jointly since 2023.

Previous Collaboration Highlights Security Issues with Finance Apps

The availability of the APKIT scanning tool is a direct consequence of previous research carried out by the team in 2023 which uncovered security issues with widely deployed financial services apps in Africa.  

Unfortunately, this research revealed a broad range of security issues which undermine the security of mobile app deployment. Secrets and keys were easily found in mobile app code: encryption keys for securing sensitive data, authentication keys for accessing services, and signing keys for verifying data authenticity. Additionally, database credentials, OAuth client secrets, push notification keys, code push keys, payment gateway secrets, encryption initialization vectors, license keys, and sensitive configuration settings were found. 

Although this particular research was focused on Africa, the intent was that the report should provide valuable guidance for policymakers, developers, and security professionals worldwide, and aid in the formulation of targeted strategies to enhance the security posture of financial applications on a global scale.

As a next step, the joint CMU Africa and Approov team decided to do something concrete to help the community improve security: they developed an AI-assisted vulnerability scanning tool which app developers can use free of charge.

New Scanning Tool to Help App Developers Isolate Issues Quickly

The APKIT developers (Emmanuel Hirwa, Joel Musiime, and Fiacre Giraneza) were inspired by earlier research from the Upanzi Network and Approov, in which researchers assessed security vulnerabilities in African Android applications. The study identified widespread exposure of secret keys created by fintech app developers. Hirwa explains, “We asked ourselves, why can’t we develop a tool that helps developers to assess security during the development of the application and also provide recommendations of how to improve it?” 

APKIT performs static scanning. It scans an Android app’s certificates, app permissions, and secret keys. Secret key vulnerabilities in particular are one of the more common security risks among African Android apps. APKIT also uses a large language model to produce a detailed recommendation that shows developers where, within the specific Android Package Kit (APK) file being scanned, each reported issue should be addressed.
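To illustrate the kind of check a static secret scan like the one described above performs, here is a small added example; it is not APKIT’s code. It treats an APK as what it is, a ZIP archive, walks its plain-text entries (bundled JSON, properties and PEM files) and flags strings matching a few illustrative secret patterns; the sample APK, the entry names and the key values are all constructed for the example, and compiled entries such as `classes.dex` would need a decoder, which this example leaves out.

```python
import io
import re
import zipfile

# Illustrative patterns for secret types the 2023 study found in app code (not exhaustive).
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "secret_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|password|client[_-]?secret)\b['\"]?\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9_\-/+=]{12,})"),
}
# Plain-text entries only; resources.arsc, classes.dex and binary XML need a decoder first.
TEXT_SUFFIXES = (".json", ".xml", ".properties", ".txt", ".js", ".html", ".pem")


def scan_apk(apk_bytes: bytes) -> list:
    """Return one finding (entry, secret type, line) per pattern match in text-like entries."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.lower().endswith(TEXT_SUFFIXES):
                continue
            text = apk.read(info.filename).decode("utf-8", errors="ignore")
            for kind, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(text):
                    findings.append({"entry": info.filename, "type": kind,
                                     "line": text.count("\n", 0, match.start()) + 1})
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a ZIP with example secrets in plain-text assets."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/config.json",
                   '{"api_base": "https://api.example.test",\n'
                   ' "api_key": "EXAMPLE_SECRET_abcdef0123456789"}\n')
        z.writestr("res/raw/gateway.properties",
                   "gateway.url=https://pay.example.test\nclient_secret=EXAMPLEgateway0000001\n")
        z.writestr("res/raw/signing.pem",
                   "-----BEGIN PRIVATE KEY-----\nEXAMPLEKEYMATERIAL\n-----END PRIVATE KEY-----\n")
        z.writestr("classes.dex", b"\x00binary dex, skipped\x00")  # not text, not scanned
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_apk(build_sample_apk()):
        print(f"{f['entry']}:{f['line']}: possible {f['type']}")
```

Running it against a real APK means pointing `scan_apk` at the file’s bytes; anything it reports is a candidate for moving out of the app binary and behind a server-side check.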

“Developers are pushing to have their products on the market,” says Emmanuel Hirwa, research associate at CMU-Africa’s Upanzi Network. “Startups can be preoccupied with the development, marketing, and release of their applications and may not stop to consider potential security risks for their users.” 

Ted Miracco, the CEO of Approov and a CMU alumnus, says, “This will prove to be a very valuable tool for small organizations, which often don’t have the capacity to hire their own IT security experts. This tool helps them highlight the issues they should fix first.”

Next Steps for Approov and CMU Africa Upanzi Network

This project started as part of the Upanzi Network externship program, in which student researchers are paired with expert external mentors. Approov’s experts in mobile cybersecurity helped guide the project to address real-world cybersecurity needs in a user-friendly manner. Future projects will continue in the same way.

“This research between the Upanzi Network and Approov has been a strong example of how collaboration can enhance our work and grow our impact,” says Assane Gueye, co-director of the Upanzi Network and CyLab-Africa. 

Moving forward, the APKIT team plans to expand their software to also accommodate iOS apps. The end goal is for APKIT to be a single piece of software that can accommodate multiple platforms and scan for a wide range of potential security threats. By deploying APKIT, the research team will also be able to better understand the landscape of app security by gathering data about the most common issues.

Try the tool yourself on your mobile apps, and contact Approov if you want to discuss your particular mobile app use-case with us.


*** This is a Security Bloggers Network syndicated blog from Approov Blog authored by George McGregor. Read the original post at: https://blog.approov.io/apkit-enhancing-mobile-app-security-with-ai-driven-scanning-tool