
There is tremendous potential for the growth of financial technology (called “fintech”) in Africa—a continent where almost all transactions are still cash-based. Services like mobile banking and online lending can help to improve individuals’ lives and better connect the consumer economies of Sub-Saharan countries with the rest of the world.

Because of this large area of opportunity, Africa has seen a huge rise in fintech startups. In 2022, McKinsey and Company reported that over the span of only one year, the number of tech startups in Africa had tripled to more than 5,000, and just under half of those companies were fintechs.

[Photo: two men standing in front of a building entrance]

Fiacre Giraneza and Emmanuel Hirwa

Carnegie Mellon University Africa’s Upanzi Network and mobile security company Approov have teamed up to help these fintech companies provide secure services to their customers through a new tool called Android Apps Web Toolkit, or APKIT. This web-based open-source tool scans Android mobile application software for vulnerabilities and security issues and gives these groups a detailed report with recommendations on how to fix any issues found. This is a valuable tool for small organizations, which often don’t have the capacity to hire their own IT security experts.

“Developers are pushing to have their products on the market,” says Emmanuel Hirwa, research associate at CMU-Africa’s Upanzi Network. “Startups can be preoccupied with the development, marketing, and release of their applications and may not stop to consider potential security risks for their users.”

The APKIT developers (Emmanuel Hirwa, Joel Musiime, and Fiacre Giraneza) were inspired by earlier research from the Upanzi Network and Approov, in which researchers assessed security vulnerabilities in African Android applications. The study identified widespread exposure of secret keys created by fintech app developers. Hirwa explains, “We asked ourselves, why can’t we develop a tool that helps developers to assess security during the development of the application and also provide recommendations of how to improve it?”


Currently, APKIT performs static scanning. It scans an Android app’s certificates, app permissions, and secret keys. Secret key vulnerabilities in particular are one of the more common security risks among African Android apps, according to Musiime. APKIT also uses a large language model, which provides users with a “detailed recommendation that shows developers where to address the presented security breaches within the specific Android Package Kit file format that is being scanned,” explains Hirwa.
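To make the static-scanning idea concrete, here is a small illustrative scanner written for this article; it is not APKIT's code and does not reflect how APKIT is implemented. It assumes the app has already been decoded with a tool such as apktool, so that AndroidManifest.xml is plain text rather than the binary XML found inside a shipped APK, and it treats the decoded bundle as a zip archive. It lists requested permissions that fall in an assumed "sensitive" set and flags strings shaped like hard-coded credentials (two well-known provider key formats plus a generic `key=value` assignment, filtered by entropy so placeholder passwords are not reported). The sample bundle at the bottom is constructed for the example; the key-like values in it are fake.

```python
"""Minimal static scanner for a decoded Android app bundle: lists requested
permissions from the manifest and flags strings that look like hard-coded
secrets. Hypothetical example code, not APKIT's implementation."""
import io
import math
import re
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions worth a second look in a finance app (an assumed, illustrative subset).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Key-shaped patterns: two well-known provider formats plus a generic assignment.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*[\"']?([A-Za-z0-9_\-/+]{16,})"
    ),
}

TEXT_SUFFIXES = (".xml", ".properties", ".json", ".txt", ".js")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking credentials score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def scan_permissions(manifest_xml: str) -> list:
    """Return the requested permissions that are in the sensitive set, sorted."""
    root = ET.fromstring(manifest_xml)
    requested = [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]
    return sorted(p for p in requested if p in SENSITIVE_PERMISSIONS)


def find_secrets(filename: str, text: str, min_entropy: float = 3.0) -> list:
    """Return candidate secrets in one text file.

    Provider-specific patterns run first; a value they already reported is not
    reported again by the generic pattern, and generic matches below the entropy
    threshold (e.g. password=changemechangeme) are treated as placeholders.
    """
    findings, seen = [], set()
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(2) if kind == "generic_assignment" else m.group(0)
            if value in seen:
                continue
            if kind == "generic_assignment" and shannon_entropy(value) < min_entropy:
                continue
            seen.add(value)
            line = text.count("\n", 0, m.start()) + 1
            findings.append({"file": filename, "line": line, "kind": kind, "value": value})
    return findings


def scan_apk(bundle_bytes: bytes) -> dict:
    """Scan a decoded bundle packed as a zip (plain-text manifest assumed)."""
    report = {"sensitive_permissions": [], "secrets": []}
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(TEXT_SUFFIXES):
                continue  # skip dex/so/images; only text resources are pattern-scanned
            text = zf.read(info.filename).decode("utf-8", errors="replace")
            if info.filename == "AndroidManifest.xml":
                report["sensitive_permissions"] = scan_permissions(text)
            report["secrets"].extend(find_secrets(info.filename, text))
    return report


def build_sample_bundle() -> bytes:
    """Constructed test input: a tiny decoded bundle with two fake leaked keys."""
    manifest = (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.pay">'
        '<uses-permission android:name="android.permission.INTERNET"/>'
        '<uses-permission android:name="android.permission.READ_SMS"/>'
        "</manifest>"
    )
    config = (
        "base_url=https://api.example.test\n"
        "api_key=AKIAEXAMPLEKEY0000ID\n"      # fake, AWS-shaped value
        "password=changemechangeme\n"        # low-entropy placeholder, not reported
    )
    strings = (
        '<resources><string name="app_name">PayDemo</string>'
        '<string name="maps_key">AIzaSyEXAMPLE_EXAMPLE_EXAMPLE_EXAMPLE01</string></resources>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("assets/config.properties", config)
        zf.writestr("res/values/strings.xml", strings)
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_apk(build_sample_bundle())
    print("sensitive permissions:", result["sensitive_permissions"])
    for finding in result["secrets"]:
        print(finding)
```

On the constructed bundle the scanner reports READ_SMS as the one sensitive permission and two secrets: the AWS-shaped key in assets/config.properties (line 2) and the Google-shaped key in res/values/strings.xml. The generic pattern also matches the `api_key=` line, but the value is suppressed as a duplicate of the provider-specific finding. A real scan would add certificate inspection (signing scheme, key size, expiry) and would need an AXML decoder for the manifest inside an undecoded APK.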

This project started as part of the Upanzi Network externship program, in which student researchers are paired with expert external mentors. Approov’s experts in mobile cybersecurity helped guide the project to address real-world cybersecurity needs in a user-friendly manner.

[Screenshot: APKIT home page]


“This research between the Upanzi Network and Approov has been a strong example of how collaboration can enhance our work and grow our impact,” says Assane Gueye, co-director of the Upanzi Network and CyLab-Africa.

Moving forward, the APKIT team plans to expand their software to also accommodate iOS apps. The end goal is for APKIT to be a single piece of software that can accommodate multiple platforms and scan for a wide range of potential security threats. By deploying APKIT, the research team will also be able to better understand the landscape of app security by gathering data about the most common issues.