Evaluating Mobile Banking Application Security Posture Using the OWASP's MASVS Framework

Trevor Henry Chiboora, Lenah Chacha, Theoneste Byagutangaza, Assane Gueye

Proceedings of the ACM SIGCAS/SIGCHI Conference on Computing and Sustainable Societies 2023 (COMPASS 2023)

Abstract
Because financial applications offer a direct path to financial gain, attackers are motivated to exploit vulnerabilities in them that can lead to financial or data loss. It is therefore crucial that such applications undergo thorough testing to identify and address these vulnerabilities. Regrettably, many financial institutions neglect proper testing procedures and sometimes fail even to establish a suitable security release baseline. This report presents an analysis of 18 mobile applications, each belonging to a different financial institution in Africa. The applications were selected deliberately from institutions of varying sizes so that security practices could be compared across organizational scales. Each sampled application was evaluated against the OWASP Mobile Application Security Verification Standard (MASVS) v2.0, a set of checklists and guidelines published by the Open Web Application Security Project (OWASP) and used as a baseline for mobile application security. Given the size of the project, the testing scope was limited to the application as experienced by the end user: its interaction with the back-end server and its behavior on the user's mobile device. This report is therefore not a comprehensive assessment; it excludes testing of the server-side API and of business logic that requires elevated privileges within the application. In addition, a survey was conducted to gain insight into why developers neglect baseline security and thereby introduce potential vulnerabilities into mobile applications. The findings of this survey are summarized briefly at the end of the document.
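The client-side scope the abstract describes (the app's behavior on the device, with the server-side API out of scope) is where a MASVS v2.0 review typically starts, and several baseline checks can be made statically from the merged AndroidManifest.xml before any dynamic testing. The following Python script is an added example and not code from the paper or from OWASP; it audits a manifest for a handful of common baseline weaknesses (debuggable build, backup left enabled, cleartext traffic permitted, components exported without a permission) and reports each against a MASVS v2.0 control group. The two manifests embedded in the script are constructed for the example, and the mapping of each finding to a control group is this example's own reading of the standard, not a mapping the paper defines.

```python
"""Static baseline checks over a merged AndroidManifest.xml.

Added example (not code from the paper).  The MASVS control-group
labels are the example author's own reading of MASVS v2.0 and are
indicative only; the two manifests below are constructed test input.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _is_launcher(component):
    """True if the component carries a LAUNCHER intent filter (legitimately exported)."""
    for f in component.findall("intent-filter"):
        if any(_a(c, "name") == "android.intent.category.LAUNCHER"
               for c in f.findall("category")):
            return True
    return False


def audit_manifest(xml_text):
    """Return a sorted list of (masvs_group, finding) tuples for the manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return [("MASVS-PLATFORM", "manifest has no <application> element")]

    uses_sdk = root.find("uses-sdk")
    target = int(_a(uses_sdk, "targetSdkVersion") or 0) if uses_sdk is not None else 0
    findings = []

    # A debuggable release build lets anyone attach a debugger or dump the heap.
    if _a(app, "debuggable") == "true":
        findings.append(("MASVS-RESILIENCE", 'android:debuggable="true" in a shipped build'))

    # allowBackup defaults to true; before targetSdk 31 that allows adb backup of app data.
    if _a(app, "allowBackup") != "false" and target < 31:
        findings.append(("MASVS-STORAGE", "android:allowBackup not set to false; app data is extractable via adb backup"))

    # Cleartext HTTP is allowed explicitly, or implicitly when targetSdk < 28 and the attribute is absent.
    cleartext = _a(app, "usesCleartextTraffic")
    if cleartext == "true" or (cleartext is None and target < 28):
        findings.append(("MASVS-NETWORK", "cleartext HTTP traffic is permitted"))

    # Exported components reachable by any other app without a permission.
    # Before targetSdk 31 a component with an intent filter is exported by default.
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            exported = _a(comp, "exported")
            implicit = exported is None and comp.find("intent-filter") is not None and target < 31
            if (exported == "true" or implicit) and _a(comp, "permission") is None \
                    and not _is_launcher(comp):
                findings.append(("MASVS-PLATFORM",
                                 f"{tag} {_a(comp, 'name')} is exported without a permission"))
    return sorted(findings)


# Constructed manifests for the example: one weak, one hardened.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="27"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity">
      <intent-filter>
        <action android:name="com.example.bank.TRANSFER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <uses-sdk android:minSdkVersion="26" android:targetSdkVersion="33"/>
  <application android:allowBackup="false" android:usesCleartextTraffic="false">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="false"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(f"== {label} ==")
        for group, finding in audit_manifest(manifest) or [("-", "no findings")]:
            print(f"  [{group}] {finding}")
```

On a real target the input would be the manifest decoded from the APK (for example with apktool or aapt2); the script deliberately stops at what the manifest alone can show, which mirrors the paper's choice to keep the server-side API out of scope. A clean result here is a precondition, not a pass: network security configuration, certificate pinning and storage behavior still need the dynamic testing the abstract describes.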
Keywords
VAPT, Financial Inclusion, Android Applications, OWASP MASVS v2.0