Forensic Analysis of Mobile Banking Apps

Abstract

Over the years, the proliferation of mobile banking applications has been on the increase. Financial institutions are taking advantage of mobile technology to provide accessible, ubiquitous, user-friendly, convenient, and cost-effective services to their customers. The mobile banking applications access and process sensitive user data. As such, they are required to manage such data in a high secure manner and run in secure environment. This study conducts a forensic investigation of twelve popular Android m-banking apps in Nigeria to determine if the generated backups by the mobile OS do not save sensitive data; the application removes sensitive data from view when back grounded; sensitive data are not held longer than necessary in the memory, with the memory cleared after use; minimum device access security policies are enforced by the app, and users are educated by the app about the type of PII processed and security best practices in using the app. Our findings revealed that while none of the apps saved sensitive data in generated backup, all except one held data of sensitive value in the memory of the test device and did not enforce any device access security policy. Also, none of the apps removed sensitive data when backgrounded. In addition to serving as a source of information for forensic investigators, we believe our study could assist mobile banking app developers in identifying aspects of the development process that need attention, which would lead to better secured apps.