Mobile money is the backbone of consumer finance across much of Africa, and East Africa is its deepest market. The GSMA's State of the Industry Report on Mobile Money 2026 counts 2.3 billion registered accounts globally and more than $2 trillion in transaction value in 2025, with East Africa the largest regional market at $806 billion. Safaricom's FY25 results alone put M-PESA at 35.8 million one-month active customers and KSh 38.3 trillion in annual transaction value. This scale, combined with the speed of settlement and the diversity of access channels (USSD, apps, APIs), creates a rich target for attackers and difficult security trade-offs for operators.
This article covers how we approach security testing for mobile money platforms: the unique attack surface, the vulnerabilities we find, and what a thorough assessment covers.
Why mobile money is a high-value target
Mobile money platforms are attractive to attackers for several reasons:
- Transaction speed: Unlike bank transfers, mobile money transactions settle in seconds. Fraudulent transactions can be irreversible before anyone notices.
- Scale: Millions of daily users and transactions mean that even small per-transaction vulnerabilities can be exploited at massive scale.
- Agent network complexity: Mobile money relies on extensive agent networks with variable security controls, creating entry points that are hard to secure centrally.
- Multiple access channels: USSD, mobile app, web portal, merchant API, and agent interface all need separate security assessments.
- SIM swap vulnerability: SIM-based authentication is fundamental to mobile money, but SIM swap fraud is prevalent across African markets.
The mobile money architecture
A typical mobile money platform consists of several interconnected components, each with its own attack surface:
- USSD gateway: The core interaction channel for feature phone users. Sessions are short-lived and text-based, but transaction logic runs through this channel.
- Mobile application (Android/iOS): Higher capability interface with additional features and attack vectors.
- Core platform (transaction engine, wallet management): The backend system processing all transactions. Usually vendor-supplied (e.g., Huawei Mobile Money Platform, Comviva mobiquity).
- Management API: Used by agents, merchants, and internal systems. Often the highest-risk API endpoint.
- Third-party integrations: Bank partner APIs, merchant payment APIs, government service integrations.
- Telco infrastructure: SIM card management, subscriber databases, HLR (Home Location Register), under the telco's control but in scope for a full-platform assessment.
USSD-specific vulnerabilities
USSD is a critical and often overlooked attack surface. Our dedicated USSD testing methodology covers:
Session management flaws
USSD sessions are stateful but short-lived. Weak session ID generation, failure to invalidate sessions after timeout, and session fixation attacks can allow attackers to inject into an active transaction. A session ID format predictable enough to guess lets an attacker hijack a session mid-transaction.
Transaction flow manipulation
USSD menus implement complex multi-step transaction flows. Sending crafted USSD strings that skip expected menu states, or replay confirmed transactions, can bypass authorisation steps or double-process transactions.
Enumeration attacks
USSD balance-check and account-lookup features often leak whether a phone number is a registered customer, enabling mass enumeration of account holders for targeted fraud campaigns.
PIN brute-forcing
Many USSD platforms have weak rate limiting on PIN verification, allowing automated brute-force attacks against 4-digit PINs (only 10,000 combinations).
For a deep dive, see our dedicated article: USSD security testing: how we assess mobile USSD and mobile money platforms.
Mobile application security testing
The mobile app (Android and/or iOS) is tested using a combination of static analysis, dynamic analysis, and traffic interception:
Static analysis
We decompile and analyse the application source code and resources. We look for hardcoded credentials, API keys, sensitive strings in the APK/IPA, insecure cryptographic implementations, and debug features left enabled in production builds.
Dynamic analysis
Running the application on a controlled device (rooted Android, jailbroken iOS), we observe runtime behaviour: file system writes, memory contents, network traffic, and inter-process communication. We test for insecure data storage, including PIN codes, session tokens, or transaction data written to the device in cleartext. The same methodology applies to banking apps; see our article on mobile banking security assessments.
Traffic interception
All API traffic between the app and the backend is intercepted and analysed. We test the app's certificate pinning implementation and attempt to bypass it. We then replay and modify captured requests to test for authorisation bypass and business logic flaws.
API and backend testing
The most critical component of a mobile money security assessment is the backend API. This is where transaction logic lives, and vulnerabilities here are the most impactful. Our API security testing for banking and fintech article covers the methodology in depth; for mobile money platforms we test for:
- Broken object-level authorisation (BOLA/IDOR): Can one customer query or modify another customer's account by changing a parameter?
- Broken function-level authorisation: Can a regular user access admin or agent-level functions?
- Mass assignment: Can a request manipulate object properties (e.g., transaction amount) through parameters not intended to be user-controlled?
- Replay attacks: Can a completed transaction request be resent to duplicate a payment?
- Rate limiting: Are transaction endpoints protected against automated fraud scripts?
- Authentication weaknesses: Token expiry, refresh token security, OAuth implementation flaws.
What our mobile money assessment covers
A full mobile money security assessment from IMIZI Cyber includes:
- Scope definition and threat modelling: understanding your platform architecture and the attacker personas relevant to your environment
- USSD gateway testing (session management, flow manipulation, enumeration)
- Mobile application testing for Android (and iOS if applicable)
- Backend API penetration testing (OWASP API Security Top 10)
- Agent portal and merchant API testing
- Integration testing (bank partner APIs, payment processors)
- Authentication and authorisation deep-dive
- Detailed report with severity ratings, proof of concept, and remediation guidance
- Debrief call with your technical team
- Re-test of critical and high findings after remediation, included in the engagement
Regulatory requirement: BNR Regulation N°50/2022 requires BNR-supervised institutions, including licensed payment service providers and mobile money operators, to run a penetration test at least annually and vulnerability assessments at least twice a year, with results filed with the National Bank of Rwanda within 15 days. A mobile money security assessment from IMIZI Cyber supplies the technical evidence this regulation requires, in a report your compliance team can file.
For the full picture of what the regulation asks of supervised institutions, see our guide to BNR cybersecurity requirements.
Common findings in mobile money assessments
The critical and high findings that recur in mobile money assessments include:
- IDOR on account balance and transaction history endpoints: accessing other customers' data by changing a phone number or account ID parameter
- Lack of rate limiting on PIN verification, enabling brute-force attacks
- Sensitive data (session tokens, transaction logs) stored in cleartext on device
- Broken certificate pinning, allowing easy traffic interception with basic tools
- Missing transaction idempotency checks, enabling transaction replay
- USSD session fixation allowing mid-transaction hijacking
- Insecure direct object references in agent management APIs
How we can help
IMIZI Cyber is an offensive security firm based in Kigali, testing mobile money platforms for operators, banks, fintechs, and telecoms across Africa. Our testing is led by an OSCP-credentialled practitioner with engagement history inside financial institutions, including a pan-African banking group. Our team understands USSD gateway architecture, agent network security, and the business logic that attackers exploit in mobile money environments. We test it, and we write the report that maps every finding to a fix.
For details on our testing methodology and deliverables, see our penetration testing service page. If your platform has not been tested by people who understand these systems from the inside, contact us to scope an assessment.