How secure is your digital wallet? A security assessment of major e-wallet applications in Mauritania.

Mauritania has recently experienced incredible growth in digital payment solutions (ewallets). At TIDUM, we consider evaluating these applications from a security perspective as a public service for the consumers and developers behind these applications. Our main motivation is to increase consumer confidence in these solutions and to help developers improve the quality of their solutions. From a selfish point of view, these kinds of assessments are an intellectual exercise that we enjoy as security researchers.

In this blog post, we present a high-level summary of the security assessment we conducted. We will not disclose any vulnerabilities that may exist in these applications to prevent a bad actor from exploiting them.

The study covers the four oldest e-wallets available on the market. These applications offer similar (or even identical) business functionalities but differ in the technologies used and the maturity of the developers behind them. The technologies used for the development of these applications are mainly:


We are basing our assessment on the reference security standards and best practices published by world renown organizations such OWASP, SENSE, PCI SSC and ETA. All of this organization concord that good mobile applications security should cover the three following area:

  1. Software Security
  2. Security policies
  3. Infrastructure security and monitoring

Software Security

Prevention is better than cure.

The main objective here is to have prevention mechanisms implemented at the software level. This will help the application reduce its attack surface. The main techniques used to achieve this are:

Security policies

Humans are the weakest link in cybersecurity.

In addition to building security measures into the application code, security policies are needed to reduce the risk that can be created by having publicly accessible applications. The e-wallet application is used by a wide variety of people (not necessarily people aware of security risks) and the needs for usability and simplicity can sometimes take precedence over security requirements. For these types of applications, it is important to implement security policies and review them continuously. The most important policies are:

Infrastructure Security and Monitoring

Cybersecurity is like an Onion, there’s layers …

In the age of web applications, it is recommended that any security implementation follow a layered approach. One of these layers should cover the following tools and measures:


For the purposes of this assessment, we have studied, in the light of the above methodology, the vulnerability of four e-wallets to the most common attacks. The assessment was conducted on versions of these applications that were publicly available before the end of October 2022. This produced the following compliance table. In this table, we use a 0-5 ⭐ rating scale to rate each of the security policies and measures:

Application Security
Data encryption ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐
Extra Data Encryption . ⭐ ⭐ ⭐ ⭐ . .
Certificate validation ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐
Multi-factor authentication . . ⭐ ⭐ ⭐ ⭐ .
Reverse engineering protection . ⭐ ⭐ ⭐ . .
Anti-Tampering . . ⭐ ⭐ .
Device Fingerprint ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ . .
Insecure design ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐
Security policies
PIN/Password Policy
Complexity ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐
Attempts ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐
Lockout ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐
OTP Policy
Expiration . ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐
Complexity ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐
Attempts . ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐
Password Reset Policy
OTP ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ . ⭐ ⭐ ⭐ ⭐ ⭐
Security question . ⭐ ⭐ ⭐ . ⭐ ⭐
Infrastructure Security and Monitoring
WAF ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ . .
Monitoring . . . .
Infra hardening ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐ ⭐
Based on this assessment, we have found that all applications are vulnerable to a denial of service attack. Providers must ensure that they are able to detect and respond to these attacks quickly to prevent the disruption of their customers’ financial activity. This is essential because conducting these attacks requires few resources and the resulting disruptions could lead to loss of money. Another major finding, in the case of at least two apps, is that OTP authentication can be bypassed and PIN passwords can be guessed using brute force. We recommend here that prevention and monitoring solutions be put in place to mitigate the risk associated with these findings. The following table lists the summary of the major findings by applications.

Deny Of Service
OTP Bypass
PIN brute Force
Unauthorized PIN reset
Hardcoded sensistive data


Security is a continuous process. The assessment we conducted here is a black box assessment. It aimed to test the basic security of the e-wallet application. We are glad that we did not find any critical vulnerabilities, but this cannot guarantee the absence of such vulnerabilities. With the emergence of APT groups and their growing interest in developing countries, the presence of any vulnerability, no matter how critical, can lead to the complete compromise of a system.

We recommend that product owners of these e-wallets not only conduct a comprehensive assessment of their application, but also of their internal corporate networks. A compromise of these networks can be the first step in an attack leading to the compromise of the e-wallet application. There is also a need to implement a continuous security monitoring solution. This will give them visibility and help them detect attacks in advance and respond to security incidents in a timely manner.

Get In Touch with us!