The rapid digitalization of the Sudanese financial sector has precipitated a surge in Mobile Banking Applications (MBAs); however, this growth has frequently outpaced rigorous security auditing. This study provides a comprehensive technical audit of the four most widely used Sudanese MBAs (Bankak, Fawry, Okash, and Sahil), which collectively serve a user base of over 1.6 million. Using Static Application Security Testing (SAST) via the Mobile Security Framework (MobSF) and Quixxi, the applications were evaluated against the OWASP Mobile Application Security Verification Standard (MASVS). Findings were mapped to Common Weakness Enumeration (CWE) identifiers to identify systemic vulnerabilities. Analysis revealed critical disparities in security posture. Bankak, the market leader, exhibited the highest risk profile (12 vulnerabilities), including a critical absence of SSL certificate pinning and unsafe TrustManager implementations, rendering it highly susceptible to Man-in-the-Middle (MitM) attacks. While Fawry demonstrated relative maturity (7 vulnerabilities), a universal failure was observed across all four applications regarding secure random number generation (CWE-330), potentially compromising session token integrity. Additionally, Bankak and Okash were found to use deprecated cryptographic algorithms (MD5/SHA-1). Notably, all applications successfully disabled ADB backups, yet 100% retained verbose debugging symbols in production APKs, significantly lowering the barrier to reverse engineering. This research addresses a critical gap in the national fintech ecosystem by providing actionable technical recommendations for developers and a strategic roadmap for implementing "security-by-design" principles across the sector.
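As an added illustration of the SAST-to-CWE mapping the abstract describes (this is example code, not the paper's tooling and not code from any of the audited apps), the following Python scanner flags three of the reported weakness patterns in a constructed Java fragment. The CWE-330 identifier is from the abstract; mapping MD5/SHA-1 use to CWE-327 and an empty TrustManager check to CWE-295 is this example's own choice.

```python
import re

# Constructed sample of decompiled Android/Java source that exhibits the
# patterns the abstract reports: weak PRNG for session tokens, deprecated
# hash algorithm, and a TrustManager that accepts any server certificate.
SAMPLE_SOURCE = """\
public class SessionHelper {
    private static final java.util.Random RNG = new java.util.Random();
    static String token() { return Long.toHexString(RNG.nextLong()); }
    static byte[] digest(byte[] d) throws Exception {
        return java.security.MessageDigest.getInstance("MD5").digest(d);
    }
}
class TrustAll implements javax.net.ssl.X509TrustManager {
    public void checkServerTrusted(java.security.cert.X509Certificate[] c, String a) { }
    public void checkClientTrusted(java.security.cert.X509Certificate[] c, String a) { }
    public java.security.cert.X509Certificate[] getAcceptedIssuers() { return null; }
}
"""

# (CWE id, description, regex) -- heuristic rules in the spirit of a SAST
# scanner; CWE-327 and CWE-295 are this example's mapping, not the paper's.
RULES = [
    ("CWE-330", "non-cryptographic PRNG (java.util.Random)",
     r"\bjava\.util\.Random\b|\bnew\s+Random\s*\("),
    ("CWE-327", "deprecated hash algorithm (MD5/SHA-1)",
     r'MessageDigest\.getInstance\(\s*"(MD5|SHA-?1)"'),
    ("CWE-295", "checkServerTrusted with empty body (accepts any cert)",
     r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}"),
]


def scan(source):
    """Return [(cwe, line_no, description)] sorted by line, one per CWE/line."""
    seen = {}
    for cwe, desc, pattern in RULES:
        for m in re.finditer(pattern, source):
            line = source.count("\n", 0, m.start()) + 1   # 1-based line number
            seen.setdefault((cwe, line), desc)            # dedupe repeats on a line
    return sorted((cwe, line, desc) for (cwe, line), desc in seen.items())


def risk_profile(source):
    """Count findings per CWE, mirroring the per-app tallies in the abstract."""
    counts = {}
    for cwe, _, _ in scan(source):
        counts[cwe] = counts.get(cwe, 0) + 1
    return counts


if __name__ == "__main__":
    for cwe, line, desc in scan(SAMPLE_SOURCE):
        print(f"{cwe} line {line}: {desc}")
```

A hardened fragment using `java.security.SecureRandom`, `SHA-256`, and a TrustManager that actually validates (or a network-security-config pin set) produces no findings from these rules.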