Digital lending apps have transformed how people access credit in emerging markets, offering quick loans at the tap of a screen. But for many users, these apps carry hidden risks, ranging from aggressive harassment to privacy violations. As smartphones become the primary gateway to financial services in emerging markets, a Boston University PhD candidate uncovered how the data of millions of users—and even their safety—can be put at serious risk.
Olawale Akanji, a third-year PhD student advised by Manuel Egele and Gianluca Stringhini, recently earned the CISE Best Paper Award for his paper, “The Cost of Convenience: Identifying, Analyzing, and Mitigating Predatory Loan Applications on Android.” Akanji, who first published the paper at ASIA CCS ‘26, focuses his research on security and privacy in Android applications. He became inspired to pursue this study by observing digital loan apps in his home country.
“Coming from Nigeria, I witnessed firsthand the damage these apps can do,” he said. “Some would send bulk messages to all of a user’s contacts if a loan wasn’t repaid in seven days. People’s private information was shared publicly—reputations were ruined.”
This paper exposed widespread privacy violations in Android loan applications across Indonesia, Kenya, Nigeria, Pakistan, and the Philippines—countries where smartphones are increasingly the primary financial platform. Early in his research, Akanji focused on understanding how these apps exploit the Android permission system. Many apps requested access to contacts, SMS, and call logs—sometimes beyond what regulations allowed—taking advantage of the fact that most users simply accept permission requests without fully understanding the privacy and security implications of granting such broad access. His first projects examined these mechanisms in detail, analyzing how custom permissions in the Android ecosystem expose users to privacy breaches.
He discovered that regulatory frameworks, while in place, were often ineffective and easy to bypass. “Google came up with a regulation to guide the operations of these platforms, but the apps were able to circumvent them,” Akanji explained. For example, an app might avoid requesting access to contacts directly—as prohibited by law—but still collect the same information through call log permissions. “This clever method lets them technically stay within regulations while still collecting data,” he said.
Akanji’s research project, LoanWatch, systematically evaluated 435 apps through a three-phase approach combining large language models, static code analysis, and dynamic runtime testing. First, large language models analyze regulatory documents to identify the exact data types apps are prohibited from accessing. Then, static analysis checks app code for evidence of data collection practices tied to these sensitive permissions. Finally, dynamic testing confirms whether the app actually collects and transmits user data during operation.
These pipelines allowed Akanji’s team to build a chain of evidence linking app behavior to regulatory violations. Across their analysis, roughly 30% of apps approved on Google Play in certain countries were found to circumvent rules in ways that exposed sensitive data. The findings not only highlight gaps in enforcement but also show the potential for using the same technology to proactively protect users.
“Regulations exist to protect users. These policies should be enforced proactively, not reactively,” Akanji said. By providing tools to detect these violations before users are affected, Akanji’s research advocates for pre-emptive enforcement of privacy and security policies. The approach could also be applied to other app categories that handle sensitive data, such as health and financial services, and across emerging markets in Latin America, Asia, Africa, and beyond.
One of Akanji’s advisors, CISE Faculty Affiliate and Associate Professor Gianluca Stringhini (ECE), emphasized the broader significance of the work, noting that cybersecurity research is often criticized for being Western-centric and focused primarily on threats affecting users in the United States and Europe. “This raises awareness about other threats than those we are used to here in the US,” he said. “I’m glad our research helped keep users in Nigeria and other countries safe.”
Akanji and his team’s work has already influenced enforcement: Google removed 93 flagged apps from the Play Store, and regulators in Nigeria are coordinating ongoing compliance checks—changes that will inevitably reduce harassment and privacy breaches. By bridging the gap between policy and practice, the research is creating a model for how technology can enforce protections rather than merely provide them. Akanji is highlighting the hidden risks of digital lending and demonstrating how thoughtful analysis can hold developers accountable and protect millions of users. In the end, this project offers a roadmap for safer, more responsible digital ecosystems.
Akanji received his Bachelor of Science in Cyber Security from the Air Force Institute of Technology, Kaduna, in 2022, graduating with first-class honors. He served as an Airman in the Nigerian Air Force from 2012 to 2023, where his work centered on information security. During this period, he also worked as a Network Security Analyst at Galaxy Backbone Ltd in Abuja (2021–2022), focusing on securing enterprise network infrastructure. He is currently a 3rd-year Ph.D. candidate in Computer Engineering at Boston University, having previously completed his M.S. in Computer Engineering there with a focus on security and privacy-related research. At BU, he is a full-time student and researcher working on reverse engineering and malware analysis, building on his broader experience in system security. He is also a member of the Security Lab (SeclaBU), where his research aligns with the lab’s focus on identifying software vulnerabilities and abuse through program analysis and machine learning.
The CISE Best Student Paper Award competition is an annual competition at Boston University’s Center of Information & Systems Engineering (CISE) that recognizes outstanding student research and promotes scientific excellence among CISE-affiliated students. Open to all Boston University students advised by a CISE faculty affiliate, submissions undergo a blind review process evaluated by both student and faculty committees, with awards selected based on reviewer assessments of quality, novelty, and impact. This year, the competition received 16 paper submissions across systems, security, and AI-related areas. Learn more here.