In the world of software development, we often treat mobile number validation as a trivial task. It's easy to reach for a quick regex pattern, test it with a few examples, and consider the job done. But when it comes to Nigerian mobile numbers, this approach can expose your application to serious risks – from missed communications to security vulnerabilities that could compromise your entire system.
The reality is that most Nigerian mobile number validation libraries available today are outdated, unmaintained, and built on simplistic approaches that fail to account for the complexities of Nigeria's evolving telecommunications landscape. If you're using one of these libraries, your application may be vulnerable right now.
The State of Nigerian Mobile Number Validation
Our exhaustive analysis of open-source Nigerian mobile number validators revealed 11 packages. They all clearly had opportunities for improvement:
- Most popular libraries haven't been updated in 4+ years
- Few fully align with the current Nigerian Communications Commission (NCC) numbering plan
- Many rely on regex patterns and none of them account for all edge cases
- Enterprise-level security features are not included
- Protection against common attacks is limited in most implementations
Let's look at some examples from the npm registry:
| Library | Last Update | Weekly Downloads | Limitations |
|---|---|---|---|
| nigerian-phone-number-validator | 4 years ago | 83 | Uses older numbering plan, limited security features |
| nigeria-phone-number-validator | 4 years ago | 19 | Focuses on basic format validation |
| naija-phone-number | 8 years ago | - | Minimal validation functionality |
While these libraries served important needs when created, the evolving Nigerian telecommunications landscape requires more comprehensive solutions. As the NCC updates its numbering plan and new security challenges emerge, validation libraries need to adapt accordingly.
Why Basic Validation Isn't Enough
Mobile number validation in Nigeria is far more complex than simply checking for a specific format. The Nigerian Communications Commission regularly updates its numbering plan, reallocates ranges between carriers, and introduces new network codes.
Consider these examples of complex edge cases that most validators miss:
- Specific Subscriber Range Allocations: The 0702 network code has multiple allocations within the same prefix:
  - 0702 0000000-0999999: Allocated to Smile
  - 0702 1000000-1999999: Returned to NCC
  - 0702 2000000-2000199: Allocated to Interconnect Clearinghouse
  - 0702 2000200-2999999: Withdrawn
  - 0702 3000000-3999999: Allocated to Openskys
- Status-Based Validity: Some number ranges are reserved, withdrawn, or returned to the NCC but might appear valid to basic validation.
- Format Variations: Numbers can be presented in local format (080xxxxxxxx), international format (234xxxxxxxxxx), or with plus sign (+234xxxxxxxxxx).
Most existing validators simply check if a number starts with certain digits, completely missing these nuances. This leads to accepting invalid numbers that may cause message delivery failures, customer service issues, or worse.
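The difference between a prefix check and a range-aware check, as an added example (not code from nigerian-mobile-validator). The allocation table is constructed from the 0702 ranges listed above only, and `PREFIX_ONLY`, `toNationalNumber` and `lookup` are hypothetical names.

```javascript
// Constructed stand-in for a "starts with certain digits" validator.
const PREFIX_ONLY = /^(0|\+?234)[789][01]\d{8}$/;

// Constructed allocation table: only the 0702 ranges listed in the article.
// A real table would cover every network code in the NCC numbering plan.
const ALLOCATIONS = {
  '702': [
    { from: 0,       to: 999999,  status: 'allocated', holder: 'Smile' },
    { from: 1000000, to: 1999999, status: 'returned',  holder: null },
    { from: 2000000, to: 2000199, status: 'allocated', holder: 'Interconnect Clearinghouse' },
    { from: 2000200, to: 2999999, status: 'withdrawn', holder: null },
    { from: 3000000, to: 3999999, status: 'allocated', holder: 'Openskys' },
  ],
};

// Reduce 080xxxxxxxx, 234xxxxxxxxxx and +234xxxxxxxxxx to the 10-digit
// national number, or return null if the shape is wrong.
function toNationalNumber(input) {
  if (typeof input !== 'string' || input.length > 20) return null;
  const s = input.trim();
  let m;
  if ((m = /^0(\d{10})$/.exec(s))) return m[1];
  if ((m = /^\+?234(\d{10})$/.exec(s))) return m[1];
  return null;
}

// Resolve a number to its allocation and reject anything not currently allocated.
function lookup(input) {
  const nsn = toNationalNumber(input);
  if (nsn === null) return { ok: false, reason: 'bad-format' };
  const ranges = ALLOCATIONS[nsn.slice(0, 3)];
  if (!ranges) return { ok: false, reason: 'unknown-network-code' };
  const subscriber = Number(nsn.slice(3));
  const hit = ranges.find(r => subscriber >= r.from && subscriber <= r.to);
  if (!hit) return { ok: false, reason: 'unallocated-range' };
  if (hit.status !== 'allocated') return { ok: false, reason: hit.status };
  return { ok: true, holder: hit.holder, msisdn: '234' + nsn };
}
```

Because the table holds only 0702, any other network code comes back as `unknown-network-code` here.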
However, for some companies, reputation depends on getting matters as seemingly simple as number validation right.
The Security Dimension
Inadequate validation isn't just a functional issue – it's both a security vulnerability and a reputational risk. Consider these potential consequences:
Security Vulnerabilities
- Injection Attacks: User-provided phone numbers without proper sanitization can lead to XSS or SQL injection attacks.
- Denial of Service: Without rate limiting, attackers can overload validation services.
- Privacy Leaks: Improperly handled phone numbers can expose PII in logs or error messages.
- Resource Exhaustion: Maliciously crafted inputs can cause excessive processing time.
Reputational Risks
- Customer Communication Failures: Messages sent to invalid numbers that passed basic validation can damage customer relationships.
- Edge Case Discrimination: Customers with valid numbers in complex ranges (like the 0702 range) may be incorrectly rejected, creating frustration.
- Security Breaches: A security compromise stemming from validation vulnerabilities can severely damage brand reputation.
- Compliance Issues: Especially in regulated industries, non-compliance with proper validation standards can have serious consequences.
For many companies, their reputation depends on getting matters as seemingly simple as number validation right, while maintaining a strong security posture. Validation is not just about checking format – it's a critical business function.
The Enterprise-Grade Solution: nigerian-mobile-validator
To address these challenges, we've developed nigerian-mobile-validator, the first Nigerian mobile number validation library built with both comprehensive validation and enterprise-grade security in mind.
Key advantages include:
1. Complete NCC Compliance
```javascript
import { NigerianMobileNumberValidator } from 'nigerian-mobile-validator';

const validator = new NigerianMobileNumberValidator();
const result = validator.validate('08031234567');

if (result.validationSucceeded) {
  // Validated against current NCC numbering plan
  console.log(`Valid ${result.mobileNumber.telco} number`);
} else {
  // Detailed reason for validation failure
  console.log(`Invalid: ${result.userMessage}`);
}
```
Unlike other validators that check only format, nigerian-mobile-validator verifies that:
- The network code is valid and currently active
- The subscriber number falls within an allocated range
- The range is assigned to an active telco operator
- The number isn't in a reserved, withdrawn, or returned range
2. Enterprise Security Features
```javascript
import {
  NigerianMobileNumberValidator,
  ValidatorSecurity
} from 'nigerian-mobile-validator';

// Built-in protection against common attacks
const validator = new NigerianMobileNumberValidator({
  rateLimit: 100 // Limit of 100 validations per minute per instance
});

// Automatic input sanitization
const result = validator.validate(userProvidedInput);

// Manual sanitization if needed
const sanitizedInput = ValidatorSecurity.stripUnsafeInputs(userProvidedInput);
```
The library implements multiple security layers:
- Input Sanitization: Protection against XSS, injection attacks
- Rate Limiting: Configurable rolling window rate limiting
- PII Protection: Automatic masking of phone numbers in logs
- Resource Protection: Fast rejection of obviously invalid inputs
Additionally, the library undergoes continuous security verification through:
- SonarQube: Code quality and security analysis
- CodeQL: Static code analysis to find security vulnerabilities
- Snyk: Dependency and code scanning for known vulnerabilities
- Dependabot: Automated dependency updates to patch security issues
This comprehensive security approach ensures the library remains resistant to new vulnerabilities over time.
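What the sanitization, rolling-window rate limiting, log masking and fast-rejection layers listed above look like in front of any validator, as an added example that is independent of the library (not its implementation or API). All names, and the 20-character input cap, are assumptions.

```javascript
// Hypothetical helper names; none of this is the library's API.
const MAX_INPUT_LENGTH = 20; // assumed upper bound for a formatted number

// Fast rejection: bound the work before any further processing, and allow
// only digits with an optional leading "+", so markup or SQL metacharacters
// never reach a template, query or log line.
function precheck(input) {
  if (typeof input !== 'string') return false;
  if (input.length === 0 || input.length > MAX_INPUT_LENGTH) return false;
  return /^\+?\d+$/.test(input);
}

// Mask for logs in the shape of the article's sample ("080*****67"):
// first three and last two characters, fixed-width filler in between.
function maskForLog(number) {
  if (typeof number !== 'string' || number.length < 7) return '*****';
  return number.slice(0, 3) + '*****' + number.slice(-2);
}

// Rolling-window limiter: at most `limit` calls in any `windowMs` span.
class RollingWindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.stamps = [];
  }
  tryAcquire(now = Date.now()) {
    // Drop timestamps that have left the window.
    while (this.stamps.length && now - this.stamps[0] >= this.windowMs) {
      this.stamps.shift();
    }
    if (this.stamps.length >= this.limit) return false;
    this.stamps.push(now);
    return true;
  }
}

// Gate in front of the real validator; rejected inputs count against the limit.
function guardedCheck(input, limiter, log, now = Date.now()) {
  if (!limiter.tryAcquire(now)) return 'rate-limited';
  if (!precheck(input)) {
    log(`rejected input (type ${typeof input})`); // never echo raw input
    return 'rejected';
  }
  log('validating number: ' + maskForLog(input));
  return 'accepted';
}
```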
3. Enterprise Logging Integration
```javascript
// setDefaultLogger is used below; it is assumed to be a named export of the package.
import {
  NigerianMobileNumberValidator,
  LoggerFactory,
  setDefaultLogger
} from 'nigerian-mobile-validator';
import winston from 'winston';
import pino from 'pino';

// Winston integration with automatic PII masking
const winstonLogger = winston.createLogger({
  level: 'info',
  format: winston.format.json(),
  transports: [new winston.transports.Console()]
});

const validator = new NigerianMobileNumberValidator({
  logger: LoggerFactory.createLogger({
    type: 'winston',
    instance: winstonLogger
  })
});

// Pino integration
const pinoLogger = pino();
const validatorWithPino = new NigerianMobileNumberValidator({
  logger: LoggerFactory.createLogger({
    type: 'pino',
    instance: pinoLogger
  })
});

// Set a global default logger
setDefaultLogger(LoggerFactory.createLogger({
  type: 'console',
  prefix: 'GlobalValidator'
}));

// Log before: "Validating number: 08031234567"
// Log after: "Validating number: 080*****67"
```
The library seamlessly integrates with enterprise logging systems including Winston and Pino, with intelligent PII masking that automatically protects sensitive information while still providing enough context for debugging and monitoring.
4. Comprehensive Testing & Optimized Performance
The library is built with reliability and performance in mind:
Extensive Testing Infrastructure
- 150+ Unit Tests: Covering all validation edge cases and scenarios
- Test Data Generation: Sophisticated system for generating test data
- Security Testing: Specific tests for validation security features
- Edge Case Coverage: Tests for complex number range allocations
```javascript
// Example of edge case testing
// MobileValidationStatus is assumed to be exported by the package alongside the validator.
import {
  NigerianMobileNumberValidator,
  MobileValidationStatus
} from 'nigerian-mobile-validator';

const validator = new NigerianMobileNumberValidator();

describe('Complex number range allocations', () => {
  it('validates numbers in the 0702 range correctly', () => {
    // Smile allocation
    const smileNumber = '07020123456';
    expect(validator.validate(smileNumber).validationSucceeded).toBe(true);
    expect(validator.validate(smileNumber).mobileNumber?.telco).toBe('Smile');

    // Returned range
    const returnedNumber = '07021123456';
    expect(validator.validate(returnedNumber).validationSucceeded).toBe(false);
    expect(validator.validate(returnedNumber).validationStatus).toBe(MobileValidationStatus.ReturnedNetworkCode);
  });
});
```
Optimized Performance
The library employs smart optimization techniques:
- Lazy Loading: Network codes are loaded only when needed
- Fast Rejection: Obvious invalid inputs are rejected early
- Map-Based Lookups: Efficient data structures for validation
- Minimal Memory Footprint: ~200KB initial footprint
Implementation: Upgrading Your Validation
Migrating from existing libraries is straightforward:
```javascript
// Before (with basic validator):
import { validateNigerianPhone } from 'outdated-nigerian-validator';

const isValidPhone = validateNigerianPhone(phoneNumber);
if (isValidPhone) { /* proceed */ }

// After (with enterprise-grade validation):
import { NigerianMobileNumberValidator } from 'nigerian-mobile-validator';

const validator = new NigerianMobileNumberValidator();
const result = validator.validate(phoneNumber);

if (result.validationSucceeded) {
  // Access additional data about the number
  const telco = result.mobileNumber.telco;
  const networkCode = result.mobileNumber.networkCode;
  const internationalFormat = result.mobileNumber.msisdn;
} else {
  // Get specific reason for failure
  console.log(result.userMessage); // User-friendly message
  console.log(result.devMessage); // Technical details
}
```
The library is designed to be a drop-in replacement with minimal code changes while providing significantly more functionality and security.
Future-Proofing Your Validation
The nigerian-mobile-validator library is actively maintained with several upcoming features:
- Firecrawl AI Integration: Automated scraping of NCC website updates to keep the numbering plan current
- Enhanced Telco Identification: Improved operator detection considering Mobile Number Portability
- Community-Driven Development: Evolving based on real-world use cases and feedback
Your validation solution should evolve with Nigeria's telecommunications landscape, not remain frozen in time like most existing libraries.
Conclusion: When Number Validation Is Business-Critical
For applications where accuracy and security matter, a robust validation solution provides important protection. This is especially true if you're building:
- A financial application requiring strong KYC
- A messaging platform that depends on reliable delivery
- An enterprise system with stringent security requirements
- A government service with compliance obligations
The nigerian-mobile-validator library offers a comprehensive approach that combines:
- Complete NCC compliance with up-to-date numbering plan data
- Enterprise-grade security features protecting against common vulnerabilities
- Extensive testing with 150+ unit tests covering edge cases
- Integration capabilities with enterprise logging and security systems
- Performance optimization through lazy loading and efficient data structures
These capabilities help ensure that your application handles Nigerian mobile numbers correctly and securely, reducing the risk of validation-related issues in production.
Getting Started
```bash
npm install nigerian-mobile-validator
```
- GitHub: https://github.com/timiagama/nigerian-mobile-validator
- NPM: https://www.npmjs.com/package/nigerian-mobile-validator
Don't let inadequate validation put your application at risk. Upgrade to a solution that treats validation with the seriousness it deserves.