The client is a funded startup that provides a free downloadable application in which users engage with an advertiser's ad and get paid for doing so. Advertisers benefit because they can distribute coupons and other discount offers through the application and achieve a strong ROI on social media. Protecting the personal information and privacy of its users is of the utmost importance to the client.
Pre-release security testing of Mobile Application.
The platform handled a large volume of financial transactions, from internal accounts to users' accounts and from users' accounts to internal bank accounts, which made the engagement both critical and challenging. The application also stored a large amount of user data, including personally identifiable information, so it was important that the mobile app was secure for customer use and compliant with the OWASP Mobile Application Security Verification Standard.
Using Appsecuri's own framework and tools, the consultants completed the mobile application security testing in one week. Key highlights of the security assessment are listed below:
Building the security testing plan.
Functional mapping of all of the mobile app's endpoints and integrations.
Reverse engineering and auditing of the application for static analysis, using open source tools, by a team of ethical hackers following the checks listed in the OWASP code review standards.
Traffic interception of the application for the dynamic analysis phase, using open source tools, by a team of ethical hackers following the checks listed in the OWASP code review standards.
Human intelligence testing of the application for logic analysis, using open source tools, by a team of ethical hackers completing the checks listed in the OWASP code review standards.
Manual vulnerability correlation and removal of false positives.
Leveraging the vulnerabilities found to penetrate further into the client's application architecture and identify their true impact.
Writing of the assessment report.
Daily and weekly status reports.
Comprehensive information, proof-of-concept examples and detailed exploitation instructions for all the threats and vulnerabilities identified.
Reduced risk of damage to brand and reputation, and of the costs associated with such damage.
By conducting thorough security tests and identifying vulnerabilities, Appsecuri reduced the client's risk. In addition, the client gained the following benefits:
Risk benefits: Appsecuri discovered three critical security issues:
1) insecure direct object reference; 2) 2FA bypass due to brute force; 3) OAuth2 misconfiguration.
Cost savings: Appsecuri suggested cost-effective risk-mitigation measures, based on the customer's business requirements, that would ensure the security and continuity of the business.
Customer satisfaction: the mobile application security assessment was conducted with minimal interruption to, and no damage to, customer systems while identifying security vulnerabilities, their impact and the potential risks.
Compliance: the mobile application was benchmarked against OWASP global security standards.
Speedy service: the client was particularly impressed by how quickly Appsecuri carried out the penetration test and delivered the reports.
Vulnerabilities identified during the assessment:
Temporary file stored sensitive information
Weak hash algorithm used
Sensitive information stored in logs
Broadcast receiver was not protected
Insecure direct object reference
Brute force attack possible on the coupon feature
Brute force attack possible on the login page
2FA bypass due to brute force
Cross-site request forgery
HttpOnly flag not set on cookie
Password policy bypass
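One of the findings listed above, 2FA bypass due to brute force, comes down to an OTP check that accepts an unlimited number of guesses. The following is an added illustration written for this page; it is not code from the client's application or from Appsecuri. It shows a constructed six-digit OTP verifier with no attempt limit next to a hardened version, and a simulated attacker that enumerates the code space against each. The `Session` structure, the `MAX_ATTEMPTS` value and the fixed code used in the demonstration are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass

OTP_DIGITS = 6
MAX_ATTEMPTS = 5  # assumed lockout threshold for illustration; not a value from the report


@dataclass
class Session:
    """Server-side state for one pending 2FA challenge (constructed for this example)."""
    otp: str            # the code issued to the user, e.g. by SMS
    attempts: int = 0   # verification attempts made against this challenge
    locked: bool = False


def new_session() -> Session:
    """Issue a fresh random six-digit code, as a real server would."""
    return Session(otp=f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}")


def verify_otp_unthrottled(session: Session, submitted: str) -> bool:
    """Vulnerable pattern: every submission is checked and nothing is counted.
    An attacker who can replay the 2FA request simply walks 000000..999999."""
    return submitted == session.otp


def verify_otp_throttled(session: Session, submitted: str) -> bool:
    """Hardened pattern: bounded attempts per challenge, permanent lock of that
    challenge once the budget is spent, and a constant-time comparison so the
    response time does not leak how many leading digits matched."""
    if session.locked:
        return False
    session.attempts += 1
    ok = hmac.compare_digest(submitted.encode(), session.otp.encode())
    if not ok and session.attempts >= MAX_ATTEMPTS:
        session.locked = True
    return ok


def brute_force(verify, session: Session, limit: int = 10 ** OTP_DIGITS):
    """Simulate an attacker enumerating the whole code space against `verify`.
    Returns (success, guesses_sent)."""
    for n in range(limit):
        guess = f"{n:0{OTP_DIGITS}d}"
        if verify(session, guess):
            return True, n + 1
        if session.locked:
            return False, n + 1
    return False, limit


if __name__ == "__main__":
    # Constructed challenge with a fixed code so the two runs are comparable.
    weak = Session(otp="004213")
    print("unthrottled:", brute_force(verify_otp_unthrottled, weak))   # (True, 4214)
    strong = Session(otp="004213")
    print("throttled:  ", brute_force(verify_otp_throttled, strong))   # (False, 5)
    print("locked:", strong.locked,
          "correct code now accepted?", verify_otp_throttled(strong, "004213"))  # True False
```

The per-challenge counter is only half of the fix: if the attacker can request a new challenge after a lockout, the budget resets, so the attempt limit must also be tied to the account or device and rate limited across challenges, and the issued code should be invalidated and re-issued once a challenge is locked.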