Mobile Wallet App

Business Background

The Client is a funded startup that provides a free downloadable application through which users engage with an advertiser's ad and get paid. It is beneficial for advertisers because they can distribute their coupons and other discount offers through the application and produce a strong ROI on social media. Protecting the personal information and privacy of the users is of the utmost importance to the Client.

Objective

Pre-release security testing of the mobile application.

The Challenge

The platform handled a large number of financial transactions, from internal accounts to users' accounts and from users' accounts to internal bank accounts, which made the assessment both crucial and challenging. The application stored a lot of user data, including personally identifiable information, so it was important to us that the mobile app was secure for customer use and compliant with the OWASP Mobile Application Security Verification Standard.

The Solution

Using Appsecuri's in-house framework and tools, the consultants completed the mobile application security testing in one week. Key highlights of the security assessment:

  • Built the security testing plan.
  • Functional mapping of all mobile app endpoints and integrations.
  • Reverse engineering and auditing of the application for static analysis, using various open source tools, by a team of ethical hackers following the checks listed in the OWASP code review standards.
  • Traffic interception of the application for the dynamic analysis phase, using various open source tools, by a team of ethical hackers following the checks listed in the OWASP code review standards.
  • Manual (human intelligence) testing of the application's business logic, using various open source tools, by a team of ethical hackers completing the checks listed in the OWASP code review standards.
  • Manual vulnerability correlation and removal of false positives.
  • Leveraged the confirmed vulnerabilities to penetrate further into the Client's application architecture and identify the true impact of each vulnerability.
  • Writing of the assessment report.

The Deliverables

  • Daily and weekly status reports
  • Comprehensive information, proof-of-concept examples and detailed exploitation instructions for all identified threats and vulnerabilities

Outcomes

  • Reduced risk of damage to brand and reputation, and of the associated costs.

Benefits

By conducting thorough security tests and identifying vulnerabilities, Appsecuri reduced the Client's risk. In addition, the Client gained the following benefits:

Risk Benefits: Appsecuri discovered 3 critical security issues:

1) Insecure direct object reference
2) 2FA bypass due to brute force
3) OAuth2 Misconfiguration

Cost Savings: Appsecuri suggested cost-effective risk-mitigation measures, based on the customer's business requirements, that would ensure the security and continuity of the business.

Customer Satisfaction: The mobile application security assessment was conducted with minimal interruption and no damage to customer systems while identifying security vulnerabilities, their impacts and potential risks.

Compliance: The mobile application was benchmarked against OWASP global security standards.

Speedy Service: The Client was particularly impressed by how quickly Appsecuri carried out the penetration test and delivered the reports.

Industry

  • Media

Challenge

  • Protect content data, customer information and brand reputation
  • Monitor the internal network 24/7

Vulnerabilities Found

  • Temporary file stored sensitive information
  • Weak hash algorithm used
  • Sensitive information stored in logs
  • Broadcast receiver was not protected
  • Insecure direct object reference
  • Brute force attack was possible on the coupon feature
  • Brute force on the login page
  • 2FA bypass due to brute force
  • OAuth2 misconfigurations
  • Cross-site request forgery
  • HttpOnly flag not set on cookie
  • Password policy bypass