One of our foremost clients asked us to penetration test a newly developed mobile app that manages users’ financial information. Because the application was developed by a supplier company, in addition to verifying security, the client also asked us to verify that the application met the criteria specified in the design.
When analysing the source code, in conjunction with penetration testing, we discovered several very serious authentication and authorization vulnerabilities that could have given an attacker access to the financial and profile information of all the product's users. This very sensitive data could have been used by attackers, for example, in phishing campaigns targeting users or directly in attacks against the institution. Had this happened in live operation, the company would have faced major financial losses, the associated loss of its client base and considerable damage to its reputation. Because the penetration tests were carried out before the application went live, this serious incident was avoided.
What’s more, comparing the design with the actual state of the application revealed some deviations from the agreed requirements, for instance in the handling of user documents, which is subject to the GDPR and which the supplier had not adequately secured in the application. The client was therefore able to negotiate a fast, free fix within the contract and thus raise the level of security of its mobile app.