One of our foremost clients asked us to conduct penetration tests on a newly developed mobile app that manages users’ financial information. Since the application was developed by a supplier company, in addition to checking security, the client also asked us to verify compliance with the criteria that the application was designed to meet.
During penetration testing, we uncovered several very serious authentication and authorization vulnerabilities that could allow an attacker to access the profile and financial information of all the product’s users. This highly critical data could be used by hackers, for instance, for phishing campaigns targeting users or directly in attacks on the institution. If this situation were to arise during actual operation, the company would be at risk of large financial losses, the associated loss of its client base and damage to its reputation. However, because penetration testing was carried out in time, before the app was published for real operation, this serious incident was avoided.
What is more, the analysis of the design and the actual state of the application revealed some deviations from the agreed requirements, for example in the handling of user documents, which falls under the GDPR and which the supplier had not sufficiently secured in the app. Within the contract’s framework, the client was therefore able to negotiate fast, free fixes and thus raise the level of security of their mobile app.