Mobile Application Penetration Testing

Scope

Digital bank mobile application with Android and iOS versions was penetrated. The test was performed in a GreyBox manner and simulated a malicious user with partial knowledge regarding the system functionality.

Conclusions

It was observed that there is no input validation in both Android and iOS versions. Attacks, based on this vulnerability, could be performed on the application. Although, no matter that it is not following proper input validation, due to MVC framework there is no successful exploitation. In iOS Application it was observed that the application is storing the transactions data in plain text format in local storage. It was also discovered that application snapshots are enabled.

Time frame

  • 13 working days
  • 5 days penetration of Android version
  • 5 days penetration of iOS version
  • 3 dayс vulnarebilities & remediation report preparation

Steps performed

  • Architecture, design and threat modelling
  • Data storage and privacy
  • Cryptography verification
  • Authentication and session management
  • Network communication
  • Environmental interaction
  • Code quality and build settings
  • Resiliency again treverse engineering