Engagement type: Mobile application + REST API security review · Sector: BFSI / Fintech · Duration: 3–4 weeks · Outcome: Reduced attack surface, hardened client-server boundary
Context
A consumer-facing fintech operating in the Indian lending and personal finance space engaged us to review the security posture of their Android and iOS mobile applications, together with the REST API powering them. The brief was simple: assume an attacker has fully reverse-engineered the apps, then tell us what they can do that they shouldn’t.
Scope
- Android APK — full static + dynamic analysis
- iOS IPA — runtime instrumentation and binary review
- REST API surface used by both apps — authenticated and unauthenticated
- Client-side credential and session handling
- Local storage of sensitive data (KYC documents, session tokens, PII)
- Certificate pinning and transport security configuration
- Deep-link and inter-app communication handlers
Methodology
- OWASP MASVS Level 2 verification end-to-end
- OWASP MSTG testing procedures applied per platform
- OWASP API Security Top 10 coverage for the backend
- Static analysis: jadx, apktool, MobSF (Android); class-dump, Hopper (iOS)
- Dynamic analysis: Frida, Objection, Burp Suite for traffic interception (with custom CA), Magisk + LSPosed for root-detection bypass testing
- Manual API testing for IDOR, mass-assignment, rate limiting, and authentication-bypass scenarios
Categories of findings
Without disclosing specifics covered under NDA, the engagement surfaced issues across:
- Local storage hygiene: sensitive identifiers and partial PII in client-side caches recoverable from device backups
- Certificate pinning: bypassable configuration on one platform; missing on certain debug endpoints
- API rate limiting: uneven coverage allowing enumeration on identifier-based endpoints
- Authentication tokens: overlong lifetimes and weak invalidation on logout
- Deep linking: insufficiently validated parameters in custom URI schemes
- Root / jailbreak detection: trivial bypasses, allowing an attacker-controlled runtime environment
- Binary protection: string obfuscation gaps revealing API endpoints and internal flags
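The rate-limiting category above is the one most directly fixable at the API layer. The block below is an added illustration written for this page, not the client's code or anything delivered during the engagement: a sliding-window limiter keyed on (caller, endpoint) and applied uniformly to every identifier-based route, so that no single endpoint is left with weaker coverage than the others. The endpoint names, limits and the `lookup` callback are constructed assumptions; the clock is injected so the behaviour can be checked deterministically.

```python
"""Uniform per-endpoint rate limiting for identifier-based routes.

Added example (not the engagement's code). Every route that takes a record
identifier shares one limiter policy instead of each handler deciding for
itself, which is the gap that lets an attacker sweep identifiers through
whichever endpoint forgot to throttle.
"""
from collections import deque
import time


class SlidingWindowLimiter:
    """Allow at most `limit` hits per key within any `window_seconds` span."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock          # injectable for deterministic tests
        self._hits = {}             # key -> deque of hit timestamps

    def allow(self, key):
        now = self.clock()
        q = self._hits.setdefault(key, deque())
        cutoff = now - self.window
        while q and q[0] <= cutoff:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Constructed route names: every identifier-based endpoint is listed here, so
# adding a new one without limiting is a visible omission rather than a silent gap.
IDENTIFIER_ROUTES = {"/v1/accounts/{id}", "/v1/kyc/{id}/status", "/v1/loans/{id}"}


def handle(limiter, caller, route, record_id, lookup):
    """Single choke point for identifier-based routes.

    The limiter is consulted before the lookup and regardless of whether the
    record exists, so 404 responses count against the budget just like 200s.
    Returns (status, body).
    """
    if route in IDENTIFIER_ROUTES and not limiter.allow((caller, route)):
        return 429, {"error": "rate_limited"}
    record = lookup(record_id)
    if record is None:
        return 404, {"error": "not_found"}
    return 200, record


def sweep_outcome(limiter, caller, route, record_ids, lookup):
    """Defender's check: how many of a burst of lookups actually got served."""
    served = limited = 0
    for rid in record_ids:
        status, _ = handle(limiter, caller, route, rid, lookup)
        if status == 429:
            limited += 1
        else:
            served += 1
    return {"served": served, "limited": limited}


class FakeClock:
    """Manual clock so the window can be advanced in tests."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock()
    limiter = SlidingWindowLimiter(limit=20, window_seconds=60, clock=clock)
    # Constructed data store: only a handful of ids exist.
    store = {"1001": {"id": "1001"}, "1007": {"id": "1007"}}
    ids = [str(i) for i in range(1000, 1100)]
    print(sweep_outcome(limiter, "app-client-A", "/v1/accounts/{id}", ids, store.get))
```

The limiter deliberately counts misses as well as hits; a policy that only charged successful lookups would still let existence be probed one identifier at a time. Whether 200 and 404 should also be made indistinguishable on these routes is a separate design decision the limiter does not make for you.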
Deliverables
- Finding-by-finding technical report mapped to MASVS and API Top 10
- Proof-of-concept walkthroughs for high-impact issues (Frida scripts, modified APKs, request traces)
- Platform-specific hardening checklist for the engineering team
- API contract changes recommended at the backend layer to defend against client compromise
- Retest cycle on Critical and High findings (included)
Outcome
- Local storage handling moved to platform secure-storage primitives (Keystore / Keychain) for all sensitive identifiers
- Certificate pinning rebuilt with verifiable enforcement and a documented rotation plan
- Rate-limiting policy unified across the API surface
- Token lifetime and revocation model redesigned, with backend-driven session invalidation
- Engineering team established a recurring quarterly mobile security review cadence
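The token-lifetime and revocation outcome above hinges on one property: the backend, not the client, decides whether a session is still alive. The block below is an added example written for this page, not the redesign actually delivered to the client. It models opaque session tokens held server-side with an absolute lifetime, an idle timeout, logout that revokes on the backend, and a user-wide revocation for credential-reset or device-loss cases. The TTL values, the hashing-at-rest choice and the injected clock are assumptions made for the illustration.

```python
"""Backend-driven session validation and invalidation.

Added example, not the client's implementation. A client-side-only logout
(deleting the token from the device) leaves the token usable by anyone who
captured it; here the server holds the authoritative record and can kill a
session whether or not the client cooperates.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user_id: str
    issued_at: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    # Constructed policy values; pick these against the product's risk profile.
    ABSOLUTE_TTL = 15 * 60   # hard cap on how long a token lives, active or not
    IDLE_TTL = 5 * 60        # kill sessions that go quiet

    def __init__(self, clock=time.time):
        self.clock = clock
        self._sessions = {}  # sha256(token) -> Session

    @staticmethod
    def _key(token):
        # Store a digest rather than the token itself so a leaked session table
        # does not hand out usable bearer tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)  # opaque: no claims the client could tamper with
        now = self.clock()
        self._sessions[self._key(token)] = Session(user_id, now, now)
        return token

    def validate(self, token):
        """Return the user id for a live session, or None."""
        s = self._sessions.get(self._key(token))
        if s is None or s.revoked:
            return None
        now = self.clock()
        if now - s.issued_at > self.ABSOLUTE_TTL:
            return None
        if now - s.last_seen > self.IDLE_TTL:
            return None
        s.last_seen = now  # activity extends the idle window, never the absolute one
        return s.user_id

    def logout(self, token):
        """Server-side logout: the token is dead even if the device keeps a copy."""
        s = self._sessions.get(self._key(token))
        if s is not None:
            s.revoked = True
            return True
        return False

    def revoke_all(self, user_id):
        """Invalidate every session for a user (password reset, lost device)."""
        count = 0
        for s in self._sessions.values():
            if s.user_id == user_id and not s.revoked:
                s.revoked = True
                count += 1
        return count


class FakeClock:
    """Manual clock so expiry can be exercised without sleeping."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    store = SessionStore(clock)
    tok = store.issue("user-42")
    print("before logout:", store.validate(tok))
    store.logout(tok)
    print("after logout:", store.validate(tok))
```

Because the token carries no claims, there is nothing for the client to extend or forge; lifetime policy lives entirely in `SessionStore`. A self-contained JWT with a long `exp` cannot be retired this way without an equivalent server-side denylist, which is the trade-off behind "backend-driven session invalidation".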
Specific finding counts and metrics omitted under the engagement NDA.
Want a similar engagement?
If your mobile application is core to your business — and especially if it touches money, identity, or regulated data — talk to us about a MASVS-aligned review. We test the apps and the API behind them, because attackers don’t draw the line at the boundary.