A mobile payments app (iOS and Android) needed a security assessment before public launch. The client required reverse engineering, API security, and data storage testing to ensure sensitive payment and PII handling was secure.
Scope: iOS and Android app binaries (production build); backend APIs used by the app; certificate pinning and TLS. Success criteria: OWASP Mobile Top 10 covered; critical/high remediated before launch. Rules of engagement: testing on provided devices/builds; no distribution of modified apps.
Approach: static and dynamic analysis, reverse engineering (e.g. Frida, objection), and API testing. Test cases included:
| Category | Test Cases Performed |
|---|---|
| Data storage | Keychain/Keystore, shared prefs, DB, logs; sensitive data in backups |
| Communication | TLS validation, certificate pinning bypass, API auth and authorization |
| Code | Reverse engineering, hardcoded secrets, debug flags, root/jailbreak detection |
| API | IDOR, broken auth, injection, rate limiting, token handling |
Tools: Burp, Frida, objection, MobSF, dex2jar/jadx. Standards: OWASP Mobile Top 10.
Results: 14 findings (2 critical, 5 high, 5 medium, 2 low). Critical:
Remediation support included secure storage patterns, backend token handling, and certificate pinning implementation guidance. All critical and high findings were fixed before launch.
"They found issues our internal team missed. Essential before going to market." — Head of Engineering, Mobile Payments
Lessons learned: testing on production-equivalent builds and on both platforms caught platform-specific issues. For similar organizations: include the API and backend in scope; test certificate pinning and secure storage early; plan a retest after fixes.