Overview
In today’s digital landscape, advertising is a key strategy for reaching and engaging target audiences. Digital signage applications play a pivotal role by enabling dynamic ad displays on kiosks and screens. We were approached to perform a security assessment of an Android-based digital signage application designed to showcase advertisements retrieved from a backend server. Advertisers provided content, and the application handled its display dynamically.
Although the application had limited features, its internal processes were complex and required a detailed evaluation. Our assessment involved static and dynamic analysis, source code review, and penetration testing to uncover and address potential security flaws.
Challenges Faced:
- Limited Functionalities – The application was minimalistic, requiring a thorough understanding of its internal processes through source code review.
- Complex Application Flow – Despite its simplicity, tracing the logic and flow of the application required significant effort.
- Lack of Proper Security Measures – The application had weak security configurations, making it vulnerable to exploitation.
- Static & Dynamic Analysis – We had to conduct both static and dynamic testing to uncover vulnerabilities that were not immediately apparent.
- Client Awareness & Communication – Some of the security issues identified required careful explanation to the client to ensure they understood the risks and the necessary mitigations.
Key Findings & Observations:
During our security assessment, we identified multiple vulnerabilities in the application. The key security issues discovered include:
- Unauthorized Ad Change – Attackers could manipulate the displayed advertisements, leading to unauthorized ad placement.
- Web HTTP Request & Response Exposure in Logcat – OTPs were leaking in the application’s response, allowing attackers to intercept them.
- OTP Leak in Response via APK Request – The application’s backend returned OTPs in the response, posing a security risk.
- URL Leak in APK – Sensitive URLs were exposed in the APK file, leading to access to the Admin Login Page and PHP Info file disclosure.
- URL Leak in APK (PHPMyAdmin Exposure) – Attackers could discover and potentially access the PHPMyAdmin login page.
- Improper Platform Usage – Activity Hijack – Malicious applications could hijack certain activities within the app.
- OTP Exposure via Logcat – The application was logging sensitive OTP information, making it accessible to attackers.
- Insecure Data Storage – Username Leak – User credentials were stored in an insecure manner, making them prone to theft.
- Backup Enabled in APK – The application’s backup feature was enabled, which could lead to unauthorized data retrieval if an attacker gained access to a backup file.
Solutions Provided:
To mitigate these vulnerabilities, we provided the following solutions:
- Securing the Ad Management Process – Implementing authentication controls and authorization checks to prevent unauthorized ad changes.
- Disabling Sensitive Logging – Ensuring OTPs and other sensitive information are not exposed in Logcat.
- Secure Data Handling – Applying strong encryption mechanisms to secure user credentials and sensitive data.
- Implementing Secure Authentication Practices – Avoiding OTP leaks by using secure API responses and token-based authentication.
- Hardening APK – Preventing URL and admin page leaks by obfuscating sensitive information and restricting access.
- Activity Hijacking Prevention – Ensuring proper security settings to restrict unauthorized access to application activities.
- Disabling Backup Features – Preventing data leaks by disabling APK backup functionality.
- Guidance on Secure Coding Practices – Educating the client on secure development practices to avoid similar issues in future releases.
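Two of the findings above, Activity Hijack and Backup Enabled in APK, come down to manifest settings and can be checked automatically before each release. The following is an added example, not code from the assessed application or from our engagement; it audits a decoded AndroidManifest.xml, and the package, activity and action names in the sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET
NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a decoded AndroidManifest.xml with hypothetical names.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.signage">
  <application android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdPlayerActivity">
      <intent-filter>
        <action android:name="com.example.signage.PLAY_AD"/>
      </intent-filter>
    </activity>
    <activity android:name=".OtpActivity" android:exported="false"/>
    <activity android:name=".SettingsActivity" android:exported="true"/>
  </application>
</manifest>
"""

def is_launcher(activity):
    """True for the MAIN/LAUNCHER entry point, which has to stay exported."""
    for flt in activity.findall("intent-filter"):
        actions = {a.get(NS + "name") for a in flt.findall("action")}
        cats = {c.get(NS + "name") for c in flt.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False

def audit_manifest(xml_text):
    """Return (issue, component) tuples for backup and exported-activity risks."""
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return []
    findings = []
    # android:allowBackup defaults to true when the attribute is absent.
    if app.get(NS + "allowBackup") != "false":
        findings.append(("backup-enabled", "application"))
    for act in app.findall("activity"):
        exported = act.get(NS + "exported")
        # Without an explicit value, an intent-filter historically implied exported=true.
        reachable = exported == "true" or (exported is None and act.find("intent-filter") is not None)
        if reachable and not is_launcher(act) and act.get(NS + "permission") is None:
            findings.append(("exported-activity", act.get(NS + "name")))
    return findings
```

On the sample, the check reports the enabled backup plus the two activities that other apps can start without holding a permission; the launcher and the explicitly non-exported activity pass.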
Benefits:
- Stronger Security Posture – The application was fortified against common threats and unauthorized data access.
- Protection Against Exploits – The mitigations implemented prevent attackers from manipulating ad content and hijacking user sessions.
- Improved User Trust – Ensuring security best practices helps maintain the credibility of the client’s application among advertisers and users.
- Compliance with Security Standards – Addressing security flaws aligns with industry security standards and best practices.
- Reduced Risk of Data Breaches – With secure data storage and transmission mechanisms, the chances of data leaks and unauthorized access are minimized.
Conclusion
Our detailed security assessment of the digital signage application identified and resolved multiple critical vulnerabilities. Through a combination of code review, runtime analysis, and effective collaboration, we helped secure a minimalistic yet potentially vulnerable application. This engagement reinforced the importance of securing even lightweight applications, emphasizing that simplicity in function should never mean simplicity in security.