Case study

Security Testing of a Cultural Mobile Application

Overview

A client engaged us to perform a security assessment of their Android mobile application (APK), which serves as a cultural platform offering personalized content, location-based services, and daily insights tailored to user preferences. The objective was to identify and address security vulnerabilities that could potentially expose user data or compromise application integrity.

To ensure a thorough evaluation of the app’s security posture, both static and dynamic analysis methods were applied throughout the engagement.

Challenges Faced:

  • Certificate (SSL) Pinning Enforcement: The app pinned the backend's TLS certificate, so the certificate presented by an intercepting proxy was rejected and traffic could not be captured. Standard bypass methods were unsuccessful, and advanced debugging and runtime instrumentation were required to overcome it.
  • Delayed Client Response: After the static analysis was complete and half of the report had been prepared, the client became unresponsive because of a delayed payment. The assessment was paused for nearly a month before resuming.
  • Dynamic Testing Constraints: Even after the engagement resumed, certificate pinning remained the main barrier to dynamic testing and required specialized tooling and manual intervention before API traffic could be examined.
  • Client Cooperation Issues: Inconsistent client communication made re-audits and validation of fixes slower than expected.

Key Findings & Observations:

During the assessment we identified multiple vulnerabilities, several of them critical, including:

  • Insecure Data Storage – Sensitive user data was stored unencrypted on the device, readable by anyone with access to the device's storage or a backup of it.
  • Account Update via Leaked JWT Token – The API accepted a leaked JWT for account modification without any further check; because tokens never expired (see Broken Session Management below), a single captured token was enough for a persistent account takeover.
  • No Rate Limit in Forgot Password Feature – Password reset requests could be submitted without restriction, allowing reset codes to be brute-forced and victims to be flooded with reset messages.
  • Broken Session Management – Sessions and tokens never expired, so users remained authenticated indefinitely and a hijacked session stayed valid until the token itself leaked no longer mattered.
  • Business Logic Flaw: OTP Manipulation – Manipulating the OTP verification step enabled account creation without a valid code, i.e. the server did not bind a successful verification to the account being registered.
  • No Rate Limit on Login Page – The absence of rate limiting or lockout allowed unrestricted brute-force attacks on user credentials.
  • Janus Vulnerability (CVE-2017-13156) – The APK could be verified under the v1 (JAR) signature scheme alone, which only checks individual ZIP entries. On unpatched Android 5.0 to 8.0 devices, an attacker can prepend a malicious DEX to such an APK without invalidating its signature. The fix is to sign with the v2/v3 APK Signature Scheme, which covers the whole file.
  • Sensitive Information Disclosure – Personal user information was exposed through API responses and on-device artifacts because of missing access controls.
  • Use of a Vulnerable SDK Version – The app was built against an outdated and vulnerable Android SDK version (target API level), forgoing newer platform protections and carrying known issues.
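A static check for the Janus finding above, written here as an added example (it is not tooling from the engagement, nor part of MobSF): it parses an APK's ZIP structure and reports whether an APK Signing Block carrying a v2/v3 signature sits in front of the central directory, which is what protects an APK from a Janus-style DEX prepend. The sample APK and the signing block inserted by `add_signing_block` are constructed placeholders with no real signatures; they exist only to exercise the check.

```python
import io
import struct
import zipfile

# Magic and scheme IDs from the Android APK Signing Block format
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
SIG_SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3", 0x1B93AD61: "v3.1"}


def _eocd_offset(data):
    """Offset of the End of Central Directory record (no ZIP64 handling)."""
    if len(data) >= 22 and data[-22:-18] == b"PK\x05\x06":
        return len(data) - 22          # common case: no archive comment
    idx = data.rfind(b"PK\x05\x06")
    if idx < 0:
        raise ValueError("not a ZIP/APK: no End of Central Directory record")
    return idx


def central_directory_offset(data):
    # The 4-byte central directory offset lives at byte 16 of the EOCD record
    return struct.unpack_from("<I", data, _eocd_offset(data) + 16)[0]


def has_v1_signature(data):
    """v1 (JAR) signing leaves META-INF/*.RSA|DSA|EC signature files in the archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    return any(n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
               for n in names)


def signing_block_schemes(data):
    """Set of scheme names found in the APK Signing Block (empty if there is none).

    Block layout, placed immediately before the central directory:
      u64 size | pairs (u64 len, u32 id, value) | u64 size | 16-byte magic
    """
    cd_off = central_directory_offset(data)
    if cd_off < 24:
        return set()
    size, magic = struct.unpack_from("<Q16s", data, cd_off - 24)
    if magic != APK_SIG_BLOCK_MAGIC:
        return set()
    block_start = cd_off - size - 8
    if block_start < 0 or struct.unpack_from("<Q", data, block_start)[0] != size:
        return set()                   # inconsistent size fields: no usable block
    schemes = set()
    pos, end = block_start + 8, cd_off - 24
    while pos < end:
        pair_len, pair_id = struct.unpack_from("<QI", data, pos)
        schemes.add(SIG_SCHEME_IDS.get(pair_id, f"unknown-0x{pair_id:08x}"))
        pos += 8 + pair_len
    return schemes


def janus_exposed(data):
    """True when only the v1 signature protects the APK (no v2/v3 signing block)."""
    return has_v1_signature(data) and not (signing_block_schemes(data) & {"v2", "v3", "v3.1"})


def build_sample_apk():
    """Constructed v1-only sample with placeholder entries; not a real signed app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 12)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82\x00\x00")  # placeholder, not PKCS#7
    return buf.getvalue()


def add_signing_block(data, scheme_id):
    """Insert a synthetic signing block (placeholder value, no real signature) where
    apksigner would place a real one, and fix up the EOCD's central directory offset."""
    pair = struct.pack("<QI", 4 + 16, scheme_id) + b"\x00" * 16
    size = len(pair) + 8 + 16
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    cd_off = central_directory_offset(data)
    eocd = _eocd_offset(data) + len(block)
    out = data[:cd_off] + block + data[cd_off:]
    return out[:eocd + 16] + struct.pack("<I", cd_off + len(block)) + out[eocd + 20:]


if __name__ == "__main__":
    apk = build_sample_apk()
    print("v1-only sample exposed:", janus_exposed(apk))                           # True
    print("with v2 block exposed:", janus_exposed(add_signing_block(apk, 0x7109871A)))  # False
```

On a real APK, `apksigner verify --verbose` gives the authoritative answer; this script only inspects the container and is useful for bulk triage. Note that even a v2/v3-signed APK that also carries a v1 signature remains exposed on devices older than Android 7.0 that have not received the December 2017 platform patch, since those devices verify the v1 signature only.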

Remediation & Testing Approach

To address these security concerns, we took the following approach:

  • Static Analysis: Conducted in-depth static testing using MobSF, Apktool, Jadx-GUI, and AndroBugs to analyze the decompiled code, manifest, and resources for vulnerabilities.
  • Dynamic Testing & Certificate Pinning Bypass: Bypassed certificate pinning using custom debugging techniques and Frida scripts that hook the app's certificate validation at runtime, enabling us to intercept API traffic through Burp Suite for security assessment.
  • Rate Limiting Implementation: Recommended and guided the client on implementing proper rate-limiting mechanisms for login and password reset functionalities.
  • Session Management Best Practices: Provided steps to implement token expiration and logout mechanisms to prevent unauthorized access.
  • Remediation Guidance: Detailed step-by-step remediation strategies for each identified vulnerability in the final report.
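The rate-limiting and OTP recommendations above, as an added example (this is not the client's code or the remediation delivered in the report): an in-memory service that issues single-use, expiring codes bound to the requesting account, limits how many codes an account can request per window, and invalidates a code after a fixed number of wrong guesses so it cannot be brute-forced. Timestamps are passed in explicitly to keep the behaviour deterministic; the limits are assumed values, not the client's configuration.

```python
import hmac
import secrets
from collections import defaultdict, deque

# Assumed policy values for the example; tune per application
OTP_TTL_SECONDS = 300          # a code is valid for 5 minutes
MAX_VERIFY_ATTEMPTS = 5        # after this many guesses the code is burned
ISSUE_LIMIT_PER_WINDOW = 3     # codes one account may request per window
ISSUE_WINDOW_SECONDS = 900     # 15-minute sliding window


class OtpService:
    def __init__(self):
        self._active = {}                    # account -> {"code", "expires", "attempts"}
        self._issues = defaultdict(deque)    # account -> timestamps of recent requests

    def request_code(self, account, now):
        """Issue a fresh code for `account`, or None if the account is rate limited.

        The code is returned to the caller so it can be sent over the out-of-band
        channel (SMS/e-mail); it must never appear in the HTTP response."""
        recent = self._issues[account]
        while recent and now - recent[0] >= ISSUE_WINDOW_SECONDS:
            recent.popleft()             # drop requests outside the window
        if len(recent) >= ISSUE_LIMIT_PER_WINDOW:
            return None                  # caller answers with the same generic message
        recent.append(now)
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, 6 digits
        # Issuing a new code replaces any previous one for the account
        self._active[account] = {"code": code, "expires": now + OTP_TTL_SECONDS, "attempts": 0}
        return code

    def verify(self, account, submitted, now):
        """True only if `submitted` matches the live code issued to this account."""
        entry = self._active.get(account)
        if entry is None:
            return False                 # no code issued, expired, used, or burned
        if now >= entry["expires"]:
            del self._active[account]
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["code"], str(submitted))   # constant-time compare
        if ok or entry["attempts"] >= MAX_VERIFY_ATTEMPTS:
            del self._active[account]    # single use; also burn after too many guesses
        return ok


if __name__ == "__main__":
    svc = OtpService()
    code = svc.request_code("alice@example.com", now=0)      # constructed account
    print("wrong account accepted:", svc.verify("bob@example.com", code, now=1))   # False
    print("right code accepted:", svc.verify("alice@example.com", code, now=2))    # True
    print("replayed code accepted:", svc.verify("alice@example.com", code, now=3)) # False
```

The verification result is tied to the account the code was issued for, which is the control missing in the OTP business-logic flaw; the per-account request limit and the attempt cap are the two rate limits the password reset and login findings called for. A per-source-IP limit in front of this service closes the remaining enumeration path.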

Tools Utilized:

  • Burp Suite – Used for intercepting, analyzing, and replaying HTTPS traffic between the app and its backend API.
  • MobSF (Mobile Security Framework) – Automated static analysis of the APK (manifest, permissions, signature scheme, hard-coded secrets).
  • Apktool – Used to decode the APK and inspect its manifest, resources, and smali code.
  • Platform-Tools (ADB & Fastboot) – Used to install the app on the test device, pull on-device storage, and interact with the running application.
  • Jadx-GUI – Used to decompile the DEX code to Java for manual source review.
  • AndroBugs – Used to scan the APK for known insecure patterns.
  • Frida – Used for runtime instrumentation, in particular to hook certificate validation and bypass pinning during dynamic testing.

Benefits:

  • Enhanced Application Security: Critical issues like data exposure, session vulnerabilities, and insecure authentication were remediated, significantly reducing the risk of compromise.
  • Improved User Protection: Sensitive data storage and transmission methods were secured to protect user privacy and meet data protection standards.
  • Better Authentication & Logic Flow: Flaws in OTP, session management, and brute-force prevention were addressed, strengthening the application’s overall authentication flow.
  • Security Best Practice Alignment: Our recommendations aligned the app’s architecture with industry standards for mobile application security and helped build a strong foundation for compliance.

Conclusion

Despite hurdles including SSL pinning barriers and communication delays, we successfully delivered a thorough security assessment of the client’s mobile application. Our methodology, combining automated tools and manual inspection, uncovered critical vulnerabilities and ensured they were effectively addressed. As a result, the app now benefits from stronger data protection, improved authentication mechanisms, and a reduced attack surface.

We recommend conducting regular security assessments and keeping SDKs and libraries up-to-date to maintain long-term application security.

Challenge:

A cultural mobile platform exposed user data and allowed unauthorized access due to insecure storage, broken authentication, and lack of rate limiting.

Solution:

Cyber Sapiens conducted static and dynamic security testing, bypassed certificate pinning, and provided remediation for critical vulnerabilities in session management, data handling, and API security.

Outcome:

  • 9+ critical issues resolved
  • Improved user data protection and session security
  • App aligned with mobile security best practices