Client Overview
A leading private sector bank had developed a new mobile banking application to serve its growing digital customer base. The application was available on both Android and iOS platforms and handled sensitive financial transactions including fund transfers, bill payments, fixed deposit management, and account statements. With over two million active users, ensuring the security of this application was a regulatory requirement and a business priority.
Challenge
The bank needed to ensure the mobile application met RBI cybersecurity framework requirements before a scheduled compliance audit. The application integrated with multiple backend services, third-party payment gateways, and biometric authentication systems. Previous assessments had focused only on the backend APIs, leaving the mobile client-side security largely untested. The bank required a thorough assessment covering both platforms.
Our Approach
Codesecure conducted a comprehensive mobile application VAPT engagement covering the following areas:
• Static analysis (SAST) of Android APK and iOS IPA binaries for hardcoded credentials, insecure storage, and code obfuscation gaps
• Dynamic analysis (DAST) of both platforms covering runtime behaviour, memory analysis, and inter-process communication
• API security testing for all 87 backend endpoints including authentication, authorisation, input validation, and rate limiting
• Local data storage analysis — SharedPreferences, SQLite databases, Keychain, and cache directories for sensitive data leakage
• SSL/TLS configuration review including certificate pinning implementation and bypass testing
• Session management assessment covering token lifecycle, timeout policies, and concurrent session handling
• Business logic testing — transaction limit bypass, OTP reuse, beneficiary manipulation, and race condition exploits
• Third-party SDK review for known vulnerabilities and excessive permission requests
Results
We identified 38 vulnerabilities — 6 critical, 12 high, and 20 medium.
Critical findings included:
• Authentication token stored in plaintext in SharedPreferences on Android
• Missing certificate pinning allowing man-in-the-middle interception
• An OTP bypass vulnerability through response manipulation
• Transaction amount tampering via API parameter modification
• Exposed debug logs containing customer account numbers in the iOS build
• A session fixation vulnerability allowing account takeover
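The first critical finding above is a storage pattern that recurs in Android applications: a session token written to SharedPreferences as plaintext, where any process with root or a backup extraction can read it. The Kotlin snippet below is an added illustration and is not code from the bank's application or from the Codesecure engagement. It places the vulnerable pattern beside a hardened version that keeps the token encrypted with an AES-256-GCM key held in the Android Keystore, so the key material never leaves hardware-backed storage and the stored value is useless without it. The alias `session_token_key` and the preference file names are assumed for the example.

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Base64
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// VULNERABLE pattern (the finding): the token is persisted as readable text.
// Anything that can read the app's private directory recovers the session.
fun storeTokenInsecurely(context: Context, token: String) {
    context.getSharedPreferences("auth", Context.MODE_PRIVATE)
        .edit()
        .putString("session_token", token)
        .apply()
}

// Assumed names for the example; not taken from the assessed application.
private const val KEY_ALIAS = "session_token_key"
private const val SECURE_PREFS = "auth_secure"
private const val ANDROID_KEYSTORE = "AndroidKeyStore"

// Returns the app's AES-256 key from the Android Keystore, generating it on first use.
// The key is non-exportable: callers get a handle, never the raw bytes.
private fun getOrCreateKey(): SecretKey {
    val keyStore = KeyStore.getInstance(ANDROID_KEYSTORE).apply { load(null) }
    (keyStore.getEntry(KEY_ALIAS, null) as? KeyStore.SecretKeyEntry)?.let { return it.secretKey }

    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS,
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .build()

    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE)
        .apply { init(spec) }
        .generateKey()
}

// HARDENED pattern: only an AES-GCM ciphertext and its IV reach disk.
fun storeTokenSecurely(context: Context, token: String) {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    // Keystore keys require randomized encryption, so the IV is generated per call.
    cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey())
    val ciphertext = cipher.doFinal(token.toByteArray(Charsets.UTF_8))

    context.getSharedPreferences(SECURE_PREFS, Context.MODE_PRIVATE)
        .edit()
        .putString("iv", Base64.encodeToString(cipher.iv, Base64.NO_WRAP))
        .putString("ct", Base64.encodeToString(ciphertext, Base64.NO_WRAP))
        .apply()
}

// Decrypts the stored token; returns null when nothing is stored.
// GCM authentication means a tampered ciphertext throws instead of yielding garbage.
fun readToken(context: Context): String? {
    val prefs = context.getSharedPreferences(SECURE_PREFS, Context.MODE_PRIVATE)
    val iv = prefs.getString("iv", null) ?: return null
    val ct = prefs.getString("ct", null) ?: return null

    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(
        Cipher.DECRYPT_MODE,
        getOrCreateKey(),
        GCMParameterSpec(128, Base64.decode(iv, Base64.NO_WRAP))
    )
    return String(cipher.doFinal(Base64.decode(ct, Base64.NO_WRAP)), Charsets.UTF_8)
}
```

In a review, the quickest check for this finding is to inspect the app's `shared_prefs` XML files on a test device after login: the insecure pattern shows the token verbatim, the hardened one shows only Base64 ciphertext. Encrypting at rest reduces the impact of a device compromise; it does not replace short token lifetimes and server-side revocation, which the session management assessment covers separately.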
All critical and high findings were remediated by the development team. A comprehensive revalidation confirmed successful fixes across both platforms.
Conclusion
Mobile banking applications are high-value targets for attackers due to the sensitive financial data they handle. This engagement demonstrated the importance of testing both the client-side application and the backend APIs together. By identifying and remediating critical vulnerabilities before the compliance audit, the bank strengthened its security posture and met RBI cybersecurity framework requirements. Contact Codesecure for a thorough mobile application security assessment.