At a Glance
- Industry: Banking & BFSI
- Engagement type: Mobile Application VAPT
- Tech stack: Native Android (Kotlin) + iOS (Swift) apps, Spring Boot backend, AWS infrastructure, Aadhaar OTP integration, biometric authentication
- Outcome: All critical and high-severity findings remediated and re-tested with no critical issues remaining at close.
- Delivered by: ISO/IEC 27001:2022 certified consultants with OSCP, OSEP, CISA, CISM credentials.
Compliance Frameworks Satisfied
Client Overview
Industry: Banking & BFSI
Product: Retail mobile banking app (Android + iOS)
Tech stack: Native Android (Kotlin) + iOS (Swift) apps, Spring Boot backend, AWS infrastructure, Aadhaar OTP integration, biometric authentication
The client is a mid-size Indian private bank operating across 4 metros with 2.8M active retail customers and a mobile banking app handling INR 18,000+ crore monthly transaction volume. Their mobile-first strategy demanded continuous security assurance for the customer-facing app.
Challenge
Three factors drove the urgency of this engagement:
- RBI compliance deadline. The annual RBI cybersecurity examination required current pentest evidence covering both mobile platforms
- New biometric login. A biometric authentication flow had shipped to production without dedicated mobile security review
- Customer fraud reports. Three reported account takeover incidents in the previous quarter suggested possible mobile attack paths
Our Approach
Codesecure delivered a structured engagement combining automated coverage with deep manual testing focused on the specific risk areas for this client.
Scope of Testing
The engagement covered the following primary areas:
- OWASP Mobile Top 10 coverage of Android (APK) and iOS (IPA) binaries
- MASVS Level 2 testing including anti-tampering, anti-debugging and root/jailbreak detection bypass
- Biometric authentication flow analysis with replay and bypass attempts
- API security testing of all backend endpoints (OWASP API Top 10)
- TLS pinning bypass and traffic interception via Frida instrumentation
- Local storage and keychain analysis for credential or PII exposure
- Insecure deep link, intent handling and accessibility service abuse testing
Tooling Used
Reporting & Walkthrough
Executive summary delivered alongside a technical report containing reproducible PoC steps, CVSS v3.1 severity scoring and developer-actionable remediation guidance. Live walkthrough with the client team covered every critical finding with reproduction and recommended fix path.
Need a Similar Engagement?
Our ISO/IEC 27001:2022 certified consultants deliver fixed-price, named-consultant engagements with executive-ready outcomes. Free 30-minute scoping call, instant response, no delay.
Book a Free Scoping Call
Results
Critical Findings
- Biometric bypass via accessibility service abuse allowing transaction approval without fingerprint
- Local storage held the decrypted account balance and recent transactions in cleartext, readable on any rooted device
- TLS certificate pinning could be bypassed with a Frida hook, enabling MITM in 30 seconds
High & Medium Severity
- Insecure deep link allowing parameter injection to pre-fill transfer forms
- Weak session timeout (60+ minutes idle)
- JWT signature validation flaw on an internal API
- Missing rate limit on the OTP endpoint, enabling brute force
- Verbose error messages disclosing backend stack details
Before vs. After
Before Engagement
- Biometric flow exploitable via accessibility
- PII visible in local storage on rooted devices
- TLS pinning trivially bypassable
- 3 customer ATO incidents in prior quarter
- No formal mobile pentest in 18 months
- RBI examination evidence missing
After Remediation
- Biometric flow requires hardware attestation
- All sensitive data encrypted with EncryptedSharedPreferences
- Pinning enforced with certificate transparency
- Zero ATO incidents in 90 days post-fix
- Quarterly mobile pentest schedule established
- Clean RBI examination report
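The "encrypted with EncryptedSharedPreferences" remediation above is the standard Android fix for the cleartext-local-storage finding. The following Kotlin snippet is an added example written for this page, not the bank's or Codesecure's code; the file names, key names and the idea of caching a balance plus a transactions JSON blob are assumptions for illustration. It shows the weak pattern beside the hardened one so the difference is visible at the call site.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

// Added example: caching an account summary so that nothing readable is
// written under /data/data/<package>/shared_prefs. File and key names are
// assumed for illustration.
object AccountCache {
    private const val KEY_BALANCE_PAISE = "balance_paise"
    private const val KEY_RECENT_TXNS = "recent_txns_json"

    // Weak pattern (the finding): plain SharedPreferences serialise values as
    // cleartext XML. App sandboxing keeps other apps out, but root, a backup
    // extraction or a forensic image reads the balance and transactions directly.
    fun openPlain(context: Context): SharedPreferences =
        context.getSharedPreferences("account_cache_plain", Context.MODE_PRIVATE)

    // Hardened pattern (the remediation): EncryptedSharedPreferences encrypts
    // each key with AES-SIV and each value with AES-GCM under a master key that
    // is generated in the Android Keystore. The XML still exists on disk, but
    // a rooted reader gets only ciphertext.
    fun openEncrypted(context: Context): SharedPreferences {
        val masterKey = MasterKey.Builder(context)
            .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
            .build()
        return EncryptedSharedPreferences.create(
            context,
            "account_cache_enc",
            masterKey,
            EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
            EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM,
        )
    }

    // Same call sites for both stores: swapping openPlain() for openEncrypted()
    // is the whole code change at the write and read paths.
    fun saveSummary(prefs: SharedPreferences, balancePaise: Long, recentTxnsJson: String) {
        prefs.edit()
            .putLong(KEY_BALANCE_PAISE, balancePaise)
            .putString(KEY_RECENT_TXNS, recentTxnsJson)
            .apply()
    }

    fun readBalancePaise(prefs: SharedPreferences): Long? =
        if (prefs.contains(KEY_BALANCE_PAISE)) prefs.getLong(KEY_BALANCE_PAISE, 0L) else null

    // Call on logout. Encryption at rest protects the file, not a running
    // process: an instrumented app can still read values through the API,
    // so keep the cache short-lived and pair it with runtime tamper checks.
    fun wipe(prefs: SharedPreferences) = prefs.edit().clear().apply()
}
```

The storage scheme names (AES256_SIV for keys, AES256_GCM for values) are the ones the androidx.security.crypto library exposes; the surrounding cache logic is illustrative only.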
"The Codesecure team found three critical issues our previous auditor missed completely. The biometric bypass alone could have cost us crores in fraud. Their report went straight into our RBI submission with no rewriting."
Anonymous, Head of Mobile Engineering, mid-size Indian private bank
Key Lessons
What Other Teams Can Take Away
- Biometric authentication is bypassable. Accessibility service abuse, hardware attestation gaps and replay attacks all defeat naive biometric flows. Test every biometric integration.
- Local storage is not encrypted by default. SharedPreferences, SQLite, Realm and even Keystore have well-documented misuse patterns leaking sensitive data.
- TLS pinning needs reinforcement. Single-pinned certificates are bypassable with Frida in seconds. Use certificate transparency and runtime tamper detection.
- Mobile pentest cycles should match release cadence. Quarterly mobile VAPT for high-volume banking apps; on-change validation for major feature releases.
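The first lesson, together with the "biometric flow requires hardware attestation" remediation in the Before vs. After table, comes down to one design rule: the approval must be a cryptographic operation that only a genuine biometric can unlock, not a boolean callback that a UI click can trigger. The Kotlin below is an added example written for this page, not the bank's or Codesecure's code. It assumes a key alias, a server that issues an attestation challenge at enrolment and later verifies the ECDSA signature over the transaction bytes, and the androidx.biometric library; those parts are not described on the page.

```kotlin
import android.os.Build
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.PrivateKey
import java.security.Signature
import java.security.cert.Certificate
import java.security.spec.ECGenParameterSpec

// Added example: transaction approval bound to a Keystore key that only signs
// after a BIOMETRIC_STRONG authentication. Alias and server contract are assumed.
class TransactionApprover(private val activity: FragmentActivity) {
    private val alias = "txn_approval_key"   // assumed key alias

    private fun keyStore() = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }

    // Enrolment: create a hardware-backed EC key that (a) cannot sign until a
    // BIOMETRIC_STRONG authentication succeeds and (b) carries an attestation
    // chain for the server-supplied challenge. The chain is returned so the
    // backend can verify the key really lives in TEE/StrongBox before trusting it.
    fun enrol(serverChallenge: ByteArray): Array<Certificate> {
        val spec = KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_SIGN)
            .setAlgorithmParameterSpec(ECGenParameterSpec("secp256r1"))
            .setDigests(KeyProperties.DIGEST_SHA256)
            .setUserAuthenticationRequired(true)
            .setInvalidatedByBiometricEnrollment(true)   // a newly enrolled fingerprint kills the key
            .setAttestationChallenge(serverChallenge)
            .apply {
                if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
                    // 0 s timeout = fresh biometric for every signature; no PIN/pattern fallback
                    setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
                }
            }
            .build()
        KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore")
            .run { initialize(spec); generateKeyPair() }
        return keyStore().getCertificateChain(alias)
    }

    // Approval: the signature is produced inside onAuthenticationSucceeded from
    // the CryptoObject the prompt authorised. Driving the Approve button through
    // an accessibility service never reaches this path, so a backend that
    // verifies the signature over amount + payee + nonce sees no valid approval.
    fun approve(txnBytes: ByteArray, onSigned: (ByteArray) -> Unit, onFailed: (String) -> Unit) {
        val sig = Signature.getInstance("SHA256withECDSA").apply {
            // Throws KeyPermanentlyInvalidatedException if biometric enrolment changed:
            // treat that as "re-enrol", never as "fall back to a weaker factor".
            initSign(keyStore().getKey(alias, null) as PrivateKey)
        }
        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                val authorised = result.cryptoObject?.signature
                    ?: return onFailed("prompt returned no crypto object")
                authorised.update(txnBytes)
                onSigned(authorised.sign())   // only succeeds for the authorised operation
            }
            override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                onFailed(errString.toString())
            }
        }
        val prompt = BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
        val info = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Approve transfer")
            .setNegativeButtonText("Cancel")
            .setAllowedAuthenticators(BIOMETRIC_STRONG)   // Class 3 biometrics only
            .build()
        prompt.authenticate(info, BiometricPrompt.CryptoObject(sig))
    }
}
```

Two checks worth making when reviewing a flow like this: the server must refuse any approval that does not carry a signature verifiable against the attested public key (a flow that also accepts a plain "approved=true" flag reintroduces the bypass), and the prompt must not allow DEVICE_CREDENTIAL, since a PIN can be typed by the same accessibility service that clicked the button.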
Conclusion
Mobile banking applications carry concentrated customer trust and transaction risk. The combination of biometric bypass, leaked local storage and bypassable TLS pinning could have enabled large-scale account takeover. Comprehensive mobile VAPT covering both platforms plus the backend APIs surfaced what the bank's previous testing had missed.
For Indian banks, NBFCs and fintechs with customer-facing mobile apps, RBI now examines mobile pentest evidence directly. Codesecure's mobile VAPT delivers OWASP MASVS Level 2 coverage with developer-actionable findings and a free retest, typically completing in 1-2 weeks.
Want Outcomes Like These?
Codesecure is an ISO/IEC 27001:2022 certified cybersecurity firm. We deliver fixed-price engagements with named consultants and executive-ready outcomes across India, UAE, Saudi Arabia, Australia, Singapore and Maldives.
