Use Case: Fintech

Scope:

A penetration test was performed on the Android version of a digital wallet mobile application. The test was performed in a grey-box manner and simulated a malicious user with partial knowledge of the system's functionality.

Time Frame:

8 working days: 5 days of penetration testing of the Android version, and 3 days of data analysis, elimination of false positives and elaboration of the remediation report.

Steps performed:

  1. Planning
  2. Analysis of mobile structure and linked technology
  3. Review of the mobile application WITH and WITHOUT an authenticated user
  4. Error search in design and programming
  5. Business Logic Review
  6. Client interaction review
  7. Review of confidentiality and source code integrity of the application
  8. Result generation

Conclusions:

In FinTech businesses, one of the most frequently highlighted recommendations is to implement certificate pinning to protect the communication between client and server.
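As an added illustration of that recommendation (not code from the original report or from the tested application), the following Android Network Security Config pins the SPKI hashes of the wallet backend's certificate chain. The domain, the two pin values and the expiry date are placeholders chosen for this example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml
     Referenced from AndroidManifest.xml with
       <application android:networkSecurityConfig="@xml/network_security_config" ...>
     Applies on Android 7.0 (API 24) and later. -->
<network-security-config>
    <!-- Default for every other host: no cleartext, system trust store only. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Placeholder backend domain for the wallet API. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example-wallet.invalid</domain>

        <!-- Pin the SHA-256 of the Subject Public Key Info, not the whole certificate,
             so routine re-issuance with the same key does not break the app.
             Each pin is computed from the PEM certificate with:
               openssl x509 -in cert.pem -pubkey -noout \
                 | openssl pkey -pubin -outform der \
                 | openssl dgst -sha256 -binary | base64
             The expiration date forces the pins to stop being enforced before
             a forgotten rotation can lock users out (placeholder date). -->
        <pin-set expiration="2026-12-31">
            <!-- Primary pin: current intermediate or leaf key (placeholder value). -->
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_SHA256_BASE64=</pin>
            <!-- Backup pin: key held offline for emergency rotation (placeholder value). -->
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_SHA256_BASE64=</pin>
        </pin-set>

        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </domain-config>
</network-security-config>
```

Ship at least one backup pin for a key that is not yet deployed, and make the release build verify the pins against the production chain; a mismatch with no backup makes the app unable to reach its own backend.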

At Puffin Security, we enjoy contributing security knowledge to complex organizations, as our team is composed of Certified Security Engineers who follow professional codes of conduct (those of ISACA, (ISC)2 and ISSA, as well as the OSSTMM "Rules of Engagement"). For more information, contact us here or at info@puffinsecurity.com.