HIGH2023

Supply Chain Risk in Mobile Banking Application

Mobile Application Security Assessment

The Scenario

A digital bank with 500,000 active users requested a mobile application security assessment of their iOS and Android apps. The focus was on authentication flows and data protection at rest and in transit.

The Impact

Our assessment uncovered a vulnerable third-party analytics SDK embedded in the app that was exfiltrating sensitive data to an unauthorized endpoint - a supply chain compromise the client was unaware of.

The Outcome

The compromised SDK was removed and replaced within 48 hours. The client implemented a mobile SDK vetting process and engaged for annual mobile assessments.

Mandatory reporting penalties were avoided through proactive discovery.

Key Findings

Critical: Third-party analytics SDK exfiltrating user PII (name, email, device fingerprint) to a non-disclosed endpoint in Eastern Europe
High: Biometric authentication bypassable via Frida hook - app fell back to PIN without a re-authentication requirement
High: Account balance and transaction history cached in cleartext in a SQLite database accessible without root on Android
Medium: SSL certificate pinning bypassable using a standard Frida script - no custom pinning implementation
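The critical finding above is the kind of issue an SDK vetting process should catch before release rather than during an annual assessment. The following script is an added example, not the assessor's tooling and not code from this page: it reads a constructed JSON-lines capture of outbound requests (the format an interception proxy might export from an instrumented test build), compares each destination host against the bank's documented backend allowlist (the hostnames under `examplebank.test` and the SDK hostnames are assumed placeholders), and flags requests whose bodies carry PII-like fields. Unknown host plus PII is rated critical, unknown host alone high, and PII to a known backend is recorded as informational so reviewers can confirm it is expected.

```python
"""SDK egress audit: flag third-party destinations and PII leaving the device.

Added example; hostnames, field names and the sample capture are constructed.
"""
import json
import re
from urllib.parse import urlparse

# Backends the bank has documented as legitimate (assumed placeholder values).
ALLOWED_HOSTS = {"api.examplebank.test", "cdn.examplebank.test"}

# Request-body keys that indicate personal data leaving the device.
PII_FIELDS = {"name", "full_name", "email", "phone", "device_fingerprint", "device_id"}

# Catches e-mail addresses in bodies that are not JSON (form-encoded, etc.).
EMAIL_RE = re.compile(r"[^@\s\"']+@[^@\s\"']+\.[a-z]{2,}", re.I)


def _walk_keys(obj):
    """Yield every key in a nested JSON structure, lower-cased."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield str(key).lower()
            yield from _walk_keys(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from _walk_keys(item)


def find_pii_fields(body):
    """Return the sorted list of PII indicators found in a request body."""
    found = set()
    try:
        found.update(k for k in _walk_keys(json.loads(body)) if k in PII_FIELDS)
    except (ValueError, TypeError):
        pass  # not JSON; the raw scan below still runs
    if EMAIL_RE.search(body or ""):
        found.add("email")
    return sorted(found)


def classify(host, pii_fields, allowed_hosts):
    """Severity for one request, or None when nothing needs review."""
    unknown = host not in allowed_hosts
    if unknown and pii_fields:
        return "critical"  # personal data to an undocumented endpoint
    if unknown:
        return "high"      # undocumented endpoint, contents unclear
    if pii_fields:
        return "info"      # PII to a known backend; confirm it is expected
    return None


def audit_capture(capture_text, allowed_hosts=ALLOWED_HOSTS):
    """Parse a JSON-lines capture and return the requests worth reviewing."""
    findings = []
    for line in capture_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            req = json.loads(line)
        except ValueError:
            continue  # malformed export line; skip rather than guess
        # A request with no parseable host is treated as an unknown destination.
        host = (urlparse(req.get("url", "")).hostname or "").lower()
        pii = find_pii_fields(req.get("body", ""))
        severity = classify(host, pii, allowed_hosts)
        if severity:
            findings.append({"url": req.get("url"), "host": host,
                             "pii_fields": pii, "severity": severity})
    return findings


# Constructed sample capture: what a proxy export from a test build might hold.
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "https://api.examplebank.test/v1/login",
     "body": json.dumps({"user": "u123"})},
    {"method": "POST", "url": "https://metrics.sdk-vendor.example/collect",
     "body": json.dumps({"name": "Jane Doe", "email": "jane@example.test",
                         "device_fingerprint": "ab12"})},
    {"method": "GET", "url": "https://cdn.examplebank.test/assets/logo.png",
     "body": ""},
    {"method": "POST", "url": "https://ping.sdk-vendor.example/heartbeat",
     "body": json.dumps({"ts": 1})},
    {"method": "POST", "url": "https://api.examplebank.test/v1/profile",
     "body": json.dumps({"email": "jane@example.test"})},
]
SAMPLE_CAPTURE = "\n".join(json.dumps(r) for r in SAMPLE_REQUESTS)

if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE):
        print(f"[{finding['severity'].upper()}] {finding['host']} "
              f"pii={finding['pii_fields']}")
```

In practice the allowlist should come from the same source the app build uses (for example the hosts named in its network security configuration), so the audit and the release artifact cannot drift apart, and the capture should be taken from a build with the analytics SDK exercised through its normal initialization and event paths.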
