
CASE STUDY

Mobile VAPT for a Challenger Bank iOS and Android Application

Executed an OWASP MASVS-aligned mobile penetration test on a challenger bank's iOS and Android apps, uncovering insecure data storage and broken authentication vulnerabilities pre-launch.

THE BRIEF

A Challenger Bank Needed Mobile Security Validation Pre-Launch

A challenger bank preparing to launch its iOS and Android applications to 500,000 waitlisted customers needed independent security validation. Regulatory approval required OWASP MASVS compliance evidence, and the bank's own QA team had no mobile security testing capability.

  • FCA approval required independent mobile security assessment before launch
  • OWASP MASVS Level 1 compliance required as a minimum
  • Both iOS and Android applications required testing across 3 OS versions each
  • No internal mobile security testing capability in the engineering team

We were engaged to perform a comprehensive OWASP MASVS-aligned assessment of both applications and work with the team to achieve full compliance.

Services Used:

  • Mobile Penetration Testing
  • OWASP MASVS
  • iOS & Android Security

TESTIMONIAL

Encyphers were outstanding. They found critical vulnerabilities in our mobile apps that would have been catastrophic at launch. Their detailed findings and hands-on remediation support got us to OWASP MASVS compliance in just 4 weeks. Highly recommend.
Tom Whitfield

CTO, Challenger Bank

SNAPSHOTS

Mobile VAPT Findings & Remediations (two images)

THE CHALLENGE

The Mobile Vulnerabilities They Had

Both applications contained critical vulnerabilities that would have exposed 500,000 customers at launch:

  • Sensitive financial data stored in plaintext in local device storage
  • Biometric authentication bypass exploitable on both platforms
  • Session tokens that persisted after logout, leaving them usable for session hijacking
  • No TLS certificate pinning, leaving app traffic open to man-in-the-middle interception

Any one of these vulnerabilities, exploited after launch, could have caused direct financial loss to customers and significant regulatory action.
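The first finding above is the kind of issue that falls out of a quick scan of an app's pulled storage. The script below is an added illustration, not the engagement's own tooling or evidence: it parses an Android SharedPreferences XML file and an iOS property list, both constructed here as samples rather than taken from a real device, and flags Luhn-valid card numbers, JWT-style tokens and keys whose names suggest credentials. The function names, the sample files and the key-name heuristic are assumptions made for the example.

```python
"""Plaintext-secret scan over extracted mobile app storage.

Added example for this case study, not the engagement's own tooling. Input
files are constructed below to look like an Android SharedPreferences XML
and an iOS property list pulled from an app's private data directory.
"""
import plistlib
import re
import xml.etree.ElementTree as ET

# Constructed sample, not real customer data: an app that writes card data
# and a bearer token with plain putString() into shared_prefs/<name>.xml.
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="customer_name">A. Customer</string>
    <string name="pan">4111111111111111</string>
    <string name="order_ref">4111111111111112</string>
    <string name="session_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.c2lnbmF0dXJl</string>
    <string name="theme">dark</string>
</map>
"""

# Constructed sample: an iOS NSUserDefaults-style plist holding a refresh token.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>account_number</key><string>12345678</string>
    <key>refresh_token</key><string>eyJhbGciOiJub25lIn0.eyJzaWQiOiJhYmMifQ.</string>
    <key>last_screen</key><string>home</string>
</dict>
</plist>
"""

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")      # candidate card numbers
JWT_RE = re.compile(r"eyJ[\w-]+\.[\w-]+\.[\w-]*")   # base64url of '{"' is 'eyJ'
KEY_RE = re.compile(r"(?i)(pan|card|cvv|pin|pass|token|secret|account)")  # noisy, last resort


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value: str) -> list[str]:
    """Label a value by its content, independent of the key it is stored under."""
    kinds = [
        "card number (Luhn-valid)"
        for m in PAN_RE.finditer(value)
        if luhn_ok(m.group())
    ]
    if JWT_RE.search(value):
        kinds.append("JWT-style token")
    return kinds


def scan_pairs(pairs, source: str) -> list[dict]:
    """Apply the value classifiers first, then fall back to the key-name heuristic."""
    findings = []
    for key, value in pairs:
        if not isinstance(value, str):
            continue
        kinds = classify_value(value)
        if not kinds and KEY_RE.search(key):
            kinds = ["sensitive-looking key name (review manually)"]
        findings.extend({"source": source, "key": key, "kind": k} for k in kinds)
    return findings


def scan_shared_prefs(xml_text: str, source: str = "shared_prefs") -> list[dict]:
    """Android SharedPreferences: a <map> of typed elements carrying a name attribute."""
    root = ET.fromstring(xml_text)
    return scan_pairs(((el.get("name", ""), el.text or "") for el in root), source)


def scan_plist(data: bytes, source: str = "plist") -> list[dict]:
    """iOS property list (XML or binary, autodetected); top-level string values only."""
    root = plistlib.loads(data)
    return scan_pairs(root.items(), source) if isinstance(root, dict) else []


def scan_samples() -> list[dict]:
    """Scan both constructed samples; real use points the two scanners at pulled files."""
    return scan_shared_prefs(SAMPLE_PREFS_XML) + scan_plist(SAMPLE_PLIST)


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f['source']}: key={f['key']!r} -> {f['kind']}")
```

On the samples the scanner reports the Luhn-valid `pan`, both JWT-style tokens and `account_number` for manual review, while the `order_ref` value, which is a 16-digit run that fails Luhn, is left alone. Real input comes from `adb shell run-as <package>` on a debuggable Android build or from a rooted device, and from the app container on a jailbroken iOS device; a clean result from this scan is only the starting point, since SQLite databases, logs and caches need the same treatment.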

THE SOLUTION

The Mobile Assessment We Delivered

We performed a comprehensive OWASP MASVS assessment across both platforms:

  • Static and dynamic analysis of both the iOS and Android applications
  • Runtime manipulation and instrumentation testing with the Frida framework
  • Interception of traffic between the apps and the backend, and security testing of the APIs the mobile clients call
  • A 4-week remediation sprint embedded with the mobile team to reach MASVS compliance

Both applications achieved OWASP MASVS Level 2 compliance — exceeding the minimum regulatory requirement.

THE RESULTS

Real Outcomes That Protected 500,000 Customers

Security assurance delivered before a major banking launch

OWASP MASVS L2 Achieved

Both iOS and Android applications achieved MASVS Level 2 compliance — exceeding the minimum regulatory requirement of Level 1.

FCA Approval Secured

Independent security assessment evidence satisfied the FCA requirement, enabling the regulated launch to proceed on schedule.

18 Vulnerabilities Resolved

All 18 findings — including 4 critical — were fully remediated and verified before the application was submitted for regulatory review.

Plaintext Data Eliminated

Encrypted storage implemented for all sensitive data fields, with the encryption keys managed in the devices' hardware-backed secure enclaves rather than stored alongside the data.

Biometric Auth Secured

The biometric authentication flow was redesigned and hardened against bypass on both iOS and Android.

Launched on Schedule

500,000 customers were onboarded at launch without a single security incident attributable to the mobile applications.

Contact us

Let's Start Building Your Digital Product

Have questions or are ready to build AI-powered web, ecommerce, or digital solutions? Encyphers helps startups & enterprises create scalable digital products. We respond within 24 hours.


“Encyphers delivered a complete digital transformation for our retail business, combining AI-powered systems, cloud infrastructure, and ecommerce solutions into one fully scalable and high-performance ecosystem. Their strategic approach significantly improved efficiency, customer experience, and overall business growth.”

Yuki Kashiwagi, VP of Technology, Retail Enterprise

Tell Us About Your Project

Share your requirements or challenges, and our team will design a tailored solution aligned with your business goals.


Work With Us

Book a Demo

Discover what Encyphers can do for you. Let's walk through our capabilities and find the right fit for your business.

Talk to an expert

Explore Career Opportunities

Join Encyphers' team of innovative professionals building the next generation of enterprise digital products.

View open positions