Sathya Prakash, an Indian security researcher, shows the dire potential consequences of neglecting secure mobile development with his account of testing his bank’s mobile app in 2015.
Sathya saw that the app had no certificate pinning: with no pinned public key, all of the app's users were exposed to Man in the Middle (MitM) attacks. The app was also logging all session IDs, so a third party would be able to hijack a user's account without needing to authenticate.
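The pinning control missing from the app above works by comparing the SHA-256 hash of each certificate's SubjectPublicKeyInfo (SPKI) against a small set of expected pins, which is the same `sha256/<base64>` format used by Android's Network Security Config and OkHttp's CertificatePinner. The following is an added example, not code from the original post or from Codified Security: it extracts the SPKI from a DER certificate with a minimal ASN.1 walker, computes the pin, and applies the usual "any certificate in the chain matches any pin" rule. The `fake_cert` helper builds a constructed certificate skeleton with the right field layout for offline testing; it is not a valid X.509 certificate.

```python
import base64
import hashlib


def _der_tlv(data: bytes, offset: int):
    """Parse one DER tag/length/value at offset; return (tag, value_start, value_end)."""
    tag = data[offset]
    offset += 1
    length = data[offset]
    offset += 1
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    return tag, offset, offset + length


def _der_children(data: bytes, start: int, end: int):
    """Yield (tag, value_start, value_end, tlv_start, tlv_end) for each element in a SEQUENCE body."""
    offset = start
    while offset < end:
        tag, vs, ve = _der_tlv(data, offset)
        yield tag, vs, ve, offset, ve
        offset = ve


def extract_spki_der(cert_der: bytes) -> bytes:
    """Return the raw DER bytes of the subjectPublicKeyInfo field of an X.509 certificate."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, vs, ve = _der_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs = next(_der_children(cert_der, vs, ve))
    fields = list(_der_children(cert_der, tbs[1], tbs[2]))
    # TBSCertificate: [0] version (optional), serialNumber, signature, issuer,
    # validity, subject, subjectPublicKeyInfo, ...
    if fields[0][0] == 0xA0:  # explicit [0] version tag present
        fields = fields[1:]
    spki = fields[5]
    return cert_der[spki[3]:spki[4]]


def spki_pin(cert_der: bytes) -> str:
    """Pin string in the form Android/OkHttp expect: sha256/<base64 of SHA-256(SPKI)>."""
    digest = hashlib.sha256(extract_spki_der(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def chain_matches_pins(chain_der: list, pins: set) -> bool:
    """Accept the TLS chain only if at least one certificate's SPKI matches a pinned value.

    Without a pin set, the app trusts any certificate the platform store accepts, which is
    what leaves users open to MitM when a rogue or mis-issued CA certificate is in play.
    """
    return any(spki_pin(cert) in pins for cert in chain_der)


# --- constructed test fixtures (hypothetical, not real certificates) ---

def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV (short- or long-form length)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def fake_cert(spki_value: bytes) -> bytes:
    """Constructed certificate skeleton with the TBSCertificate field order; not a valid X.509 cert."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))
    serial = _tlv(0x02, b"\x01")
    sig_alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption OID
    issuer = validity = subject = _tlv(0x30, b"")
    spki = _tlv(0x30, spki_value)
    tbs = _tlv(0x30, version + serial + sig_alg + issuer + validity + subject + spki)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00"))


def demo() -> dict:
    """Pin the bank's (constructed) leaf plus a backup pin, then check a good and a rogue chain."""
    bank_leaf = fake_cert(b"bank-key")
    backup_leaf = fake_cert(b"bank-backup-key")  # pre-generated rotation key, pinned in advance
    rogue_leaf = fake_cert(b"mitm-key")          # what an interposing proxy would present
    pins = {spki_pin(bank_leaf), spki_pin(backup_leaf)}
    return {
        "legit_chain_ok": chain_matches_pins([bank_leaf], pins),
        "rogue_chain_ok": chain_matches_pins([rogue_leaf], pins),
    }


if __name__ == "__main__":
    print(demo())
```

A real deployment would ship at least one backup pin, as `demo` does, so that a key rotation does not brick the app; Android apps can express the same pin set declaratively in `network_security_config.xml` instead of code.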
After this, Sathya also found a way to reverse-engineer the money transfer process that would have made it possible to clear out all of the bank's accounts.
This highlights the importance of the OWASP Mobile Top 10 vulnerabilities list and the need for mobile app security testing before product release, a small price to pay against the threat of losing $25bn…
Codified Security is here to help make your mobile app secure, whether it's for iOS or Android, and to make sure you're clearing the OWASP Mobile Top 10. For mobile app security testing, try out Codified Security.