
Mobile App Security Assessment Uncovers Authentication Bypass in a Leading Investment Platform

Critical authentication flaw allowed unauthorized access to 8M+ user portfolios across iOS and Android

Client: Leading Digital Investment Platform

  • 1 — Critical authentication bypass chain — full portfolio access for any user
  • 31 — Total findings across iOS, Android, and API layers
  • 72 hrs — Time from disclosure to patch for the critical authentication bypass
  • 8M+ — User portfolios protected from unauthorized access

The Challenge

Rapid User Growth Demanded Confidence in Mobile App Security

A digital investment platform with 8M+ retail investors and INR 1.2 lakh crore in AUM needed a comprehensive mobile security assessment before launching new features including SIP automation and instant redemption. The app handled sensitive financial data including PAN, bank accounts, and portfolio holdings — a breach would be catastrophic for user trust and regulatory standing.

  • 8M+ retail investor accounts with PAN, bank, and portfolio data
  • iOS and Android apps with 40+ API integrations to backend services
  • New features (SIP automation, instant redemption) increasing attack surface
  • SEBI requirement for periodic security audits of investment platforms

The Solution

Deep Mobile Security Assessment: Static + Dynamic + API Layer

Security Brigade performed a three-layer mobile security assessment covering static analysis (binary reverse engineering, hardcoded secrets, certificate pinning), dynamic analysis (runtime manipulation, hook injection, session management), and API-layer testing for all backend integrations. The B-52 engine tracked coverage across both platforms, ensuring parity between iOS and Android testing.

Services used

mobile-security, api-security, vapt

Our approach

  1. Static analysis: Reverse-engineered both iOS and Android binaries — found 3 hardcoded API keys and missing certificate pinning on 12 endpoints
  2. Dynamic analysis: Used Frida instrumentation to bypass biometric authentication, manipulate portfolio values in transit, and extract session tokens from memory
  3. API testing: Tested all 40+ mobile API endpoints — discovered an IDOR allowing access to any user portfolio via predictable account identifiers
  4. Authentication bypass: Chained biometric bypass + session token extraction + IDOR to demonstrate full unauthorized portfolio access
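The IDOR in step 3 is the link in the chain that turns a single compromised session into access to every portfolio. The following is an added illustration, not code from the engagement or the platform: a minimal portfolio lookup that trusts the client-supplied account identifier, the hardened handler that authorizes the reference against the server-side session, and a regression check that reports which accounts a given session can read. Account ids, owners and holdings are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data: sequential account ids of the kind that make
# object references easy to guess.
PORTFOLIOS = {
    1001: {"owner": "alice", "holdings": {"FUND-A": 120.0}},
    1002: {"owner": "bob",   "holdings": {"FUND-B": 45.5}},
}


@dataclass
class Session:
    user: str  # identity established at login, held server-side


class Forbidden(Exception):
    pass


def get_portfolio_vulnerable(session: Session, account_id: int) -> dict:
    """Trusts the client-supplied account_id: any authenticated user can
    read any portfolio by changing one number in the request."""
    return PORTFOLIOS[account_id]["holdings"]


def get_portfolio_hardened(session: Session, account_id: int) -> dict:
    """Checks ownership of the referenced object against the session before
    returning data. Missing and foreign records produce the same error so
    the endpoint cannot be used to enumerate valid ids. Opaque (random)
    identifiers are a useful second layer but do not replace this check."""
    record = PORTFOLIOS.get(account_id)
    if record is None or record["owner"] != session.user:
        raise Forbidden("portfolio not found")
    return record["holdings"]


def readable_accounts(handler, session: Session) -> list:
    """Regression check for the fix: which account ids can this session read
    through the given handler? A correct endpoint returns only its own."""
    readable = []
    for account_id in sorted(PORTFOLIOS):
        try:
            handler(session, account_id)
            readable.append(account_id)
        except Forbidden:
            pass
    return readable
```

Running readable_accounts against every portfolio endpoint with a low-privilege test session is a cheap guard to keep in the API test suite after a finding like this is fixed.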

The Results

Authentication Bypass Chain Fixed Before Feature Launch — 8M Portfolios Protected

Discovered a critical authentication bypass chain that would have allowed an attacker to access any user investment portfolio, including holdings, transaction history, and linked bank accounts. The chained vulnerability was patched within 72 hours of disclosure, and all 31 findings were remediated before the new feature launch.

