Don't trust. Verify!
One of our leading clients asked us to perform penetration tests of a newly created mobile application that manages users' financial information. Because the application was developed by a supplier company, the client also asked us, in addition to verifying its security, to verify its compliance with the criteria the application was designed to meet.
During the penetration tests, we discovered several very serious vulnerabilities in authentication and authorization that could have allowed an attacker to access the profile and financial information of every user of the product. Such critical data could be used by attackers, for example, for phishing campaigns aimed at users or directly in attacks on institutions. Had this situation occurred in real operation, the companies involved would have faced large financial losses, the loss of their client base and damage to their reputation. Because the penetration tests took place before the application was released into real operation, this serious incident was prevented.
In addition, analysis of the design and the actual state of the application revealed some deviations from the agreed requirements, for example in the handling of user documents, which is subject to the GDPR and which the supplier had insufficiently secured in the application. The client was thus able to negotiate accelerated free repairs within the contract and even raise the level of security of its mobile application.