
Penetration Testing of Investment Web Platform and Mobile App

Location

UAE

Industry

Client

Our client is a UAE-based startup made up of a team of world-class experts in investment, finance, design, data science, and technology who aim to deliver the best investment experience. Aiming to democratize investing for its community, the client has developed a financial platform and app that lets customers easily and intuitively trade stocks and ETFs and save and invest money passively, all in one place.

Today, the platform offers a one-stop shop for hands-off auto-investing, self-directed trading of stocks, ETFs, Crypto, and a place to park their cash while earning interest. The company’s hybrid model provides access to on-demand investment experts and a human customer support team that are available to answer clients’ questions.

Business Challenge

Striving to provide a 100% secure platform, the client engaged DataArt to perform penetration testing of their web platform and mobile applications. The penetration test's main goal was to determine whether the applications could be compromised to gain unauthorized access to company resources or its users' data.

Solution

DataArt utilized a proprietary penetration testing methodology based on the most well-known and established penetration testing guides such as the Open Web Application Security Project Testing Guide, Open-Source Security Testing Methodology Manual, Penetration Test Guidance for PCI DSS Standard, and NIST Technical Guide to Information Security Testing and Assessment.

The methodology incorporated the following five phases:
  • Planning: Working closely with the client to clearly define and document the assessment’s objectives, scope, and rules of engagement.
  • Information Gathering: Collecting and examining key information about the target applications and related infrastructure to become familiar with the functionality and the placement of application security controls.
  • Vulnerability Discovery and Analysis: Utilizing both manual and automated approaches to identify possible security issues that could lead to the compromise of sensitive information or to unauthorized access.
  • Exploitation: Investigating potential security issues and attempting exploits, which helps to confirm issues’ criticality, obtain evidence, and obtain additional surface for testing (within the authorized boundaries).
  • Reporting: Compiling a report with a non-technical executive summary and detailed technical sections with a prioritized list of findings and practical recommendations for their remediation.
For mobile applications, DataArt focused on reverse-engineering application logic and its security controls, dynamic application analysis, and inspection of locally stored data. DataArt analyzed all application communications with remote services and ensured the security of any transmitted data.

During the assessment, DataArt could not compromise the platform or relevant infrastructure. However, the assessment revealed several vulnerabilities with high, medium, and low risks, including:
  • Insecure local storage of user data within mobile apps
  • Insufficient anti-reversing protection of mobile apps
  • Insecure web session management mechanisms
  • Weak user password quality control and username enumeration
  • Cross-site scripting vulnerabilities within the administrative interface
  • Leakage of potentially sensitive information
  • Use of vulnerable dependencies
Leaving these vulnerabilities unattended could, in combination with other capabilities or information, result in the compromise of, or unauthorized access to, a network, application, or information.

DataArt provided recommendations as to how to eliminate each vulnerability.

DataArt’s assessment proved the client’s platform offers a high degree of security, making it almost impossible to compromise the platform. The assessment also helped identify the individual vulnerabilities that might pose a threat of unauthorized access to sensitive information.

DataArt proposed a solution that would help to further reinforce the platform. Now that the client has addressed those vulnerabilities, their platform can be considered unexploitable.

Tools Used by the DataArt Pen Test Team Include:

Burp Suite Pro
Nessus Professional
DirSearch
SQLmap
Nmap
Frida
Chainbreaker
Cycript