Fintech | Penetration Testing

Penetration Testing for a European Digital Banking Platform

A European fintech company preparing to launch a mobile-first digital banking platform engaged us to conduct a comprehensive penetration test before going live. The platform would serve 2M+ customers across multiple EU markets.

23 vulnerabilities | 4 critical findings | 3-week engagement

The Challenge

The client had built a full-stack digital banking platform from scratch — mobile apps (iOS/Android), a React-based web portal, and a microservices backend processing real-time payments, KYC verification, and account management. They were weeks away from regulatory approval and production launch.

Their internal team had conducted basic security scans, but the board and their banking regulator required an independent third-party penetration test covering the full attack surface: APIs, mobile clients, web application, authentication flows, and the payment processing pipeline.

Our Approach

We conducted a 3-week gray-box penetration test, starting with threat modeling to prioritize the highest-risk attack surfaces. Our focus areas:

  1. API Security Testing — 47 REST endpoints, testing for IDOR, broken authentication, mass assignment, and business logic flaws in payment flows.
  2. Authentication & Session Management — OAuth 2.0 implementation, JWT handling, MFA bypass attempts, and session fixation testing across mobile and web.
  3. Mobile Application Analysis — Binary reverse engineering, certificate pinning validation, local data storage inspection, and runtime manipulation.
  4. Payment Pipeline — Transaction manipulation, race conditions in concurrent transfers, and currency conversion logic abuse.

Key Findings

We identified 23 vulnerabilities across the platform:

  • 4 Critical
  • 7 High
  • 8 Medium
  • 4 Low

The most critical findings included an IDOR vulnerability in the account statement API that allowed any authenticated user to download statements of other customers by modifying the account reference ID. We also discovered a JWT refresh token rotation flaw that allowed indefinite session persistence, bypassing the intended 24-hour expiry.

In the payment pipeline, a race condition in the concurrent transfer endpoint allowed double-spending under specific timing conditions. Additionally, the mobile app stored the user's PIN in plaintext in shared preferences on Android, accessible to any app with root or backup extraction capabilities.
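The double-spend race described above comes from a check-then-debit sequence that is not atomic. The following is an added illustration, not the client's code: a constructed in-memory ledger with the vulnerable transfer beside a hardened one, and a driver that fires two identical transfers concurrently so the difference is observable.

```python
import threading


class Ledger:
    """Minimal in-memory account store with constructed balances (illustrative only)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self._lock = threading.Lock()

    def transfer_unsafe(self, src, dst, amount, barrier=None):
        """Vulnerable pattern: balance check and debit are two separate steps,
        so two concurrent requests can both pass the check before either debits."""
        if self.balances[src] < amount:
            return False
        if barrier is not None:
            barrier.wait()  # test hook only: holds both requests between check and debit
        self.balances[src] -= amount
        self.balances[dst] += amount
        return True

    def transfer_safe(self, src, dst, amount, barrier=None):
        """Hardened pattern: check and debit form one atomic critical section.
        The SQL equivalent is a conditional UPDATE ... WHERE balance >= :amount
        followed by a check of the affected row count. The barrier hook is ignored."""
        with self._lock:
            if self.balances[src] < amount:
                return False
            self.balances[src] -= amount
            self.balances[dst] += amount
            return True


def run_concurrent(transfer, ledger, src, dst, amount):
    """Send two identical transfer requests at once.
    Returns (number of accepted transfers, final source balance)."""
    barrier = threading.Barrier(2, timeout=5)
    results = []

    def worker():
        results.append(transfer(src, dst, amount, barrier))

    threads = [threading.Thread(target=worker) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), ledger.balances[src]


if __name__ == "__main__":
    for name in ("transfer_unsafe", "transfer_safe"):
        ledger = Ledger({"acc-A": 100, "acc-B": 0})
        print(name, run_concurrent(getattr(ledger, name), ledger, "acc-A", "acc-B", 100))
```

With a 100-unit balance and two simultaneous 100-unit transfers, the unsafe path accepts both and drives the source account to -100, while the hardened path accepts exactly one.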

Outcome

All 4 critical and 7 high-severity findings were remediated within 10 days. We conducted a targeted retest to verify fixes, confirming all critical issues were properly resolved. The platform launched on schedule with regulatory approval, and the client adopted our recommended security testing pipeline for ongoing releases.

The engagement also resulted in a retainer agreement for quarterly penetration testing and security review of new features before each release cycle.

Services Used

Web Application Penetration Testing · API Security Testing · Mobile Application Security · Payment System Testing · Security Retest
