A Bank Turned to AKATI Sekurity for a Mobile App Security Review. Here’s What Happened.

Securing Mobile Banking: How AKATI Sekurity’s Assessment Made a Difference

A financial institution needed to be sure its mobile banking app was secure. It was a routine check, the kind that happens all the time in an industry where security breaches can cost millions. But when cybersecurity firm AKATI Sekurity began testing, the findings were unsettling.

The mobile banking application, available on both iOS and Android, was meant to be a secure gateway for customers to manage their accounts, transfer funds, and make payments. Instead, it had weaknesses that could have allowed attackers to manipulate transactions, intercept sensitive data, and gain unauthorized access.

The company had taken precautions—encryption, access controls, and security checks were in place. But cyber threats evolve faster than most businesses can keep up, and this bank was no exception. It needed to know what was lurking beneath the surface before real attackers found out first.

A Simple Test, Alarming Results

When AKATI Sekurity ran its Hybrid-PT® Penetration Test, an assessment designed to mimic real-world attacks, the results were immediate.

One of the first red flags was root detection—a control meant to stop the app from running on compromised devices. The app had it, but it didn’t work. With basic manipulation, the test team was able to bypass it, gaining full access to the app’s internal functions. If an attacker had done the same, they could have extracted sensitive data or even modified transactions.

Then came SSL pinning, a security feature designed to prevent attackers from intercepting communication between the app and the bank’s servers. The app had it, too. But AKATI Sekurity testers bypassed it within minutes, meaning a hacker could have intercepted banking credentials and transaction details with relative ease.

And then there was the code itself. It was readable—too readable. Without proper obfuscation, anyone with the right tools could reverse-engineer the app, exposing its security controls and giving attackers a roadmap to exploit its weaknesses.

The issues didn’t stop there. The app requested permissions beyond what was necessary—access to the device’s storage, contacts, and even location data. Some of these permissions were legitimate, but others opened doors that didn’t need to be open. If a user’s device was already compromised, an attacker could leverage these permissions to access banking data through another route.

Other vulnerabilities were more subtle. Some parts of the app were unintentionally exposed, meaning that another app on the same device could have interacted with them, potentially gaining access to critical functions. The app also failed to properly clear sensitive information when sent to the background, leaving traces in clipboard memory and system screenshots.

Fixing the Problem Before It Became One

The findings weren’t just concerning—they were urgent. The bank’s development team worked quickly to address them, reinforcing root detection, strengthening SSL pinning, and applying obfuscation to make the app’s internal workings harder to decipher. They also tightened security around exported components, removed unnecessary permissions, and ensured sensitive data wouldn’t linger where it didn’t belong.

Beyond these fixes, the institution recognized a larger issue: cybersecurity isn’t a one-time check. To prevent future vulnerabilities, it established a continuous security assessment program, ensuring that each new version of the app would undergo rigorous testing before release.
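As an added example, not AKATI Sekurity’s tooling or the bank’s code, the Python script below shows the kind of static check a development team can run on every build to catch three of the findings above before release: Android components exported without a permission guard (including ones exported implicitly through an intent-filter), permissions outside an agreed allow-list, and a network security config that permits cleartext traffic or has no certificate pin-set. The manifest, the weak and hardened config files, the package name, the domain and the permission allow-list are all constructed for illustration, and the pin values are placeholders rather than real hashes.

```python
# Added example: static pre-release checks for exported components, excess
# permissions and pinning config. Not AKATI Sekurity's tooling; all inputs below
# are constructed samples.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android(attr):
    """Qualify an attribute name with the android: namespace for ElementTree."""
    return f"{{{ANDROID_NS}}}{attr}"


# Constructed manifest showing the issue patterns described in the text.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:networkSecurityConfig="@xml/network_security_config">
        <activity android:name=".LoginActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".TransferActivity" android:exported="true"/>
        <service android:name=".SyncService" android:exported="true"
                 android:permission="com.example.bank.permission.SYNC"/>
        <receiver android:name=".DeepLinkReceiver">
            <intent-filter><action android:name="com.example.bank.OPEN"/></intent-filter>
        </receiver>
    </application>
</manifest>"""

# Constructed weak config: cleartext allowed, no pins.
WEAK_NSC = """<network-security-config>
    <base-config cleartextTrafficPermitted="true"/>
</network-security-config>"""

# Constructed hardened config; pin values are placeholders, not real hashes.
HARDENED_NSC = """<network-security-config>
    <base-config cleartextTrafficPermitted="false"/>
    <domain-config>
        <domain includeSubdomains="true">api.example-bank.test</domain>
        <pin-set expiration="2026-12-31">
            <pin digest="SHA-256">PLACEHOLDER_LEAF_SPKI_HASH_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_HASH_BASE64=</pin>
        </pin-set>
    </domain-config>
</network-security-config>"""

# Assumed allow-list of what this hypothetical banking app legitimately needs.
EXPECTED_PERMISSIONS = {"android.permission.INTERNET", "android.permission.USE_BIOMETRIC"}
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"


def is_exported(component):
    """Exported explicitly, or implicitly: before targetSdk 31 a component with an
    intent-filter and no android:exported attribute is exported by default, which
    is how components end up reachable by other apps unintentionally."""
    flag = component.get(android("exported"))
    if flag is not None:
        return flag == "true"
    return component.find("intent-filter") is not None


def find_exposed_components(manifest_xml):
    """Names of components other apps can reach with no android:permission guard.
    The launcher activity is skipped because it has to be exported."""
    root = ET.fromstring(manifest_xml)
    exposed = []
    for comp in root.iter():
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
            continue
        if comp.get(android("permission")):
            continue  # guarded by a permission, so not open to arbitrary apps
        if any(c.get(android("name")) == LAUNCHER for c in comp.iter("category")):
            continue
        exposed.append(comp.get(android("name")))
    return exposed


def find_unexpected_permissions(manifest_xml, expected=EXPECTED_PERMISSIONS):
    """Requested permissions outside the allow-list, sorted for stable reports."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(android("name")) for p in root.iter("uses-permission")}
    return sorted(requested - expected)


def check_network_config(nsc_xml):
    """Findings for a network_security_config.xml: cleartext and missing pins."""
    root = ET.fromstring(nsc_xml)
    findings = []
    for cfg in root.iter():
        if (cfg.tag in ("base-config", "domain-config")
                and cfg.get("cleartextTrafficPermitted") == "true"):
            findings.append(f"{cfg.tag}: cleartext traffic permitted")
    if root.find(".//pin-set") is None:
        findings.append("no <pin-set>: certificate pinning not configured")
    return findings


if __name__ == "__main__":
    print("exposed components:", find_exposed_components(SAMPLE_MANIFEST))
    print("unexpected permissions:", find_unexpected_permissions(SAMPLE_MANIFEST))
    print("weak config:", check_network_config(WEAK_NSC))
    print("hardened config:", check_network_config(HARDENED_NSC))
```

Checks like these belong in the build pipeline so that a regression in a new version fails before it reaches the store, which is what a continuous assessment program is meant to enforce. They complement rather than replace dynamic testing: a pin-set in the config does not by itself tell you whether pinning holds up at runtime on a compromised device, and root detection, obfuscation and background data clearing still need to be exercised on real devices.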

A Broader Lesson in Mobile Security

Security is not just about fixing what is broken; it is about anticipating what could go wrong before it does. Mobile banking apps, handling everything from payments to personal data, are high-value targets for attackers. A flaw that seems insignificant today could become a major vulnerability tomorrow. This case highlighted an uncomfortable reality. Even a well-designed application, built by a security-conscious institution, can still have weak points. The vulnerabilities that AKATI Sekurity uncovered were not just theoretical risks. They were real, exploitable flaws that an attacker could have discovered just as easily.

For financial institutions, cybersecurity is no longer a background concern reserved for IT teams. It directly affects customer confidence, regulatory compliance, and the bottom line. The real question is not whether an attack will happen, but whether an organization is prepared to detect and respond before damage is done.
