What makes Indian fintech mobile apps different
Most mobile pentest checklists are written for global apps. Indian fintech apps have specific security requirements that don't appear in generic OWASP guidance:
- RBI Mobile Banking Master Direction requires specific session timeout, transaction signing, and device binding behaviour
- UPI integration introduces a unique attack surface (intent-redirect attacks, deep-link exploitation)
- V-CIP (video KYC) flows must be tamper-evident under the IT Rules
- Aadhaar/eKYC integration must follow UIDAI authentication API security guidance
- DPDP Section 8(4) requires "reasonable security safeguards" for personal data — measurable through pentest
What's in scope
A standard fintech mobile pentest covers:
Static analysis (decompile, reverse engineer):
- API endpoints exposed in the binary
- Hardcoded secrets, tokens, encryption keys
- Code obfuscation effectiveness
- Anti-tampering / anti-debugging mechanisms
- Insecure data storage (SharedPreferences, NSUserDefaults, SQLite, internal storage)
- TLS pinning bypass attempts
- Authentication flow attacks
- Authorization checks (BOLA / IDOR on mobile API)
- Session management
- Biometric authentication implementation
- Local data encryption at rest
- Android: APK security, ProGuard config, root detection, Intent vulnerabilities, deep-link hijacking
- iOS: jailbreak detection, URL scheme hijacking, keychain security, App Transport Security
- Cross-platform (React Native / Flutter): bundle inspection, JS bridge security
- UPI intent flow (intent redirection, deep-link parameter pollution)
- V-CIP recording tamper-evidence
- Aadhaar masking + redaction
- PCI-DSS scope assessment for card data flows
- Transaction signing / authorization
- Device binding implementation
- Session timeout per RBI guidance
- MFA on financial transactions
- Out-of-band authentication for high-value transactions
The most common findings
Findings from our last 50 Indian fintech mobile pentests, in order of frequency:
- TLS pinning absent or bypassable (38 of 50 apps)
- Anti-tampering missing or trivially bypassed (32 of 50)
- BOLA / IDOR on API endpoints enumerable through the app UI (28 of 50)
- Session token stored insecurely (24 of 50)
- Deep-link parameter pollution allowing intent redirection (19 of 50)
- Biometric bypass via reflection / code injection (17 of 50)
- Insecure logging containing PII / tokens (16 of 50)
- Insufficient root/jailbreak detection (14 of 50)
- Aadhaar number visible in screenshots/logs (12 of 50)
- Hardcoded API keys for third-party services (11 of 50)
The 5-day delivery
Day 1: Recon + static analysis
- App binary obtained (via Play Store/App Store + sandboxed test build)
- APK/IPA decompiled
- Automated static analysis tools (MobSF, jadx, Hopper) + manual review
- Initial findings list
- TLS pinning analysis
- API endpoint mapping (Burp Suite proxy)
- Authentication flow testing
- Session management testing
- API authorization checks across all endpoints discovered
- Multi-account testing for cross-tenant access
- Privilege escalation attempts
- Android: Intent / deep-link / WebView security
- iOS: URL scheme / Keychain / WKWebView security
- Fintech: UPI flow, V-CIP, KYC data handling
- RBI-specific session and transaction tests
- Findings categorised: Critical / High / Medium / Low
- Each finding includes: PoC, business impact, remediation code example
- 90-minute debrief with the customer's mobile engineering team
Pricing
| Scope | Fee |
|---|---|
| Single platform (Android OR iOS), 1 app | ₹1.5L |
| Both platforms, 1 app | ₹2.5L |
| Both platforms + fintech-specific deep-dive (UPI, V-CIP, KYC) | ₹4L |
| Both platforms + mobile + backend API integration | ₹6L |
Pre-audit prep we expect from you
To compress the audit to 5 days, the customer provides:
- Recent app build (or Play Store / App Store link)
- Test credentials for 2 accounts (different privilege levels)
- API documentation if available
- 2-hour technical kickoff with the mobile engineering lead
How to start
A mobile pentest engagement starts with a 60-minute scoping call. We confirm platforms, fintech-specific scope, and timing. Engagement letter signed within 3 working days. Audit starts the week after.
Schedule the mobile pentest scoping call →
Related: Case Study: UPI App Hardened for RBI Audit · Mobile Security for Indian Banks
