A UPI app with 12 lakh active users had a scheduled RBI audit in 6 weeks and 23 MASVS findings flagged. The Bachao.AI mobile pentest + remediation sprint closed all findings 2 weeks before the audit.

Case Study: UPI App Hardened Against MASVS Findings Before RBI Audit

The situation

A UPI payments app (we'll call them "PayCo") with 12 lakh monthly active users in Tier-2 cities had completed their last RBI audit cycle 11 months prior. The next audit was scheduled. PayCo's CISO commissioned a pre-audit mobile pentest to identify gaps.

PayCo's profile:

80 employees, 12 lakh MAU
Android + iOS native apps (Kotlin / Swift)
React Native shared business logic layer
AWS backend
RBI-regulated payment aggregator
Last audit findings: 4 Medium, closed within 60 days

The pentest (Week 1)

The Bachao.AI 5-day pentest returned:

Severity	Count
Critical	1
High	8
Medium	11
Low	3
Total	23

Sample Critical/High findings:

C-001 — UPI intent redirection on Android allowing transaction hijack

The app accepted UPI intent parameters from external apps without validating origin. An attacker app could intent the PayCo app with a malicious payment URL → if the user confirmed, payment went to attacker's VPA.

PoC: a 3-line malicious Android intent demonstrated end-to-end transaction redirection.

Remediation: validate intent source, signed-only intents, explicit user confirmation with merchant name display.

H-001 — TLS pinning bypass on iOS

The app used certificate-pinning library but pinned to an intermediate CA. Attacker with control of intermediate could intercept. (Common implementation mistake.)

Remediation: pin to leaf certificate + 1 backup, with proper rotation procedure.

H-002 — Biometric authentication bypass via Frida script

The app's biometric auth wasn't bound to a server-side challenge. Frida script could mock biometric success without actual fingerprint/face authentication.

Remediation: server-issued challenge + biometric-attested response (Android Biometric Crypto API + iOS LocalAuthentication with secure enclave).

H-003 — Aadhaar number visible in app logs

During KYC flow, the masked-Aadhaar field was logged unmasked to console (visible via adb logcat on rooted device).

Remediation: explicit log redaction for KYC fields; disable verbose logging in release builds.

H-004 through H-008 — IDOR on transaction history API (cross-user data), insecure biometric fallback to PIN, session token reuse across devices, insufficient root detection, deep-link parameter pollution.

The remediation sprint (Week 2-3)

Bachao.AI mobile engineers worked alongside PayCo's mobile team for 2 weeks:

Week 2:

C-001 (UPI intent redirection) resolved Day 8 — PayCo's senior Android engineer + Bachao's mobile specialist worked through the intent validation refactor
H-001 (TLS pinning) resolved Day 10 — pinning to leaf cert + rotation procedure documented
H-002 (biometric bypass) resolved Day 12 — server-side challenge implemented end-to-end

Week 3:

H-003 through H-008 resolved
Code review of fixes by Bachao mobile lead
Re-test of all 9 Critical/High findings — all confirmed closed
11 Medium findings closed (mostly platform-specific hardening: ProGuard rules, root detection improvements, deep-link allowlist)
3 Low findings closed (informational hardening)

End of Week 3: all 23 findings closed. Re-test confirmation report delivered.

Know your vulnerabilities before attackers do

Run a free VAPT scan — takes 5 minutes, no signup required.

Book Your Free Scan

Pre-audit packaging (Week 4)

Bachao.AI produced the evidence package PayCo's CISO took to the RBI auditor:

Pre-audit pentest report (23 findings)
Remediation log (each finding closed with code commit reference)
Re-test confirmation (Bachao.AI testing post-remediation)
Updated mobile app security policy

The RBI audit (Week 6)

PayCo's RBI audit cycle concluded with 0 cybersecurity findings on the mobile app surface. The auditor observation: "Comprehensive pre-audit work evident."

What it cost

Line item	Cost
Bachao.AI mobile pentest (Both platforms + fintech deep-dive)	₹4L
Bachao.AI remediation sprint (2 weeks)	₹6L
Bachao.AI re-test + evidence package	₹2L
Total mobile security work	₹12L

PayCo's CFO estimated an RBI audit finding on the mobile surface would have cost ₹40L+ in remediation under regulatory pressure + potential operational restriction during the corrective period. The ₹12L closed the risk.

What PayCo's CISO said

"Mobile security audits often produce reports we can't action — too generic. Bachao's report had actual PoCs. Their engineers wrote the actual Kotlin and Swift fixes alongside our team. That's the only way 23 findings get closed in 2 weeks. We kept them on a quarterly mobile review retainer after the audit."

Pattern this engagement followed

This is a common shape for Bachao.AI mobile security engagements with Indian fintechs:

Regulatory deadline (RBI, SEBI, or sector-specific)
Internal mobile team capable but lacking specific security depth
Real findings, not abstract risk
Remediation work performed jointly, not handed off

If your fintech is in a similar situation:

Schedule the mobile pentest scoping call →

The situation

PayCo's profile:

80 employees, 12 lakh MAU
Android + iOS native apps (Kotlin / Swift)
React Native shared business logic layer
AWS backend
RBI-regulated payment aggregator
Last audit findings: 4 Medium, closed within 60 days

The pentest (Week 1)

The Bachao.AI 5-day pentest returned:

Severity	Count
Critical	1
High	8
Medium	11
Low	3
Total	23

Sample Critical/High findings:

C-001 — UPI intent redirection on Android allowing transaction hijack

PoC: a 3-line malicious Android intent demonstrated end-to-end transaction redirection.

Remediation: validate intent source, signed-only intents, explicit user confirmation with merchant name display.

H-001 — TLS pinning bypass on iOS

The app used certificate-pinning library but pinned to an intermediate CA. Attacker with control of intermediate could intercept. (Common implementation mistake.)

Remediation: pin to leaf certificate + 1 backup, with proper rotation procedure.

H-002 — Biometric authentication bypass via Frida script

The app's biometric auth wasn't bound to a server-side challenge. Frida script could mock biometric success without actual fingerprint/face authentication.

Remediation: server-issued challenge + biometric-attested response (Android Biometric Crypto API + iOS LocalAuthentication with secure enclave).

H-003 — Aadhaar number visible in app logs

During KYC flow, the masked-Aadhaar field was logged unmasked to console (visible via adb logcat on rooted device).

Remediation: explicit log redaction for KYC fields; disable verbose logging in release builds.

The remediation sprint (Week 2-3)

Bachao.AI mobile engineers worked alongside PayCo's mobile team for 2 weeks:

Week 2:

C-001 (UPI intent redirection) resolved Day 8 — PayCo's senior Android engineer + Bachao's mobile specialist worked through the intent validation refactor
H-001 (TLS pinning) resolved Day 10 — pinning to leaf cert + rotation procedure documented
H-002 (biometric bypass) resolved Day 12 — server-side challenge implemented end-to-end

Week 3:

H-003 through H-008 resolved
Code review of fixes by Bachao mobile lead
Re-test of all 9 Critical/High findings — all confirmed closed
11 Medium findings closed (mostly platform-specific hardening: ProGuard rules, root detection improvements, deep-link allowlist)
3 Low findings closed (informational hardening)

End of Week 3: all 23 findings closed. Re-test confirmation report delivered.

Know your vulnerabilities before attackers do

Run a free VAPT scan — takes 5 minutes, no signup required.

Book Your Free Scan

Pre-audit packaging (Week 4)

Bachao.AI produced the evidence package PayCo's CISO took to the RBI auditor:

Pre-audit pentest report (23 findings)
Remediation log (each finding closed with code commit reference)
Re-test confirmation (Bachao.AI testing post-remediation)
Updated mobile app security policy

The RBI audit (Week 6)

PayCo's RBI audit cycle concluded with 0 cybersecurity findings on the mobile app surface. The auditor observation: "Comprehensive pre-audit work evident."

What it cost

Line item	Cost
Bachao.AI mobile pentest (Both platforms + fintech deep-dive)	₹4L
Bachao.AI remediation sprint (2 weeks)	₹6L
Bachao.AI re-test + evidence package	₹2L
Total mobile security work	₹12L

What PayCo's CISO said

Pattern this engagement followed

This is a common shape for Bachao.AI mobile security engagements with Indian fintechs:

Regulatory deadline (RBI, SEBI, or sector-specific)
Internal mobile team capable but lacking specific security depth
Real findings, not abstract risk
Remediation work performed jointly, not handed off

If your fintech is in a similar situation:

Schedule the mobile pentest scoping call →

Case Study: UPI App Hardened Against MASVS Findings Before RBI Audit

The situation

The pentest (Week 1)

The remediation sprint (Week 2-3)

Pre-audit packaging (Week 4)

The RBI audit (Week 6)

What it cost

What PayCo's CISO said

Pattern this engagement followed

Shouvik Mukherjee

Get cybersecurity insights for Indian SMBs

Related Articles

Case Study: Enterprise Reduced External Attack Surface 60% in 90 Days

Attack Surface Management India — Bachao.AI Methodology

Case Study: SaaS Startup Shifted Left, Reduced Production Vulns 80%

Ready to secure your business?

Case Study: UPI App Hardened Against MASVS Findings Before RBI Audit

The situation

The pentest (Week 1)

The remediation sprint (Week 2-3)

Pre-audit packaging (Week 4)

The RBI audit (Week 6)

What it cost

What PayCo's CISO said

Pattern this engagement followed

Shouvik Mukherjee

Get cybersecurity insights for Indian SMBs

Related Articles

Case Study: Enterprise Reduced External Attack Surface 60% in 90 Days

Attack Surface Management India — Bachao.AI Methodology

Case Study: SaaS Startup Shifted Left, Reduced Production Vulns 80%

Ready to secure your business?