VAPT Report Template

The VAPT report for the PSW-Mobile application identifies critical vulnerabilities including hardcoded API keys and improper session management, posing a medium to high risk to data protection. The assessment recommends immediate remediation of these issues, implementation of secure coding practices, and regular security testing. The report outlines the scope of testing, methodologies used, and a detailed security compliance checklist.

PSW-Mobile Application: VAPT Report

PREPARED FOR
Pakistan Single Window
Ground Floor, Nespak Building, Near Pakistan State Bank
G-5/2, Islamabad

RIKSOF (Private) Limited
#603 Horizon Tower, Block 3, Clifton,
Karachi 75600
Call: +923132226901
Email: [email protected]

PSW-Mobile Application: VAPT Report 2


Table of Contents

Executive Summary
  Brief overview of the application and scope of testing
  Summary of critical findings
  Overall risk posture and recommendations
Scope
  Application name and version
  Platforms tested
  Testing period and tools used
Methodology
  Overview of testing approach (manual, automated)
  Standards and frameworks applied (OWASP Mobile Top 10, OWASP MASVS, NIST SP 800-163)
Findings
Remediation Plan
  Prioritized action items to address findings
  Responsible teams and timelines
Security Compliance Checklist
VAPT Report Sign-Off



Executive Summary

Brief overview of the application and scope of testing
The application is a mobile platform designed for financial transaction management and
user account handling. It includes modules for authentication, payment processing, user
profile management, and third-party integrations. The scope of testing included both
static and dynamic analysis of the Android and iOS builds, API security testing, and
evaluation of third-party libraries and SDKs.

Summary of critical findings
The assessment identified several critical vulnerabilities, including hardcoded API keys,
improper session management, and unencrypted sensitive data storage. These issues
could lead to unauthorized access, data leakage, and privilege escalation if exploited.

Overall risk posture and recommendations
The overall risk posture is medium to high due to the presence of several exploitable
vulnerabilities affecting core functionality and data protection. It is recommended to
remediate the identified issues promptly, implement secure coding practices, and
establish a regular cycle for security testing and code reviews.



Scope

Application name and version
● App Name: Pakistan Single Window
● Version: 1.0.1 (Build Number: 101)

Platforms tested
● Android (Version 13 and above)
● iOS (Version 16 and above)
● Backend APIs (.NET, C#)

Testing period and tools used
Testing Period: 1 week

Tools Used
● MobSF for static and dynamic analysis
● OWASP ZAP for API penetration testing
● SonarQube for code quality and security review



Methodology

Overview of testing approach (manual, automated)
A hybrid approach was used combining automated tools and manual penetration testing.
Automated testing included static code analysis, dynamic behavior monitoring, and
vulnerability scanning using tools like MobSF, SonarQube, and ZAP. Manual testing was
conducted to validate findings, explore edge cases, and simulate real-world attack
scenarios, including attempts at privilege escalation, data tampering, and session
hijacking.

Standards and frameworks applied (OWASP Mobile Top 10, OWASP MASVS, NIST SP 800-163)
The following security standards and frameworks were applied during the assessment:

● OWASP Mobile Top 10: For identifying and mitigating the most common and
impactful mobile security risks.
● OWASP MASVS (Mobile Application Security Verification Standard): To
evaluate the app against a comprehensive set of mobile security requirements.
● NIST SP 800-163: To ensure secure mobile app development practices and
software assurance processes were in place.



Findings
Add all identified vulnerabilities with details here

# | Vulnerability              | Description                              | Risk Level | Recommendation
1 | Example: Hardcoded API Key | API keys found hardcoded in the app code | High       | Remove keys from code; use secure vaults
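The example finding above (and checklist items 1 and 11 later in this report) is the kind of defect a pre-release static scan should catch before a build reaches the store. The script below is an added illustration written for this report, not a tool used in the assessment and not PSW-Mobile code: it flags string literals assigned to credential-looking identifiers, skips obvious placeholders such as ${VAR}, rates each hit by the entropy of the literal, and redacts the value so the scan output does not itself leak the key. The identifier fragments, the placeholder patterns and SAMPLE_SOURCE are assumptions constructed for the demonstration.

```python
"""Pre-release scan for hardcoded credentials in source and config files.

Added illustration for the 'Hardcoded API Key' finding; not a tool used in
the assessment and not PSW-Mobile code. SECRET_NAMES, PLACEHOLDER and
SAMPLE_SOURCE are constructed assumptions."""
import math
import re
from typing import Dict, List

# Identifier fragments that usually hold credentials (assumed list; extend per project).
SECRET_NAMES = r"(?:api[_-]?key|secret|token|password|passwd|private[_-]?key|auth)"

# An identifier containing one of those fragments (optionally quoted, as in JSON/YAML),
# then '=' or ':', then a quoted literal of at least 8 characters.
ASSIGNMENT = re.compile(
    r"(?i)[\"']?(?P<name>[a-z0-9_.-]*" + SECRET_NAMES + r"[a-z0-9_.-]*)[\"']?"
    r"\s*[:=]\s*[\"'](?P<value>[^\"']{8,})[\"']"
)

# Literals that are references or placeholders rather than live credentials.
PLACEHOLDER = re.compile(
    r"(?i)^(?:\$\{[^}]*\}|<[^>]*>|\{\{[^}]*\}\}|your[_-]|changeme|x{4,}|example|todo)"
)


def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score high (> 3.5), words and URLs score low."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Show only a short prefix so the scan report does not re-leak the secret."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(text: str, filename: str) -> List[Dict]:
    """Return one finding per credential-looking assignment in `text`, in line order.

    Commented-out lines are scanned too: a key left in a comment still ships in the build."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ASSIGNMENT.finditer(line):
            value = m.group("value")
            if PLACEHOLDER.match(value):
                continue
            entropy = shannon_entropy(value)
            findings.append({
                "file": filename,
                "line": lineno,
                "name": m.group("name"),
                "value": redact(value),
                "entropy": round(entropy, 2),
                # High-entropy literals are almost certainly real keys; low-entropy ones
                # (e.g. 'password123') still need a human look, so they are rated Medium.
                "risk": "High" if entropy >= 3.5 else "Medium",
            })
    return findings


# Constructed sample input (not real PSW-Mobile source).
SAMPLE_SOURCE = """\
# build-time settings (constructed sample)
API_BASE = "https://api.example.invalid/v1"
API_KEY = "k7X2pL9mZ4tB8wVc3QrN"
db_password = "${DB_PASSWORD}"
const authToken = 'eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.Zm9v';
"client_secret": "s3cr3tv4lu3-0123456789abcdef"
admin_password = "password123"
username = "alice"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE, "settings.kt"):
        print(f"{f['file']}:{f['line']} {f['risk']:6} {f['name']} = {f['value']} "
              f"(entropy {f['entropy']})")
```

Run over the sample it reports API_KEY, authToken and client_secret as High and admin_password as Medium, and skips db_password because its value is an environment reference. In a pipeline the same function would be applied to every file in the repository and the build failed on any High finding; the real fix remains moving the values into a secret manager or the platform keystore, as the recommendation column says.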



Remediation Plan

Prioritized action items to address findings
● High Priority
  ○ Remove hardcoded API keys and secrets
  ○ Implement secure storage using Keychain (iOS) and Keystore (Android)
  ○ Fix session token expiration and validation issues
● Medium Priority
  ○ Encrypt all sensitive data at rest
  ○ Remove debugging tools and logs from production builds
  ○ Strengthen input validation on all API endpoints
● Low Priority
  ○ Optimize permissions usage
  ○ Review and minimize third-party SDK access
  ○ Conduct regular static code scans pre-release

Responsible teams and timelines

Task                     | Responsible Team   | Target Completion
Remove hardcoded secrets | Mobile Development | May 25, 2025



Security Compliance Checklist

#  | Control Description | Standard | Status | Comments
1  | Ensure credentials (API keys, secrets, tokens) are not hardcoded into the app. | OWASP Mobile Top 10 | Pending |
2  | Enforce multi-factor authentication (MFA). | OWASP Mobile Top 10 | Pending |
3  | Ensure session tokens expire and are invalidated on logout or inactivity. | OWASP Mobile Top 10 | Pending |
4  | Do not store sensitive data (passwords, tokens, PII, financial data) locally unless encrypted. | OWASP Mobile Top 10 | Pending |
5  | Enforce authorization on the server side, not just in the UI. | OWASP Mobile Top 10 | Pending |
6  | Use code obfuscation and encryption to protect sensitive logic. | OWASP Mobile Top 10 | Pending |
7  | Use secure storage mechanisms like Keychain (iOS) and Keystore (Android). | OWASP Mobile Top 10 | Pending |
8  | Disable cleartext traffic. Cleartext traffic is vulnerable to man-in-the-middle (MITM) attacks. | OWASP Mobile Top 10 | Pending |
9  | Use OS-provided secure storage: Keychain (iOS), EncryptedSharedPreferences (Android). | OWASP Mobile Top 10 | Pending |
10 | Sanitize logs to avoid leaking sensitive data. | OWASP Mobile Top 10 | Pending |
11 | Ensure keys are stored securely and never hardcoded. | OWASP Mobile Top 10 | Pending |
12 | Prevent horizontal and vertical privilege escalation. | OWASP Mobile Top 10 | Pending |
13 | Validate all access rights for each request. | OWASP Mobile Top 10 | Pending |
14 | Prevent exposing debugging information and logs in production. | OWASP Mobile Top 10 | Pending |
15 | Remove unused code, debug symbols, and developer logs before release. | OWASP Mobile Top 10 | Pending |
16 | Remove test endpoints, admin features, and debug code before release. | OWASP Mobile Top 10 | Pending |
17 | Conduct a code audit to ensure no backdoors or hidden features remain. | OWASP Mobile Top 10 | Pending |
18 | Disable developer options and debugging interfaces in production builds. | OWASP Mobile Top 10 | Pending |
19 | Sensitive data is not stored unencrypted on the device. | OWASP MASVS | Pending |
20 | No sensitive data is written to system logs, the clipboard, or exposed via screenshots. | OWASP MASVS | Pending |
21 | Authentication is handled on the server side using secure protocols. | OWASP MASVS | Pending |
22 | Tokens are securely stored and renewed without reauthentication leakage. | OWASP MASVS | Pending |
23 | Proper error handling is implemented for network failures. | OWASP MASVS | Pending |
24 | Enforce intent filtering (Android) and App Transport Security (iOS). | OWASP MASVS | Pending |
25 | Validate and sanitize data from all external sources. | OWASP MASVS | Pending |
26 | Static code analysis tools (SonarQube) have been run and passed. | OWASP MASVS | Pending |
27 | Debugging, hooking, and emulator detection measures are in place. | OWASP MASVS | Pending |
28 | Threat model reviewed and updated for the current release. | OWASP MASVS | Pending |
29 | App only requests necessary permissions. | OWASP MASVS | Pending |
30 | Build is compiled in release mode with all debug info stripped. | OWASP MASVS | Pending |
31 | App version and build numbers are updated and consistent. | OWASP MASVS | Pending |
32 | MASVS coverage is documented per release (Documented on OWASP MASVS Excel Workbook). | OWASP MASVS | Pending |
33 | No excessive permissions requested (minimal privilege principle). | NIST SP 800-163 | Pending |
34 | Sensitive data encrypted at rest. | NIST SP 800-163 | Pending |
35 | No sensitive data is stored in logs, local storage, or backups. | NIST SP 800-163 | Pending |
36 | Data minimization principles applied (only necessary data collected and stored). | NIST SP 800-163 | Pending |
37 | No insecure inter-app communication. | NIST SP 800-163 | Pending |
38 | Session management is secure. | NIST SP 800-163 | Pending |
39 | Third-party SDKs do not violate user privacy or security policies. | NIST SP 800-163 | Pending |
40 | No use of outdated or unsupported libraries. | NIST SP 800-163 | Pending |
41 | Performs intended functionality only (no hidden or undocumented features). | NIST SP 800-163 | Pending |
42 | Does not perform malicious or suspicious behavior. | NIST SP 800-163 | Pending |
43 | Static code analysis performed (Tool: SonarQube). | NIST SP 800-163 | Pending |
44 | Dynamic behavior is tested on emulators and real devices. | NIST SP 800-163 | Pending |
45 | Penetration testing using Zed Attack Proxy (ZAP) by Checkmarx. | NIST SP 800-163 | Pending |
46 | Mobile pen testing framework (MobSF) used for static and dynamic analysis on app binaries. | NIST SP 800-163 | Pending |
47 | Tamper detection and integrity checks are in place. | NIST SP 800-163 | Pending |
48 | Security requirements documented and verified. | NIST SP 800-163 | Pending |
49 | All findings from security assessments are reviewed and addressed. | NIST SP 800-163 | Pending |
50 | Security sign-off required before app store release. | NIST SP 800-163 | Pending |
51 | Only low-risk or approved medium-risk releases are deployed. | NIST SP 800-163 | Pending |
52 | Mitigations are documented for any residual risks. | NIST SP 800-163 | Pending |



VAPT Report Sign-Off
We hereby acknowledge the completion of the Vulnerability Assessment and
Penetration Testing (VAPT) for the application. All identified findings have been
documented, and corresponding recommendations have been provided. This report has
been reviewed by relevant stakeholders, and appropriate actions have been planned or
taken to mitigate identified risks.

For and on behalf of PSW
----------------------
Abdul Wahid
VP Procurement

For and on behalf of RIKSOF
----------------------
Muhammad Raafay Ali
Director Business Development

Witness 1:
----------------------
Sidra Hummayun
Deputy Manager Procurement

Witness 2:
----------------------
Hafiz Faheem Altaf
Lead Digital Marketing & Tech Support
