Security

Triple S — Security Assessment

Mobile application penetration testing

07/2024 – 11/2024
Overview

A full security assessment of the Triple S Android application as lead penetration tester, following the OWASP Mobile Top 10 and MASVS. The engagement identified critical vulnerabilities, mapped them to compliance failures, and delivered a remediation plan with evidence.

The problem

Mobile apps frequently ship with insecure data storage, weak authentication, and exposed secrets that never surface in functional testing. Triple S needed an adversarial review before going further.

Tech stack

  • OWASP Mobile Top 10
  • OWASP MASVS
  • MobSF
  • Frida
  • Burp Suite
  • JADX
  • Static & Dynamic Analysis

Key features

  • Lead penetration tester for the engagement
  • Assessment driven by OWASP Mobile Top 10 and MASVS
  • Findings: weak authentication, exposed API keys, IDOR, insecure data storage
  • Documented MASVS-RESILIENCE failures and certificate-pinning misconfiguration
  • Firebase misconfiguration and rate-limiting analysis

Engineering highlights

  • Combined static analysis (MobSF, JADX) with dynamic instrumentation (Frida) and traffic interception (Burp Suite)

Outcome

  • Documented critical vulnerabilities with reproduction evidence
  • Delivered a prioritized remediation plan mapped to MASVS controls