Top 5 bank mobile banking · OWASP MASVS L2 pentest · 7 critical findings · BDDK compliance
One of Turkey's top 5 banks requested an authorized mobile banking pentest from DSET. Target: iOS+Android jailbreak/root detection bypass, MitM, cert pinning, secure storage. With the full MASVS L2 procedure DSET identified 7 critical findings, the bank fixed them, the BDDK audit was passed, and a 3-year strategic partnership began.
01 The Challenge
A top 5 bank mobile banking application, 8M active users. A proactive pentest before the BDDK "mobile banking security" audit. The full MASVS L2 procedure was requested from DSET: 27 control categories, jailbreak detection bypass, cert pinning, secure storage, screen recording protection. The bank's internal team's previous test had been "insufficient."
02 DSET's Approach
T+0 · Lab setup
iOS 17 jailbreak (palera1n) + Android 14 root (Magisk + Zygisk). Frida server, Objection, r2frida, mitmproxy + cert pinning bypass scripts were prepared.
T+1-10 days · MASVS L2 27 categories
The 27 control categories were tested in order: V1 (Architecture), V2 (Data Storage), V3 (Crypto), V4 (Auth), V5 (Network), V6 (Platform), V7 (Code), V8 (Resilience). 7 critical + 12 high + 18 medium findings.
T+10 days · PoC + impact
Bypass #1: jailbreak detection passed with a 4-line Frida hook. #2: cert pinning fixed-key MitM. #3: the SQLite local DB AES key hardcoded in the app. A detailed PoC video + impact demo were prepared.