Case Study: Online Ticket Purchase Services Provider achieves enhanced Android app security and safeguarded user credentials with Apriorit

An Apriorit Case Study

Preview of the Online Ticket Purchase Services Provider Case Study

Online Ticket Purchase Services Provider - Customer Case Study

Online Ticket Purchase Services Provider engaged Apriorit to perform black-box mobile security testing of their Android ticketing app. The primary challenge was protecting account access data in motion and at rest: Apriorit found that SSL-protected traffic was still vulnerable to man-in-the-middle interception (allowing sniffed access tokens and credentials to be reused), and that sensitive data, including tokens and credentials, was stored in an unencrypted local SQLite cache; the app also exhibited incomplete protections on rooted devices.

Apriorit delivered a set of fixes and a working prototype: runtime checks to detect rooted devices, SSL pinning, runtime access-key generation (credentials hash + salt + device ID) with AES-encrypted message bodies, and encryption of local databases, along with recommendations to avoid storing credentials on-device. After the Online Ticket Purchase Services Provider implemented the recommendations, the revised app passed Apriorit’s second-round check. The engagement required 60 man-hours for testing and 40 man-hours to develop the prototype, and resulted in mitigation of token/credential theft and MITM risks, substantially reducing the app’s attack surface.
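How the runtime access-key generation and AES-encrypted message bodies described above fit together, as an added illustration written in Java against javax.crypto (the API an Android app would use); this is not Apriorit's or the provider's code. The choice of PBKDF2-HMAC-SHA256 as the KDF, AES-GCM as the mode, the endpoint path as associated data and every sample value are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Illustrative sketch (not Apriorit's code): an access key derived at runtime from the
 *  credentials, a server-issued salt and the device ID, used to AES-GCM-encrypt request bodies. */
public final class AccessKeyExample {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int IV_BYTES = 12, TAG_BITS = 128, KDF_ITERATIONS = 100_000;
    /** PBKDF2-HMAC-SHA256 over the credentials with salt || deviceId (KDF choice is an assumption); the key lives only in memory. */
    static byte[] deriveAccessKey(char[] password, byte[] salt, String deviceId) throws Exception {
        byte[] dev = deviceId.getBytes(StandardCharsets.UTF_8);
        byte[] kdfSalt = ByteBuffer.allocate(salt.length + dev.length).put(salt).put(dev).array();
        PBEKeySpec spec = new PBEKeySpec(password, kdfSalt, KDF_ITERATIONS, 256);
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();                                // drop the password copy held by the spec
        return key;
    }

    /** Encrypt one body as IV || ciphertext || tag; the endpoint path is AAD, so a captured body fails if replayed elsewhere. */
    static byte[] encryptBody(byte[] key, byte[] body, String endpoint) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                                   // fresh nonce per message, never reused under one key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(endpoint.getBytes(StandardCharsets.UTF_8));
        byte[] ct = c.doFinal(body);
        return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
    }

    /** Server-side counterpart; a tampered body or mismatched endpoint raises AEADBadTagException. */
    static byte[] decryptBody(byte[] key, byte[] blob, String endpoint) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
        c.updateAAD(endpoint.getBytes(StandardCharsets.UTF_8));
        return c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16]; RNG.nextBytes(salt);      // constructed here; normally issued by the server at login
        byte[] key = deriveAccessKey("hunter2".toCharArray(), salt, "device-1234");   // constructed sample values
        byte[] blob = encryptBody(key, "{\"order\":42}".getBytes(StandardCharsets.UTF_8), "/api/v1/order");
        System.out.println(new String(decryptBody(key, blob, "/api/v1/order"), StandardCharsets.UTF_8));
    }
}
```

The same key derivation would have to run on the server from its stored credential verifier and the device ID it registered, which is what lets the client avoid writing the key or the credentials to local storage.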

