How Indium performed VAPT to get rid of unauthorized access to premium features? (A Success Story)

E-reading is more popular than ever before, and the COVID outbreak has really turned our kids completely into e-learning. 2020 was the digital year completely, and it has enhanced the growth rate of educational apps by 30%. The year has positively impacted digital businesses, and there is better revenue for all the software applications than in previous years.

In this blog post, we will look at the issue faced by our client on their software, our VAPT solutions to their problems, and the positive business impact created by our testing solutions.

A glimpse of our client portfolio and the reason behind partnering with us!

Our client is a software development enterprise that offers solutions for E-reading, information consumptions, and document visualization. They render software solutions that create digital PDF experiences helping the application users to connect with facts and information across sources and save the content for references.

The client’s application works on iPad. It enables users to work on multiple documents simultaneously and becomes an essential app for communities in law, technical document verification, contract writers, RFPs, etc. Our client offers a free download of the e-reading application to all the users and enhances some advanced features to the premium users with paid subscriptions.

Our client’s application required a QA as the users and hackers were trying to break the software’s premium walls and leverage the advanced premium features without the subscription.

Hence, the client partnered with us to go through a vulnerability assessment to help them identify the loopholes in premium access. Also, they want the premium users to remain confidential with their key/license to prevent unauthorized access.

Client’s requirements and our VAPT solution

A look into our client requirements.

The client was facing a tough phase in their business as the users and hackers were breaking the premium walls of the application and leveraging the advanced features of the paid application model.

This, in turn, reduced their number of subscribers as premium users were sharing their license to the app users, and hackers were cracking the advanced version and sharing the software. Which required urgent notice and the need for an experienced software testing company. Our client approached us with a set of requirements.

  • They required a detailed report of all the security loopholes that can be leveraged by a user/hacker to access the premium account features in the application.
  • The client wanted us to verify the vulnerabilities of reverse engineering/decompiling the application code base that leads to unauthorized access of premium features.
  • They opted for 360-degree security testing of the software with a VAPT approach and reports that infer defects and business impacts pertaining to these actions.

They approached the Indium team to provide solutions for this vulnerability around their software.

How Indium team offered an automated QA strategy with a VAPT approach to get rid of unauthorized access to premium features?

Indium Software is a pioneer in Quality Assurance solutions and has strong expertise in security testing. Indium Software’s VAPT helps discover vulnerabilities within the application and reduces the risk drastically. Indium also provides a wide range of security testing services apart from VAPT.

Quality Assessment

The Indium testing team developed an optimized strategy for automated assessment with open-source tools and manual methods in the perspective of hackers to penetrate through the e-reading software and identify the loopholes for security breaches.

Our test engineers performed the vulnerability assessments on both enterprise and customer versions of the software. We then performed a static and dynamic analysis to pierce through the application to identify the loops by which hackers crack the premium features.

Static Analysis

Our team then framed a customized static analysis to exploit the interesting files and performed the test cases with injection and reverse-engineering attacks. This includes license key forgery attacks, memory analysis, and binary analysis. Our software testers dug deeper into the static analysis of the application.

  • They cross-checked the windows search, load algorithms as they might help in tampering with the application codebase.
  • We also validated the hard-coded credentials/ data, keys, comments, and hidden functions.

Dynamic Analysis

Indium team does not want to leave our client down in any scenario and hence we do perform a dynamic round of testing in the apps.

  • Tested the man-in-middle attacks using enumeration techniques with manual methods.
  • We performed a thorough analysis of API calls to the application.(Both request & response).

Identification of threats

Our quality engineers performed manual enumeration to identify the security breaches, functionality defects, and they leveraged CLI tools. With these customized testing strategies, we notified two critical vulnerabilities under sensitive data exposure and insecure communication.

Our Fixes

Our team recommended appropriate fixes for every potential threat identified in the e-reading application to our client. Here are our recommendations!

  • API for secure HTTP methods and transport-level encryption for secure communication.
  • Appropriate configurations for server address and handling of API, app error responses by removing sensitive details from the software cache.

Business Impact

Our client was much happier as we created strong premium walls for their application by breaking down all the security breaches. We created an automated vulnerability assessment and penetration test suite for their application to get rid of unauthorized access to premium accounts.

  • Complete coverage of breach scenarios with QA approach underlines with OWASP top 10 & SANS 25/CWE security standards.
  • Our team extensively defined the processes that led to extensive test coverages, inclusive of QA techniques like false-positive and binary analysis.
  • We created vertical privilege escalation methods to restrict the recreation of malicious versions.
  • Generated the reports by identifying the critical vulnerabilities & discussed with the development and production teams the security risks in the application with recommendations of fixes. The teams fixed the defects and delivered the e-reading software with zero loopholes for breaches.
  • Our VPAT solutions completely destroyed the security breaches, and there were zero reviews on the app store regarding security breaches. After implementing the QA solutions, the client app generated stable revenue on all three-quarters.
  • Our quality engineers reproduced the breaches and defects to generate detailed reports & test documents. Our test reports inferred the defects in the aspects of affected URLs with screenshots & logs. Our SME teams added-on the fixes in the reports to ease the client’s upgrade on the e-reading software!

Author: Pradeep Parthiban
Pradeep is a Content Writer and Digital Marketing Specialist at Indium Software with a demonstrated history of working in the information technology and services industry.