Macksofy Technologies
Telecom · Mobile Security
GCC · Enterprise · 2025

Account-takeover at scale found in a GCC telecom's pre-launch app — fixed before public release

Two weeks before public launch, a Gulf-based mobile carrier asked Macksofy to pentest its refreshed customer app. We found a cleartext API key in Android shared_prefs which, chained with an insecure deeplink, allowed silent account takeover of any customer who tapped a single SMS link.

Telecom · GCC · UAE · Mobile Pentest · iOS · Android · Deeplink · API Key
Engagement summary
Client · GCC Telecom Operator
Sector · Telecom
Region · GCC
Engagement · Mobile Security
Year · 2025
Duration · 10 working days

10d · Total engagement
5 · Findings (2 critical, 2 high, 1 medium)
0 · Findings open at launch
4M · Subscribers protected
The challenge

What the client was up against.

Two-week launch window, four million subscribers

The operator was migrating four million subscribers from a legacy MyAccount portal to a refreshed iOS + Android app. A delayed launch meant per-day SLA penalties; a launched-then-broken app meant a regulator-grade incident.

Mobile + API + telecom-grade auth

Authentication blended SIM-based silent OTP with a per-installation API key that the app stored locally and the backend treated as proof of customer identity. The deeplink layer tied SMS campaigns straight into in-app actions, exactly the surface where a single validation mistake produces account takeover.

Approach

How we ran the engagement, phase by phase.

Phase 01 · Static + binary analysis

  • Decompiled iOS and Android binaries; mapped sensitive method surface
  • Audited shared_prefs / NSUserDefaults / Keychain / Keystore usage
  • Listed every embedded secret, certificate and API token

Phase 02 · Runtime + traffic interception

  • Instrumented the app under Frida to bypass cert-pinning for testing
  • Captured the full API surface including silent-OTP and bill-pay flows
  • Replayed every transactional API call against a parallel test subscriber

Phase 03 · Deeplink + intent abuse

  • Enumerated all registered URL schemes and intent filters
  • Crafted attacker-origin SMS payloads to test deeplink validation
  • Tested cross-app intent bridging on Android (implicit intents)

Phase 04 · Backend boundary tests

  • Tested every authenticated endpoint for cross-account access
  • Tested rate-limiting on bill-pay, recharge and add-on subscription
  • Reviewed SMS template injection inside the campaign engine

Phase 05 · Live retest before launch

  • Same-day patches retested on both Android and iOS
  • Final signoff document delivered 48 hours before the launch ceremony

Findings

What we surfaced — severity, title, real-world impact.

Critical · API key in Android shared_prefs (cleartext)

On a rooted device, or from any Android backup, the per-installation API key could be read in cleartext, and the backend treated that key as proof of customer identity.

Critical · Insecure deeplink: addPaymentInstrument://?token=…

Tapping a crafted SMS link silently bound an attacker-controlled card to the victim's account, which the SIM-based silent-OTP path then authorised without any user interaction. Account takeover took one tap.
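The chain above comes down to a handler that ran whatever action the link named and forwarded whatever token the link carried. What follows is an added example in Python, not the operator's app code and not Macksofy's deeplink-allowlist library: the finding's dispatch pattern beside an allowlisting router that refuses unknown actions, refuses credential-like or unexpected query parameters, and never executes a sensitive action without an in-app confirmation. The action table, parameter names and the Decision type are assumptions for illustration; in a real app the same checks sit in the Android intent handler and the iOS openURL handler.

```python
"""Deeplink dispatch: the pattern behind the finding beside an allowlisting router."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hypothetical action table. Only actions named here may be reached from a link,
# and the policy decides which parameters, if any, a link may supply for them.
ALLOWLIST = {
    "viewbill":             {"sensitive": False, "params": {"invoice"}},
    "recharge":             {"sensitive": True,  "params": {"amount"}},
    "addpaymentinstrument": {"sensitive": True,  "params": set()},
}

# Parameter names that must never arrive via a deeplink: a link is attacker-
# controlled input, not a channel for credentials or server-issued tokens.
CREDENTIAL_PARAMS = {"token", "otp", "session", "auth", "apikey"}


@dataclass
class Decision:
    action: Optional[str]
    params: dict = field(default_factory=dict)
    executed: bool = False            # True only when the app acts without asking
    needs_confirmation: bool = False  # open the screen, then wait for the user
    reason: str = ""


def vulnerable_dispatch(url: str) -> Decision:
    """What the finding describes: the scheme names the action, the query is trusted.

    The token is handed straight to the backend, which then authorises the
    binding through the silent-OTP path; nobody asks the user anything.
    """
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return Decision(parts.scheme, params, executed=True, reason="no validation")


def hardened_dispatch(url: str) -> Decision:
    """Allowlist the action, reject credential-like and unexpected parameters,
    and never execute a sensitive action without an in-app confirmation."""
    parts = urlsplit(url)
    action = parts.scheme.lower()
    policy = ALLOWLIST.get(action)
    if policy is None:
        return Decision(None, reason=f"action not on allowlist: {action!r}")

    # keep_blank_values so `?token=` is still seen; parse_qs also percent-decodes
    # names, so `%74oken` cannot slip past the name check below.
    params = {k.lower(): v[0]
              for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    leaked = params.keys() & CREDENTIAL_PARAMS
    if leaked:
        return Decision(None, reason=f"credential-like parameter(s): {sorted(leaked)}")
    unexpected = params.keys() - policy["params"]
    if unexpected:
        return Decision(None, reason=f"unexpected parameter(s): {sorted(unexpected)}")

    if policy["sensitive"]:
        # Open the screen, but the action only proceeds after the user confirms
        # in-app and the backend issues its own challenge for this session.
        return Decision(action, params, needs_confirmation=True,
                        reason="sensitive action: user confirmation required")
    return Decision(action, params, executed=True, reason="safe navigation")


if __name__ == "__main__":
    sms_link = "addPaymentInstrument://?token=ATTACKER-CARD-TOKEN"  # constructed
    print(vulnerable_dispatch(sms_link))
    print(hardened_dispatch(sms_link))
    print(hardened_dispatch("viewBill://?invoice=10023"))
```

Percent-decoding of parameter names and keep_blank_values matter: `?%74oken=` would otherwise pass an exact-name check with an empty value and the backend would still receive a token-shaped field to act on. The router only decides; the sensitive branch is what replaces the silent authorisation in the finding, because a link tap is never evidence that the account holder wants a new card bound.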

High · Cert-pinning trivially bypassed

Pinning was enforced only on the login screen; every other API call accepted user-installed CAs, so MITM on hostile Wi-Fi was straightforward.

High · Bill-pay endpoint missing per-customer rate-limit

The endpoint accepted more than 10,000 bill-pay attempts per minute against a single account, enough to brute-force short numeric voucher codes.
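An added example of the per-customer control this finding calls for, not the operator's backend: a sliding window over failed attempts with a lockout, followed by a simulation of the reported rate, 10,000 attempts in a minute against one account. Thresholds, customer IDs and the evenly spaced timing are illustrative.

```python
"""Per-customer sliding-window limit with lockout for a bill-pay / voucher endpoint."""
from collections import defaultdict, deque


class PerCustomerLimiter:
    """Count failed attempts per customer inside a sliding window; lock out on breach.

    Only failures count, so a legitimate customer paying several bills in a
    minute is unaffected, while a voucher-code brute force is cut off after
    `max_failures` guesses and then blocked for `lockout_s` seconds.
    Thresholds are illustrative, not the operator's production values.
    """

    def __init__(self, max_failures: int = 5, window_s: float = 60.0,
                 lockout_s: float = 900.0):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._failures = defaultdict(deque)   # customer_id -> failure timestamps
        self._locked_until = {}               # customer_id -> unlock time

    def _evict(self, customer_id: str, now: float) -> None:
        q = self._failures[customer_id]
        while q and now - q[0] > self.window_s:
            q.popleft()

    def allow(self, customer_id: str, now: float) -> bool:
        """Gate one attempt; False while locked out or once the window is full."""
        if self._locked_until.get(customer_id, 0.0) > now:
            return False
        self._evict(customer_id, now)
        if len(self._failures[customer_id]) >= self.max_failures:
            self._locked_until[customer_id] = now + self.lockout_s
            return False
        return True

    def record_failure(self, customer_id: str, now: float) -> None:
        """Called by the endpoint when a voucher code or payment is rejected."""
        self._failures[customer_id].append(now)


def simulate_bruteforce(limiter: PerCustomerLimiter, customer_id: str,
                        attempts: int, seconds: float) -> int:
    """Spread `attempts` wrong voucher codes evenly over `seconds`; return how
    many the limiter lets through to the backend."""
    reached_backend = 0
    for i in range(attempts):
        now = i * seconds / attempts
        if limiter.allow(customer_id, now):
            reached_backend += 1
            limiter.record_failure(customer_id, now)  # every guess is wrong
    return reached_backend


if __name__ == "__main__":
    # The finding's rate, 10,000+ attempts in a minute, against one account.
    limiter = PerCustomerLimiter()
    print("attempts reaching backend:",
          simulate_bruteforce(limiter, "cust-0001", attempts=10_000, seconds=60))
```

Counting only failures keeps a legitimate customer who pays several bills in a row out of the lockout. A per-source bucket (IP or device) belongs alongside this one for an attacker who rotates target accounts instead of codes; that case is left out here.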

Medium · Verbose logging to system log

Auth tokens and partial PAN values were written to logcat (Android) and the unified log (iOS) in production builds.
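The Phase 01 storage audit, the cleartext-key finding above and this logging finding reduce to the same check: scan what can be pulled off a device for credential-looking material. The Python below is an added example of that check, not Macksofy's tooling. The shared_prefs XML and the logcat lines are constructed samples with made-up values; the entropy threshold, the secret-name pattern and the token regexes are judgment calls to tune per app.

```python
"""Scan device-side artifacts (shared_prefs XML, logcat lines) for credential material."""
import math
import re
import xml.etree.ElementTree as ET

# Constructed sample of /data/data/<pkg>/shared_prefs/<name>.xml as pulled from a
# rooted device or an `adb backup`; every value is made up.
SHARED_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="theme">dark</string>
    <string name="api_key">AKc7q9Zt3bXw1LmP8vR2sH4dY6nF0gJk</string>
    <string name="install_ref">pX9vL2qR7tY4wZ1nB6cM3kH8</string>
    <string name="msisdn">971500000000</string>
    <boolean name="onboarded" value="true" />
</map>
"""

# Constructed logcat lines; the JWT, session value and card numbers are fake.
LOGCAT_LINES = [
    "D/NetClient: GET /v2/account Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MjAxIn0.c2lnbmF0dXJl",
    "I/BillPay: bound instrument 4111111111111111 exp 12/27",
    "V/UI: rendered AccountFragment in 31ms",
    "D/Auth: silent-otp ok, session=8f3c2a9d0e1b4c7f",
    "I/BillPay: saved card 411111******1111",
]

SECRET_NAME_RE = re.compile(r"api[_-]?key|secret|token|password|session", re.I)
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]+")
# A hex token must contain at least one letter, so a card number is not
# reported twice (once as a token, once as a PAN).
HEX_TOKEN_RE = re.compile(r"\b(?=[0-9a-f]*[a-f])[0-9a-f]{16,}\b")
DIGIT_RUN_RE = re.compile(r"\b\d{13,19}\b")
MASKED_PAN_RE = re.compile(r"\b\d{4,6}\*{4,}\d{4}\b")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys score above prose or config."""
    if not s:
        return 0.0
    return -sum(n / len(s) * math.log2(n / len(s))
                for n in (s.count(c) for c in set(s)))


def luhn_ok(digits: str) -> bool:
    """Luhn check, which separates card numbers from timestamps and IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def scan_shared_prefs(xml_text: str) -> list:
    """(pref name, reason) for each string value that looks like a secret."""
    hits = []
    for el in ET.fromstring(xml_text):
        if el.tag != "string":
            continue
        name, value = el.get("name", ""), (el.text or "").strip()
        if SECRET_NAME_RE.search(name):
            hits.append((name, "secret-like preference name"))
        elif len(value) >= 20 and shannon_entropy(value) >= 4.0:
            hits.append((name, f"high-entropy value, {shannon_entropy(value):.2f} bits/char"))
    return hits


def scan_log_line(line: str) -> list:
    """Labels for the credential or card material found in one log line."""
    found = []
    if JWT_RE.search(line):
        found.append("jwt")
    if HEX_TOKEN_RE.search(line):
        found.append("hex-token")
    if any(luhn_ok(run) for run in DIGIT_RUN_RE.findall(line)):
        found.append("pan")
    if MASKED_PAN_RE.search(line):
        found.append("masked-pan")
    return found


def scan_log(lines) -> dict:
    """Line index -> labels, for the lines that leak something."""
    return {i: labels for i, line in enumerate(lines) if (labels := scan_log_line(line))}


if __name__ == "__main__":
    print("shared_prefs:", scan_shared_prefs(SHARED_PREFS_XML))
    print("logcat:", scan_log(LOGCAT_LINES))
```

Masked PANs get their own pattern because a `411111******1111` fragment is still cardholder data, which is what "partial PAN values" in the finding means in practice. Run scan_shared_prefs over every file in the app's shared_prefs directory and scan_log over `adb logcat -d` output from a production build; anything flagged should move to Keystore/Keychain-backed storage or be stripped from logging before release.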

Outcome

What changed for the client.

Launched on time with zero critical findings open

All five findings, the two critical and two high-severity issues included, were patched and live-retested before the public-launch ceremony. The operator avoided what would otherwise have been a near-certain regulator-reported incident in week one.

Hardened deeplink + secret-storage design

Macksofy's report shipped with developer-ready remediation patterns — a deeplink-allowlist library and a Keychain/Keystore wrapper — that the platform team adopted across all five sub-brand apps.

Rolled into ongoing quarterly retainer

After launch, the operator engaged Macksofy for a quarterly mobile + API pentest cycle covering all five consumer apps and the operator's MNO partner integrations.

We had two weeks to launch and Macksofy showed us, on a recorded video, exactly how an SMS link could take over a customer in one tap. That changed the launch plan — and saved the launch.
VP Digital Channels · GCC Telecom Operator
Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.

CERT-In Empanelled Information Security Auditor · India
  • EC-Council ATC · CompTIA Authorized
  • 20,000+ professionals trained
  • India + UAE engagements