Background
Our client is a pioneering Edtech startup located in the United States. They operate two mobile applications, one for iOS and one for Android. The client engaged our cybersecurity consulting team for a critical task: a security assessment of both applications.
Edtech Application Overview:
The educational mobile application developed by our client offers a set of core features aimed at enhancing the learning process: selecting a preferred language, accessing learning materials, and communicating with other application users. These features are powered by a backend hosted on Amazon Web Services (AWS) and exposed through a complex API.
Security Assessment Findings:
Our team conducted an exhaustive security assessment of the client's mobile learning applications and identified a spectrum of vulnerabilities. The most severe finding was in the application's API infrastructure, which posed the highest risk to user data: it enabled our consultants to gain unauthorized access to sensitive Personally Identifiable Information (PII) belonging to every application user. The exposed data also included users' hashed passwords. Although hashed, such values can be attacked offline by guessing candidate passwords, so their exposure threatens account security as well as user privacy.
Furthermore, the assessment highlighted notable shortcomings in the security controls implemented within the application. Weak cryptography in the password reset feature could allow a malicious actor who manipulates the reset process to gain unauthorized access to any user account in the application.
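The case study does not state which cryptographic weakness affected the client's reset flow, so the example below is an added illustration of a common pattern behind this class of finding, not the client's code or our actual finding: a reset token derived deterministically from values an attacker already knows (here, hypothetically, an MD5 of the e-mail address and a minute-granularity timestamp), contrasted with a token drawn from the OS CSPRNG, stored only as a hash, single-use, time-limited, and compared in constant time. All function names and the `ResetStore` class are invented for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# --- Weak pattern (hypothetical, for illustration only) ----------------------
# A reset token derived deterministically from data an attacker already knows
# (the victim's e-mail) plus a coarse timestamp. Anyone who knows the e-mail
# can recompute the same token within the same minute and reset the password.
def weak_reset_token(email: str, now: float) -> str:
    minute = int(now // 60)
    return hashlib.md5(f"{email}:{minute}".encode()).hexdigest()


def attacker_forges_weak_token(email: str, now: float) -> str:
    # No secret is involved: same inputs, same hash, no need to intercept
    # anything. This is the account-takeover path the pattern enables.
    return weak_reset_token(email, now)


# --- Hardened pattern ---------------------------------------------------------
TOKEN_TTL_SECONDS = 15 * 60  # reset links should expire quickly


@dataclass
class ResetStore:
    # email -> (sha256(token), expiry timestamp). Only the hash is persisted,
    # so a leaked database row does not hand out a usable token.
    pending: dict = field(default_factory=dict)


def issue_reset_token(store: ResetStore, email: str, now: float) -> str:
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode()).digest()
    store.pending[email] = (digest, now + TOKEN_TTL_SECONDS)
    return token  # sent to the user out of band (e-mail); never logged


def redeem_reset_token(store: ResetStore, email: str,
                       presented: str, now: float) -> bool:
    entry = store.pending.get(email)
    if entry is None:
        return False
    digest, expiry = entry
    if now > expiry:
        store.pending.pop(email, None)  # expired tokens are discarded
        return False
    presented_digest = hashlib.sha256(presented.encode()).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    ok = hmac.compare_digest(digest, presented_digest)
    if ok:
        store.pending.pop(email, None)  # single use: consume on success
    return ok


if __name__ == "__main__":
    # Constructed sample run.
    victim, t = "alice@example.com", 1_700_000_000.0
    print("attacker recomputes weak token:",
          attacker_forges_weak_token(victim, t) == weak_reset_token(victim, t))
    store = ResetStore()
    tok = issue_reset_token(store, victim, t)
    print("guess accepted:", redeem_reset_token(store, victim, "guess", t + 1))
    print("real token accepted:", redeem_reset_token(store, victim, tok, t + 1))
    print("replay accepted:", redeem_reset_token(store, victim, tok, t + 2))
```

The hardened version still needs the surrounding controls a reviewer would look for on a real reset endpoint: rate limiting on token issuance and redemption, invalidating all existing sessions after a successful reset, and not disclosing whether an e-mail address is registered.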
In total, our security assessment identified more than 30 vulnerabilities in the in-scope assets, with Common Vulnerability Scoring System (CVSS) scores ranging from 6.8 to 9.8. These findings underscored the need for immediate remediation to strengthen the application's security posture and protect user data.
Beyond identifying vulnerabilities, our assessment provided actionable recommendations for improving the security of the Edtech startup's mobile learning applications. Our team stands ready to work with the client to implement these recommendations and safeguard user data and the overall security of their educational platform.