Tesco Banking
Tesco Banking was working to make its Clubcard scheme more accessible to its customers and wanted to develop a Tesco Bank Credit Card with Clubcard integrated into its existing mobile banking application. The development team asked Complete Cyber to analyse its mobile architecture solution to confirm compliance and to ensure that mobile security best practices were being implemented.
SCOPE
CHALLENGES
The development team had already designed and begun building the modifications to the mobile banking application, so any changes proposed by our team would introduce extended delays. Careful consideration was therefore needed to minimise the impact on the team's go-live date for the integrated Clubcard/Credit Card.
OUTCOMES
We identified a series of issues in the proposed architecture that could allow a malicious adversary to compromise the mobile app if particular attack vectors were carried out. Our team therefore worked closely with the solution architects and developers to remediate our findings, for example by leveraging native iOS and Kotlin libraries rather than custom-built solutions for cryptography and secrets management. We also reviewed the interaction between the mobile app and the backend infrastructure owned and managed by Tesco Banking, identified issues around authentication of the app's microservices, and addressed these by introducing authentication for all calls made between the mobile app and the backend IT infrastructure.