Fuzzing of mobile application in the banking domain. A case study

Mobile applications are today ubiquitous, and everybody uses them on a daily basis. This applies also to security-critical mobile applications such as online banking apps. In today's architectures, these mobile applications are usually fed from the same source as mobile applications on smart phones, i.e. web services. This makes security testing of web services inevitable. Furthermore, regulation increases and requires stronger security mechanisms as with the strong customer authentication from the Revised European Payment Services Directive (PSD2). Automated security testing is a way to cope with the increasing requirements on assuring the security of such web services and their implemented security controls whilst dealing with decreasing resources for such efforts. In this paper, we present our experiences from a case study provided by Kuveyt Türk Bank performed within the ITEA-3 project TESTOMAT where we introduced automated security testing in terms of fuzzing to complement manual security testing.