Devlight Brings Enterprise-Grade Security Assurance to Mobile Applications with Velstadt
Velstadt supported Devlight in validating mobile application security for enterprise clients through tailored penetration testing, clear reporting, and practical remediation guidance.
- IT Services
- Mobile App Development
Executive Summary
Devlight is an IT company specializing in mobile app development, helping businesses become the number one brand on users’ smartphones. For over 10 years, Devlight has worked with businesses from the “Top 100 Forbes Ukraine” list, supporting companies across different sectors in building mobile products, improving customer experience, and moving toward a mobile-first business model.
With 120 projects created and 40M+ app downloads, Devlight builds mobile experiences for brands where reliability, usability, and trust are part of the product itself. When mobile applications become a primary channel between a business and its customers, security can no longer be treated as a final technical checkbox.
For enterprise mobile products, automated scanning can identify many common issues, but it rarely provides the full picture. Authentication and authorization flaws, insecure session management, sensitive data leakage, insecure local storage, weak cryptographic implementation, insecure network communication, and insufficient resilience against reverse engineering or tampering often require manual validation and a deep understanding of how the application is intended to work.
Velstadt supported Devlight as a mobile application security partner, bringing a tailored penetration testing approach that combined automated analysis, manual testing, reverse engineering, business logic validation, and practical remediation guidance.
The assessment was aligned with OWASP MASVS and OWASP MASTG, covering both technical vulnerabilities and business-relevant risks. Velstadt assessed mobile applications through static and dynamic analysis, secure data storage testing, secure communication testing, authentication and authorization testing, API interaction testing, reverse engineering, and mobile-specific attack scenarios.
The final deliverables went beyond a list of findings. Devlight received a detailed technical report with step-by-step reproduction guidance, severity explanation, business impact, remediation and mitigation recommendations, as well as an executive-level summary for C-level stakeholders.
This gave Devlight and its clients a clearer understanding of mobile application risks, helped prioritize remediation, reduced the likelihood of security issues reaching production, and strengthened confidence in the security of enterprise mobile products.
Key Results
OWASP MASVS / MASTG
Aligned with OWASP mobile security standards and guidance
Manual + Automated
Automated analysis combined with manual validation of real application behavior
Static + Dynamic
Application assessed through static analysis and runtime testing
Business Logic
Critical user flows tested against real-world abuse scenarios
2 Reports
Technical report for engineers and executive summary for management
STR
Findings documented with evidence, impact, and remediation guidance
The Challenge
The goal was to validate enterprise mobile applications against real-world security risks and provide both technical teams and management with clear, actionable findings.
Key challenges
- Validate security beyond automated scanning
- Identify authentication, authorization, session, and API weaknesses
- Assess secure communication and certificate handling
- Evaluate resilience against reverse engineering and tampering
- Test business logic scenarios missed by automated tools
- Provide clear steps to reproduce and remediation guidance
- Explain business impact for C-level stakeholders
Velstadt Approach
We applied a structured mobile penetration testing process aligned with OWASP MASVS, OWASP MASTG, and recognized penetration testing lifecycle practices.
Planning & Preparation
Defined the testing scope, target mobile platforms such as iOS and Android, rules of engagement, escalation contacts, test accounts, application builds, and access requirements for the test environment.
Reconnaissance
Reviewed available application context, including app store presence, metadata, documentation, exposed endpoints, technology stack, third-party SDKs, libraries, and external integrations.
Static Analysis
Analyzed the mobile application package without executing it to identify insecure configurations, hardcoded secrets, weak cryptographic implementation, excessive permissions, insecure storage patterns, and gaps in binary protections.
Dynamic Analysis
Tested the application during runtime to validate network communication, TLS usage, certificate handling, authentication and authorization flows, session behavior, local data storage, and error handling.
Manual Testing
Performed manual validation of business logic, API interactions, client-side protections, root and jailbreak detection, abuse scenarios, and mobile-specific attack paths that automated tools may miss.
Vulnerability Triage & PoC
Filtered false positives, prioritized findings based on technical severity and business context, and prepared controlled proof-of-concept evidence for key vulnerabilities.
Reporting & Remediation Support
Delivered a technical report with evidence, steps to reproduce, business impact, and remediation or mitigation guidance, along with an executive-level summary for management.
“Working with enterprise clients means that every mobile product must meet a higher standard. For us, security is not just a technical requirement, but part of the trust we build between brands and their users.”
Business Impact
- Enterprise trust: Shows that mobile products for leading brands are tested against real security risks.
- Data protection and compliance: Helps protect sensitive user data, reduce regulatory exposure, and support enterprise security requirements.
Do your mobile apps meet the level of trust your clients expect?
Velstadt helps teams uncover real mobile application risks, validate critical user flows, and turn security findings into clear remediation actions.
Cases & Succes Stories
More client success stories
See how other organizations strengthen detection and response with Velstadt.