Back
May 29, 2026 6 min read

Devlight Brings Enterprise-Grade Security Assurance to Mobile Applications with Velstadt

Velstadt supported Devlight in validating mobile application security for enterprise clients through tailored penetration testing, clear reporting, and practical remediation guidance.

Devlight Brings Enterprise-Grade Security Assurance to Mobile Applications with Velstadt

Executive Summary

Devlight is an IT company specializing in mobile app development, helping businesses become the number one brand on users’ smartphones. For over 10 years, Devlight has worked with businesses from the “Top 100 Forbes Ukraine” list, supporting companies across different sectors in building mobile products, improving customer experience, and moving toward a mobile-first business model.

With 120 projects created and 40M+ app downloads, Devlight builds mobile experiences for brands where reliability, usability, and trust are part of the product itself. When mobile applications become a primary channel between a business and its customers, security can no longer be treated as a final technical checkbox.

For enterprise mobile products, automated scanning can identify many common issues, but it rarely provides the full picture. Authentication and authorization flaws, insecure session management, sensitive data leakage, insecure local storage, weak cryptographic implementation, insecure network communication, and insufficient resilience against reverse engineering or tampering often require manual validation and a deep understanding of how the application is intended to work.

Velstadt supported Devlight as a mobile application security partner, bringing a tailored penetration testing approach that combined automated analysis, manual testing, reverse engineering, business logic validation, and practical remediation guidance.

The assessment was aligned with OWASP MASVS and OWASP MASTG, covering both technical vulnerabilities and business-relevant risks. Velstadt assessed mobile applications through static and dynamic analysis, secure data storage testing, secure communication testing, authentication and authorization testing, API interaction testing, reverse engineering, and mobile-specific attack scenarios.

The final deliverables went beyond a list of findings. Devlight received a detailed technical report with step-by-step reproduction guidance, severity explanation, business impact, remediation and mitigation recommendations, as well as an executive-level summary for C-level stakeholders.

This gave Devlight and its clients a clearer understanding of mobile application risks, helped prioritize remediation, reduced the likelihood of security issues reaching production, and strengthened confidence in the security of enterprise mobile products.

Key Results

OWASP MASVS / MASTG

Aligned with OWASP mobile security standards and guidance

Manual + Automated

Automated analysis combined with manual validation of real application behavior

Static + Dynamic

Application assessed through static analysis and runtime testing

Business Logic

Critical user flows tested against real-world abuse scenarios

2 Reports

Technical report for engineers and executive summary for management

STR

Findings documented with evidence, impact, and remediation guidance

The Challenge

The goal was to validate enterprise mobile applications against real-world security risks and provide both technical teams and management with clear, actionable findings.

Key challenges

  • Validate security beyond automated scanning
  • Identify authentication, authorization, session, and API weaknesses
  • Assess secure communication and certificate handling
  • Evaluate resilience against reverse engineering and tampering
  • Test business logic scenarios missed by automated tools
  • Provide clear steps to reproduce and remediation guidance
  • Explain business impact for C-level stakeholders

Velstadt Approach

We applied a structured mobile penetration testing process aligned with OWASP MASVS, OWASP MASTG, and recognized penetration testing lifecycle practices.

Planning & Preparation

Defined the testing scope, target mobile platforms such as iOS and Android, rules of engagement, escalation contacts, test accounts, application builds, and access requirements for the test environment.

Reconnaissance

Reviewed available application context, including app store presence, metadata, documentation, exposed endpoints, technology stack, third-party SDKs, libraries, and external integrations.

Static Analysis

Analyzed the mobile application package without executing it to identify insecure configurations, hardcoded secrets, weak cryptographic implementation, excessive permissions, insecure storage patterns, and gaps in binary protections.

Dynamic Analysis

Tested the application during runtime to validate network communication, TLS usage, certificate handling, authentication and authorization flows, session behavior, local data storage, and error handling.

Manual Testing

Performed manual validation of business logic, API interactions, client-side protections, root and jailbreak detection, abuse scenarios, and mobile-specific attack paths that automated tools may miss.

Vulnerability Triage & PoC

Filtered false positives, prioritized findings based on technical severity and business context, and prepared controlled proof-of-concept evidence for key vulnerabilities.

Reporting & Remediation Support

Delivered a technical report with evidence, steps to reproduce, business impact, and remediation or mitigation guidance, along with an executive-level summary for management.

Services Used

Mobile Penetration Testing Application Security

“Working with enterprise clients means that every mobile product must meet a higher standard. For us, security is not just a technical requirement, but part of the trust we build between brands and their users.”

Business Impact

  • Enterprise trust: Shows that mobile products for leading brands are tested against real security risks.
  • Data protection and compliance: Helps protect sensitive user data, reduce regulatory exposure, and support enterprise security requirements.

Do your mobile apps meet the level of trust your clients expect?

Velstadt helps teams uncover real mobile application risks, validate critical user flows, and turn security findings into clear remediation actions.

Cases & Succes Stories

More client success stories

See how other organizations strengthen detection and response with Velstadt.