Mobile application development is trending, and its technology is constantly evolving. Most modern solutions have a client-server architecture. The client runs a mobile operating system, most often Android or iOS. The client part is downloaded to the device from the so-called app store – a specialized site where developers place their systems. From the point of view of the average user, the program installed on the smartphone is the mobile application, because it is with it that he interacts directly: making purchases, paying bills, viewing mail. But in reality there is another component, which is commonly referred to as the server.

The server part is on the side of the developer. Often its role is performed by the same software that is responsible for generating and processing the content on the site. In other words, most often the server part is a web application, which communicates with the mobile client over the Internet through a special interface (API). The server can rightly be considered the main part: it processes and stores information, and is also responsible for synchronizing user data between devices.

Modern versions of mobile operating systems have various built-in security mechanisms. For example, all installed programs are allowed by default to work only with files in their own home directories and user rights do not allow editing any system files. Despite this, mistakes made by developers when designing and writing mobile app code lead to security holes and open the door for cybercriminals.

Mobile app security due diligence involves looking for vulnerabilities in both the client and server sides, as well as evaluating the security of the data channel between them. In this study, we look at all of these aspects. We will also talk about the threats that await users, including those stemming from the interaction between the client and server parts of mobile applications. The research methodology and a portrait of the participants can be found at the end of the report.