Plynt Certification Criteria for Mobile Applications

The awarding of the Plynt Certificate establishes that a web application has adequate measures to guard against remote adversaries and protect against a wide range of threats.

This document defines the Plynt Certification Standard for Mobile Applications. It details the criteria that a Mobile application must meet in order to be awarded the Certificate.


(Plynt)… Provided cost effective security testing service and exceeded Medmarc’s technical expectations. Their professionalism is evidenced by their high quality work.

– Richard Wilkins, Medmarc Insurance

The Certification Standard Is Composed of 10 Criteria

Defends against Business Logic Threats

The application must demonstrate its defence against threats specified in a Threat Profile that has been developed specifically for the mobile application.

Defends against code tampering
No Sample or Test Applications

Self-signing the recompiled APP build can breach the trust of users, as it contains modified data. An attacker can upload the replica of the APP to the store with a relevant name, wherein the details of legitimate users get exposed.

Defends against the unauthorized usage of device resources
No sensitive data are sent to other websites-applications in an insecure manner

The application must ensure that untrusted input is validated before it is used by any device resource. The application must not abuse the device resources.

Operating Systems implement functionalities that use mobile OS-related features. The application must implement these features securely, without introducing vulnerabilities.

Protects against data leakage
Protects against data leakage

The application must demonstrate adequate measures to protect sensitive data from being accessed whenever the device is lost or stolen. The application must not store sensitive data in the local storage, APP installation and property files.

The application must not leak data through channels such as the application cache, logs, temporary directories, etc. wherein the data is usually retained indefinitely.

Protects against popular server-side attacks
Protects against popular server-side attacks

The application must demonstrate, through testing, that it is not vulnerable to popular server-side attacks.

Protects sensitive data in transmission
Protect Sensitive Data in Transmission

The application must take adequate measures to protect sensitive data from being stolen over the network. It must protect the data in transmission by implementing strong encryption.

Backend services and servers protected against known vulnerabilities

Mobile applications connect to backend services in order to send and receive data. These services must be protected against vulnerabilities that are directly exploitable throughout the application.

The backend server must be updated and protected against known vulnerabilities. The web service running on the server that houses the application must not be vulnerable to publicly known exploitable vulnerabilities.

No sensitive data in the APP build

The application must not retain hardcoded data like passwords and encryption keys.

Strong code obfuscation and cryptography techniques

The application’s source code must be protected against data leakage, while disassembling the application package.

Sensitive activities are re-authenticated

The application must re-authenticate the user before allowing the user to perform an operation involving sensitive data. Examples of operations involving sensitive data are Change Password, Payments and Transaction Approval.



Sample Penetration Test Report


Certification Criteria

Application We Tested Icon HP

Apps we’ve tested

Request a Proposal

Our quote contains the best price, the time estimate, and our
methodology; and we’ll mail you the quote in 24 hours

Start typing and press Enter to search