UNIQA: iOS App Security Assessment

Client:

Uniqa Insurance — a major international insurance company headquartered in Vienna

Industry:

Insurance

Focus:

Protection of personal and financial data in the mobile application

Main challenge:

Security testing of the iOS app to prevent data leaks and unauthorized access

Market:

Central and Eastern Europe

Services provided:

iOS app pentest, authentication, API & integration analysis

Key Takeaways

Improved GDPR compliance and data handling

Strengthened API security and authentication

Identified 19 vulnerabilities, including one critical issue

Conducted a Gray-box penetration test of the iOS app

Delivered a report with clear risk mitigation recommendations

vulnerabilities identified

GDPR

requirements addressed

100%

on-time delivery

Dec 20, 2024

14 min

UNIQA Insurance commissioned a security audit of its iOS app to prevent leaks of personal and financial data. During a Gray-box penetration test, the Datami team identified 19 vulnerabilities and provided recommendations that helped reduce risks and improve GDPR compliance.

Uniqa Insurance is an international insurance corporation headquartered in Vienna, operating across Central and Eastern Europe. The company actively leverages mobile apps, a website, a client portal, and online services that serve tens of thousands of clients daily.

For UNIQA, protecting against data leaks, unauthorized access, and mobile app breaches is absolutely critical.

Tasks and challenges

UNIQA Insurance operates in the high-risk financial sector, processing customers’ personal and financial data while complying with ISO 27001 and GDPR standards.

Due to the risk of data breaches and app hacks, the company initiated a scheduled security test of its iOS app, the key channel for customer interaction.

Conduct a penetration test of the iOS app, including API and backend components.
Analyze authentication, network traffic, and integrations with other services.
Identify all vulnerabilities and prepare a detailed report with recommendations.
Ensure compliance with GDPR and financial industry security standards.

Perform penetration testing

Test the iOS app for vulnerabilities

Assess cyber protection

Analyze risks of data leaks and account breaches

Prepare a comprehensive report

Describe issues and risks, provide recommendations

Datami’s methodology for UNIQA Insurance security testing

Our approach

Within the project, we performed a comprehensive security review of UNIQA’s iOS app, covering API requests, authentication, network traffic, and third-party integrations.

The main method was a penetration test using the Gray-box approach. We combined automated scanning (Burp Suite, OWASP Mobile Testing Guide) with manual testing and custom scripts to analyze critical areas.

This approach allowed us to identify 19 vulnerabilities, including one critical issue, and to deliver detailed technical recommendations for remediation.

Gray-box

The team had limited access to technical information. This enabled us to simulate real-world attack scenarios from the perspective of a partially informed attacker, achieving a balance between depth and realism.

Main project stages and decisions

During the project, the team discovered third-party integrations that were not initially reported by the client and promptly included them in the assessment. This allowed us to cover all critical system components.

The project was delivered in full and on time. Communication with the UNIQA team was transparent, with regular updates ensuring clarity and a quick response to any issues.

The workflow included several key stages:

Preparation

— planning, clarifying technical details, and analyzing the app’s architecture to identify risk areas.
iOS app penetration testing (gray-box)

— testing APIs, authentication, network traffic, and integrations using a mix of automated and manual methods.
Analysis and reporting

— compiling a detailed report on the work performed, along with recommendations to eliminate vulnerabilities and strengthen overall security.

Fewer critical risks — more confidence

Results and recommendations

At the start of the project, the security level of the UNIQA mobile app was assessed as moderately risky: one high-risk and several configuration issues posed potential threats to personal and financial data. During the penetration test, the Datami team identified 19 vulnerabilities, including one critical.

After implementing the recommendations, the system became significantly more resilient to attacks: the risk of unauthorized access was substantially reduced, the probability of data leakage was minimized, and compliance with GDPR and financial standards was improved.

The client received clear recommendations for further strengthening cybersecurity, including:

remediation of vulnerabilities;
a review of authentication processes;
verification of all third-party integrations.

UNIQA not only gained a better understanding of technical risks and actionable steps for remediation but also reduced potential financial and reputational losses. All project objectives were achieved.

Key project outcomes

Thanks to the collaboration with Datami, UNIQA Insurance received comprehensive security testing of its iOS application (19 vulnerabilities identified, including one critical) and clear recommendations for their elimination. The system became more resilient to attacks, and GDPR compliance was significantly improved.

This cybersecurity case study proves that even large-scale companies working with sensitive data require regular penetration testing — a cornerstone of digital security that helps avoid financial, legal, and reputational risks.

Stability and Security for Real-Time Trading

Hardened two web apps and APIs against exploits and DDoS
Maintained full service availability

Services:

Black-box web app pentesting, implementation of Dataguard

Jul 8, 2025

Security Audit of P2P Platform for GDPR Compliance

Prevented PII exposure and logic abuse in critical flows
Delivered fixes to align with GDPR and security best practices

Services:

Penetration testing, smart contract audit, code security review

Jun 27, 2025

Security Audit of Banking Web, Mobile & API Systems

Ensured PCI DSS and ISO 27001 readiness with full-scope testing
Prevented DoS attack and mitigated critical vulnerabilities

Services:

Black-box pentest of web resources and infrastructure

Jun 6, 2025

Back to all cases

Datami articles

Datami Newsroom

Ingram Micro confirms ransomware attack

California-based company Ingram Micro, headquartered in Irvine, California, has reported the discovery of ransomware in its internal systems. The attackers caused a disruption in order processing.

Jul 31, 2025 3 min

Automation vs. Pentesters: Can AI Replace Humans?

Datami Newsroom

Automation vs. Pentesters: Can AI Replace Humans?

Every year, companies are increasingly integrating automated tools into their cybersecurity processes. Automation is just one auxiliary tool that comes with both advantages and disadvantages that must be kept in mind.

Jul 25, 2025 3 min

Aviation and Cyber Threats: TOP Hacker Attacks on Airports and Aircraft

Datami Newsroom

Aviation and Cyber Threats: TOP Hacker Attacks on Airports and Aircraft

The aviation industry is one of the most technologically advanced sectors, significantly influenced by digitalization. At the same time, this increases its vulnerability to cyber threats, which can have catastrophic consequences.

Jul 23, 2025 3 min

Show all articles

On this page you will learn what cookies are and how and when we use them. Definition of the term Cookies Cookies are pieces of data that a web server generates and that a website stores on your user device (computer, smartphone, tablet, etc.). Each website or third-party service sends cookies to the browser installed on your device only if your browser allows it. This is possible if you have not set any restrictions in your browser settings to save cookies. Browsers are a very well thought out technology. They protect personal data and allow websites to access only cookies that were previously sent to them. Cookies are divided into: session cookies. They are stored in the memory of the browser only during your session, after leaving the site immediately removed. permanent. They are stored in the memory of the browser for a long time. Definition of the term “browser” A browser is an application for browsing websites. The most popular browsers are Chrome, Internet Explorer, Firefox and Safari. All listed browsers are safe. In the settings of these browsers, cookies can be easily disabled, as well as change the settings of their work. You can: accept all cookies; ask the browser to notify when cookies are used; do not accept cookies. Cookies on ak1-3.com.ua and how we use them We use cookies to: our site is more functional; to understand how you navigate on the site, what content you consume better, to develop the content strategy of the site; understand how many visits to the site were per day, month, year. Analyze the geographical identity of users of the site, the number of repeated visits and other data. Cookies that we use on our site. Third-party cookies. The buttons of social networks, videos and some other services of our site are the property of other companies. These companies may also use cookies on your device if you have used them on our site or have been previously registered with them. The privacy policy of the use of personal data by these services can be found on the websites of these services. Blocking cookies All browsers allow simple actions to disable cookies. To disable them, you must go to your browser settings and find cookies in them. But we must remember that blocking cookies can have a negative impact on the performance of many websites. How to delete files You can also always delete cookies that are stored on your computer. To do this, follow the instructions of your browser Again, deleting cookies can have a negative effect on the performance of many websites.