Case Study UNIQA Insurance: Cybersecurity Testing of the Insurance Company’s iOS App

Client:

Uniqa Insurance — a major international insurance company headquartered in Vienna

Industry:

Healthcare

Focus:

Protection of personal and financial data in the mobile application

Main challenge:

Security testing of the iOS app to prevent data leaks and unauthorized access

Market:

Central and Eastern Europe

Services provided:

Mobile app (iOS) penetration testing, authentication analysis, API review, network traffic inspection, and integration testing.

Key Takeaways

Conducted a Gray-box penetration test of the iOS app

Audited critical components: API, authentication, and integrations

Identified 19 vulnerabilities, including one critical issue

Delivered a report with clear risk mitigation recommendations

Improved security level and GDPR compliance

vulnerabilities identified

GDPR

requirements addressed

100%

on-time delivery

Case Study UNIQA Insurance: Cybersecurity Testing of the Insurance Company’s iOS App

May 10, 2025

14 min

UNIQA Insurance commissioned a security audit of its iOS app to prevent leaks of personal and financial data. During a Gray-box penetration test, the Datami team identified 19 vulnerabilities and provided recommendations that helped reduce risks and impro

Uniqa Insurance is an international insurance corporation headquartered in Vienna, operating across Central and Eastern Europe. The company actively leverages mobile apps, a website, a client portal, and online services that serve tens of thousands of clients daily.

For UNIQA, protecting against data leaks, unauthorized access, and mobile app breaches is absolutely critical.

Tasks and challenges

UNIQA Insurance operates in the high-risk financial sector, processing customers’ personal and financial data while complying with ISO 27001 and GDPR standards.

Due to the risk of data breaches and app hacks, the company initiated a scheduled security test of its iOS app, the key channel for customer interaction.

Conduct a penetration test of the iOS app, including API and backend components.
Analyze authentication, network traffic, and integrations with other services.
Identify all vulnerabilities and prepare a detailed report with recommendations.
Ensure compliance with GDPR and financial industry security standards.

Perform penetration testing

Test the iOS app for vulnerabilities

Assess cyber protection

Analyze risks of data leaks and account breaches

Prepare a comprehensive report

Describe issues and risks, provide recommendations

Datami’s methodology for UNIQA Insurance security testing

Our approach

Within the project, we performed a comprehensive security review of UNIQA’s iOS app, covering API requests, authentication, network traffic, and third-party integrations.

The main method was a penetration test using the Gray-box approach. We combined automated scanning (Burp Suite, OWASP Mobile Testing Guide) with manual testing and custom scripts to analyze critical areas.

This approach allowed us to identify 19 vulnerabilities, including one critical issue, and to deliver detailed technical recommendations for remediation.

Gray-box

The team had limited access to technical information. This enabled us to simulate real-world attack scenarios from the perspective of a partially informed attacker, achieving a balance between depth and realism.

Main project stages and decisions

During the project, the team discovered third-party integrations that were not initially reported by the client and promptly included them in the assessment. This allowed us to cover all critical system components.

The project was delivered in full and on time. Communication with the UNIQA team was transparent, with regular updates ensuring clarity and a quick response to any issues.

The workflow included several key stages:

Preparation

— planning, clarifying technical details, and analyzing the app’s architecture to identify risk areas.
iOS app penetration testing (gray-box)

— testing APIs, authentication, network traffic, and integrations using a mix of automated and manual methods.
Analysis and reporting

— compiling a detailed report on the work performed, along with recommendations to eliminate vulnerabilities and strengthen overall security.

Fewer critical risks — more confidence

Results and recommendations

At the start of the project, the security level of the UNIQA mobile app was assessed as moderately risky: one high-risk and several configuration issues posed potential threats to personal and financial data. During the penetration test, the Datami team identified 19 vulnerabilities, including one critical.

After implementing the recommendations, the system became significantly more resilient to attacks: the risk of unauthorized access was substantially reduced, the probability of data leakage was minimized, and compliance with GDPR and financial standards was improved.

The client received clear recommendations for further strengthening cybersecurity, including:

remediation of vulnerabilities;
a review of authentication processes;
verification of all third-party integrations.

UNIQA not only gained a better understanding of technical risks and actionable steps for remediation but also reduced potential financial and reputational losses. All project objectives were achieved.

Key project outcomes

Thanks to the collaboration with Datami, UNIQA Insurance received comprehensive security testing of its iOS application (19 vulnerabilities identified, including one critical) and clear recommendations for their elimination. The system became more resilient to attacks, and GDPR compliance was significantly improved.

This cybersecurity case study proves that even large-scale companies working with sensitive data require regular penetration testing — a cornerstone of digital security that helps avoid financial, legal, and reputational risks.

Case Study: Comprehensive Security Assessment for a Large Financial Institution

Pentest and Code Review were conducted for digital services including web portals, mobile applications, APIs, POS terminals, and the internal network.
106 vulnerabilities were identified, including a potential DoS attack targeting the call center, which was successfully blocked before execution.

Services provided:

Security Code Review, Penetration Testing (Black-box and Gray-box) of web portals, mobile applications, APIs, POS terminals, and parts of the internal network;

May 10, 2025

Case Study HUSPI: Security Assessment of Frontend and Backend Servers in Docker Containers

Conducted a white-box penetration test of servers and Docker containers
Reduced the risk of data leaks through inter-container interaction by 80–90%

Services provided:

Comprehensive white-box penetration testing of two servers (frontend and backend) in Docker, including a full assessment of containerized environments and network interactions.

May 10, 2025

Case Study UNIQA Insurance: Cybersecurity Testing of the Insurance Company’s iOS App

Conducted a Gray-box penetration test of the iOS app
Audited critical components: API, authentication, and integrations

Services provided:

Mobile app (iOS) penetration testing, authentication analysis, API review, network traffic inspection, and integration testing.

May 10, 2025

Back to all cases

Datami articles

Internal Network Penetration Testing: Identify Vulnerabilities Before Attackers Do

Oleksandr Filipov: Security engineer at Datami, author of articles

Internal Network Penetration Testing: Identify Vulnerabilities Before Attackers Do

Learn what an Internal Network Penetration Test is and how to prepare for it. Discover the meaning, stages, and challenges of conducting an Internal Network Pen Testing.

May 8, 2025

Network Penetration Testing: What Is It?

Oleksandr Filipov: Security engineer at Datami, author of articles

Network Penetration Testing: What Is It?

What is network penetration testing? Learn more about the approaches and types of network pentests, the key stages, and the outcomes of a network penetration test.

May 1, 2025

Cybersecurity in healthcare: why hospitals have become a favorite target for hackers

Oleksandr Filipov: Security engineer at Datami, author of articles

Cybersecurity in healthcare: why hospitals have become a favorite target for hackers

Cybersecurity in healthcare is at risk: hospitals face more cyberattacks than banks. Learn how to protect medical data with expert tips from Datami.

Apr 24, 2025

Show all articles

On this page you will learn what cookies are and how and when we use them. Definition of the term Cookies Cookies are pieces of data that a web server generates and that a website stores on your user device (computer, smartphone, tablet, etc.). Each website or third-party service sends cookies to the browser installed on your device only if your browser allows it. This is possible if you have not set any restrictions in your browser settings to save cookies. Browsers are a very well thought out technology. They protect personal data and allow websites to access only cookies that were previously sent to them. Cookies are divided into: session cookies. They are stored in the memory of the browser only during your session, after leaving the site immediately removed. permanent. They are stored in the memory of the browser for a long time. Definition of the term “browser” A browser is an application for browsing websites. The most popular browsers are Chrome, Internet Explorer, Firefox and Safari. All listed browsers are safe. In the settings of these browsers, cookies can be easily disabled, as well as change the settings of their work. You can: accept all cookies; ask the browser to notify when cookies are used; do not accept cookies. Cookies on ak1-3.com.ua and how we use them We use cookies to: our site is more functional; to understand how you navigate on the site, what content you consume better, to develop the content strategy of the site; understand how many visits to the site were per day, month, year. Analyze the geographical identity of users of the site, the number of repeated visits and other data. Cookies that we use on our site. Third-party cookies. The buttons of social networks, videos and some other services of our site are the property of other companies. These companies may also use cookies on your device if you have used them on our site or have been previously registered with them. The privacy policy of the use of personal data by these services can be found on the websites of these services. Blocking cookies All browsers allow simple actions to disable cookies. To disable them, you must go to your browser settings and find cookies in them. But we must remember that blocking cookies can have a negative impact on the performance of many websites. How to delete files You can also always delete cookies that are stored on your computer. To do this, follow the instructions of your browser Again, deleting cookies can have a negative effect on the performance of many websites.