
2026 security assessment of our Android app


Our Android app has for the second time passed MASA, a standardized security assessment, conducted by Leviathan Security Group.

Following last year’s assessment we’ve recently conducted the Mobile Application Security Assessment (MASA) to further ensure our compliance with modern secure mobile app development. It checked version 2026.2 of our app against the Mobile App Profile (MAP) specification and identified a few minor issues. These issues were addressed in version 2026.3-beta3 (later released as 2026.3), which resulted in a pass for our app.

Overview of findings

The initial testing round identified six issues, of which one was a false positive and one was not applicable. Here is an overview of the four issues we addressed; each was re-tested against version 2026.3-beta3.

1.5.1.4 All Pending Intents shall be immutable or otherwise justified for mutability

A few PendingIntents were incorrectly marked as mutable. However, we do not believe this posed much risk to our users, since the app has very limited intent capabilities.

Conclusion: We agree with the finding and the intents have been changed to immutable.
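As an added illustration of what this finding is about (example code written for this post, not taken from the audited app), the snippet below shows a PendingIntent created without a mutability flag beside the immutable form the MAP requirement asks for, plus the one shape where mutability is justified. The activity and receiver class names are hypothetical placeholders.

```kotlin
import android.app.PendingIntent
import android.content.Context
import android.content.Intent
import android.os.Build

// Hypothetical components standing in for the app's own; not from the audited app.
class MainActivity : android.app.Activity()
class ReplyReceiver : android.content.BroadcastReceiver() {
    override fun onReceive(context: Context, intent: Intent) { /* handle reply */ }
}

class NotificationIntents(private val context: Context) {

    // Before: no mutability flag. On API 31+ this throws at creation time unless
    // FLAG_MUTABLE is added; on older API levels it is silently mutable, so the
    // receiver of the PendingIntent can fill in any unset fields of the Intent.
    fun openAppBefore(): PendingIntent {
        val intent = Intent(context, MainActivity::class.java)
        return PendingIntent.getActivity(context, 0, intent, PendingIntent.FLAG_UPDATE_CURRENT)
    }

    // After: the fix applied for finding 1.5.1.4. The Intent is explicit (its
    // component is set) and the PendingIntent is immutable, so whoever receives it
    // can only fire it as-is and cannot change where it goes or what it carries.
    fun openAppAfter(): PendingIntent {
        val intent = Intent(context, MainActivity::class.java)
        return PendingIntent.getActivity(
            context, 0, intent,
            PendingIntent.FLAG_UPDATE_CURRENT or PendingIntent.FLAG_IMMUTABLE
        )
    }

    // The justified exception: a notification reply action needs FLAG_MUTABLE so the
    // system can attach RemoteInput results. Keep the Intent explicit and scoped to a
    // single action so the mutability cannot be used to redirect it elsewhere.
    fun replyActionJustified(): PendingIntent {
        val intent = Intent(context, ReplyReceiver::class.java).setAction(ACTION_REPLY)
        val mutable = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) PendingIntent.FLAG_MUTABLE else 0
        return PendingIntent.getBroadcast(context, 1, intent, PendingIntent.FLAG_UPDATE_CURRENT or mutable)
    }

    companion object {
        const val ACTION_REPLY = "example.hypothetical.ACTION_REPLY"
    }
}
```

Android lint flags the first form with the `UnspecifiedImmutableFlag` check, which is a cheap way to catch regressions in CI; the second form is the safe default, and anything left mutable should carry a comment explaining why, as the MAP wording ("or otherwise justified") expects.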

1.5.3.1 The app shall by default mask data in the User Interface when it is known to be sensitive

On the login screen, the account number input was not masked and was shown in plain text. When adding or editing a custom API access method, the password was also shown in plain text.

Conclusion: We agree that those inputs should be masked to protect against shoulder-surfing attacks, so we’ve updated the UI to hide the sensitive input by default.
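An added example of the masked-by-default input this finding calls for, written for this post rather than taken from the app, and assuming a Jetpack Compose UI (the post does not say which UI toolkit the app uses). The field masks a numeric account number, uses a password-type keyboard so the IME does not learn or suggest the value, and offers an explicit reveal toggle that resets to masked when the screen is recreated.

```kotlin
import androidx.compose.foundation.text.KeyboardOptions
import androidx.compose.material3.IconButton
import androidx.compose.material3.OutlinedTextField
import androidx.compose.material3.Text
import androidx.compose.runtime.Composable
import androidx.compose.runtime.getValue
import androidx.compose.runtime.mutableStateOf
import androidx.compose.runtime.remember
import androidx.compose.runtime.setValue
import androidx.compose.ui.text.input.KeyboardType
import androidx.compose.ui.text.input.PasswordVisualTransformation
import androidx.compose.ui.text.input.VisualTransformation

// Hypothetical composable, not from the audited app.
@Composable
fun AccountNumberField(value: String, onValueChange: (String) -> Unit) {
    // Plain remember (not rememberSaveable) on purpose: after a configuration
    // change the field returns to its masked default instead of staying revealed.
    var revealed by remember { mutableStateOf(false) }

    OutlinedTextField(
        value = value,
        // Account numbers are digits only; drop anything else before it is shown.
        onValueChange = { onValueChange(it.filter(Char::isDigit)) },
        label = { Text("Account number") },
        singleLine = true,
        // Masked unless the user explicitly asks to see it.
        visualTransformation = if (revealed) VisualTransformation.None
                               else PasswordVisualTransformation(),
        // NumberPassword gives a numeric keypad and, like textPassword in View
        // layouts, tells the keyboard not to store or suggest the value.
        keyboardOptions = KeyboardOptions(keyboardType = KeyboardType.NumberPassword),
        trailingIcon = {
            IconButton(onClick = { revealed = !revealed }) {
                Text(if (revealed) "Hide" else "Show")
            }
        }
    )
}

// A custom API access method's password uses the same shape with a Password keyboard.
@Composable
fun ApiPasswordField(value: String, onValueChange: (String) -> Unit) {
    var revealed by remember { mutableStateOf(false) }
    OutlinedTextField(
        value = value,
        onValueChange = onValueChange,
        label = { Text("Password") },
        singleLine = true,
        visualTransformation = if (revealed) VisualTransformation.None
                               else PasswordVisualTransformation(),
        keyboardOptions = KeyboardOptions(keyboardType = KeyboardType.Password),
        trailingIcon = {
            IconButton(onClick = { revealed = !revealed }) {
                Text(if (revealed) "Hide" else "Show")
            }
        }
    )
}
```

The equivalent in a classic View layout is `android:inputType="numberPassword"` or `"textPassword"` on the `EditText`, which applies the same masking and keyboard hints.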

1.8.2.1 The app shall be transparent about data collection and usage

After adding support for in-app purchases via Google Play, our data collection policy on Google Play was inadvertently overlooked. To enable refunds we store a link between a purchase and an account for 20 days, as described in our privacy policy; this applies to Play Store purchases as well.

Conclusion: Our Google Play listing has been updated with Purchase history in the Data collection section to be as transparent as possible.

1.8.3.1 Users shall have the ability to request their data to be deleted via an in-app mechanism

Our app did not provide an in-app mechanism to delete accounts. This was by design, due to the way our app and service work. We don’t believe it adds much value; rather, it opens the door to abuse or mistakes. Instead we have mechanisms to continuously delete the little data we do hold, e.g. the link between accounts and payments that is needed to enable refunds. More about this in our privacy policy.

Conclusion: We’ve implemented in-app account deletion to meet the MAP specification.

Read the report

You can check out the official App Defense Alliance Directory entry here and see that the app is independently reviewed in the Google Play Store. Unfortunately Google has not published the certificate yet, but once available it will be directly accessible using this link. You can also check out a more technical summary as well as test reports and the compliance report in our GitHub repository.

Last words

We would like to thank Leviathan for the thorough assessment. The communication was professional, and the assessment was carried out to a high standard and provided us with valuable insights.