
SASHA – Safe Share

Mobile application and API penetration testing before the product launch

Location

Denmark

Industry

PrivacyTech


About the Project

SASHA – Safe Share is committed to creating a safer digital space by tackling non-consensual image sharing. Its flagship product uses AI to embed invisible digital signatures into user photos, encoding consent and usage preferences directly in the image pixels. These embedded intents are stored anonymously and can be referenced by major platforms to help enforce content-sharing boundaries. The company also aims to assist users in the legal process of removing misused images from public platforms.


Project Challenges

The company approached TechMagic for a penetration test to validate the security of their application ahead of a major launch. Their goal was to identify and mitigate any vulnerabilities in both the mobile app and backend API before entering production, ensuring the product meets partner expectations and delivers a safe user experience from day one.

Challenging Testing Scope for a Unique Setup

The app relies on uncommon runtime-protection tooling and uses gRPC for backend communication, so a conventional pentesting workflow was less straightforward to apply.

Time-Sensitive Launch

The client needed a flexible testing partner that could align with evolving release timelines and delivery constraints.

Strict Security Requirements

Although not explicitly for compliance certification, the client wanted thorough backend and API testing to ensure robustness in real-world scenarios.

Need for Interactive Testing

The client sought a tailored pentesting approach, starting with an extended black box test that could evolve depending on early findings – highlighting their desire for a more adaptive, collaborative testing model.

Objectives

1. Establish evidence-based launch readiness

Define and meet a clear security baseline for the mobile applications and service APIs, grounded in OWASP MASVS, OWASP ASVS, and the OWASP API Security Top 10.

2. Reduce the likelihood and impact of user harm and data exposure

Identify exploitable weaknesses in authentication, authorization, session management, and data handling.

3. Validate protective behavior under realistic attack conditions

Test the platform's response to traffic interception attempts, request replay, client-state manipulation, and atypical sequencing.

Services Delivered

Scoping, discovery, and risk framing

We ran a structured kickoff to confirm business goals, legal boundaries, environments, and timelines. We translated these inputs into a threat-led scope that mirrors the way real attackers operate.

Extended black-box to targeted gray-box mobile testing

Using pre-release Android and iOS builds in a controlled setup, we combined static review with dynamic analysis. We evaluated session lifecycle, secure storage choices, deep links and inter-app communication, certificate handling, permission usage, and UX flows that drive security-critical decisions. All test data, accounts, and artifacts were isolated from production and disposed of securely after validation.

Backend and API penetration testing

We enumerated the service surface and mapped authentication and authorization workflows. We verified authorization edge cases, object-level access control, input validation, rate limiting, concurrency handling, and error paths. We also stress-tested file and media processing for parsing weaknesses and unintended exposure, confirming sensitive operations were consistently protected across versions and environments.
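As an added illustration of three of the controls this phase exercises (object-level access control, sanitized error paths, and rate limiting), the following Python is example code written for this page, not SASHA's backend or TechMagic's tooling. The image records, the decoder table, the burst and refill thresholds, and the caller names are all constructed for the demonstration.

```python
"""Added example, not code from SASHA or TechMagic: an in-memory image API
showing controls that backend and API testing exercises - object-level
authorization, a uniform 'not found' answer for both missing and foreign
objects, per-caller rate limiting, and an error path that never leaks
internals. Records, decoder table and thresholds are constructed."""
from __future__ import annotations

import uuid

# Constructed sample records: each image belongs to exactly one user.
IMAGES = {
    "img-1001": {"owner": "alice", "format": "jpeg", "consent": "no-share"},
    "img-1002": {"owner": "bob", "format": "jpeg", "consent": "share-ok"},
    "img-1003": {"owner": "alice", "format": "heic", "consent": "no-share"},
}
# Constructed decoder table; "heic" is deliberately absent to exercise the error path.
DECODERS = {"jpeg": lambda rec: {"id": rec["id"], "consent": rec["consent"]}}


class TokenBucket:
    """Per-caller token bucket: `capacity` requests of burst, refilled at `rate`
    tokens per second. The caller passes `now` so behaviour is deterministic."""

    def __init__(self, capacity: int, rate: float) -> None:
        self.capacity, self.rate = capacity, rate
        self.tokens = float(capacity)
        self.last: float | None = None

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ImageApi:
    def __init__(self, burst: int = 5, rate: float = 1.0) -> None:
        self._buckets: dict[str, TokenBucket] = {}
        self._burst, self._rate = burst, rate
        self.server_log: list[str] = []  # stands in for server-side logging

    def _fetch(self, caller: str, image_id: str) -> tuple[int, dict]:
        record = IMAGES.get(image_id)
        # Object-level authorization: someone else's record is answered exactly
        # like a missing one, so iterating IDs cannot distinguish "exists but
        # not yours" from "does not exist".
        if record is None or record["owner"] != caller:
            return 404, {"error": "not_found"}
        decoder = DECODERS[record["format"]]  # KeyError for an unsupported format
        return 200, decoder({"id": image_id, **record})

    def get_image(self, caller: str, image_id: str, now: float) -> tuple[int, dict]:
        if caller not in self._buckets:
            self._buckets[caller] = TokenBucket(self._burst, self._rate)
        if not self._buckets[caller].allow(now):
            return 429, {"error": "rate_limited", "retry_after": 1}
        try:
            return self._fetch(caller, image_id)
        except Exception as exc:  # last-resort boundary: map anything unexpected
            # Sanitized error: the client gets an opaque reference only; the
            # exception type and message stay in the server log.
            ref = uuid.uuid4().hex[:12]
            self.server_log.append(f"{ref} {type(exc).__name__}: {exc!r}")
            return 500, {"error": "internal_error", "ref": ref}


if __name__ == "__main__":
    api = ImageApi(burst=3, rate=1.0)
    for caller, image_id, t in [("alice", "img-1001", 0.0), ("alice", "img-1002", 0.0),
                                ("alice", "img-9999", 0.0), ("alice", "img-1001", 0.0),
                                ("alice", "img-1003", 2.0)]:
        print(caller, image_id, api.get_image(caller, image_id, t))
```

The point a tester checks for is that the 404 for bob's image and the 404 for a nonexistent ID are byte-identical, that the bucket is keyed per caller rather than globally, and that the 500 body carries a reference the support team can look up but no exception text.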

Business logic and abuse-case testing

We designed scenarios that mirror realistic adversarial behavior, including client-state manipulation, request replay, and workflow probing. Each observed weakness was reframed into a narrative that quantifies risk in terms of user harm, support burden, and partner trust.
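The request replay and client-state manipulation scenarios named here (and under objective 3 above) are defeated by a signed-request scheme. The Python below is an added example written for this page, not SASHA's protocol or TechMagic's tooling; the session key, route, payloads and freshness window are constructed assumptions.

```python
"""Added example, not code from SASHA or TechMagic: request signing with a
timestamp and nonce, and the server-side checks that defeat request replay
and client-state manipulation. The session key, route and payloads are
constructed for illustration."""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets

# Constructed per-session key; in a real deployment it is issued at login and
# scoped to one device/session, never shared across users.
SESSION_KEY = b"constructed-session-key-for-illustration"
FRESHNESS_WINDOW = 60  # seconds; set from the clock skew actually observed on clients


def canonical(method: str, path: str, body: bytes, ts: int, nonce: str) -> bytes:
    """Bytes that the MAC covers: anything a tampering client could change."""
    return f"{method}\n{path}\n{hashlib.sha256(body).hexdigest()}\n{ts}\n{nonce}".encode()


def sign_request(key: bytes, method: str, path: str, body: bytes, ts: int,
                 nonce: str | None = None) -> dict:
    """Client side: attach ts, a fresh random nonce and an HMAC-SHA256 tag."""
    nonce = nonce or secrets.token_hex(16)
    tag = hmac.new(key, canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
    return {"method": method, "path": path, "body": body, "ts": ts, "nonce": nonce, "sig": tag}


class ReplayGuard:
    """Server side: signature, freshness window, then nonce uniqueness."""

    def __init__(self, key: bytes, window: int = FRESHNESS_WINDOW) -> None:
        self._key = key
        self._window = window
        self._seen: dict[str, int] = {}  # nonce -> ts; production would use a TTL store

    def verify(self, req: dict, now: int) -> tuple[bool, str]:
        # 1. Signature first (constant-time compare) so unauthenticated junk
        #    cannot fill the nonce table or learn anything from later checks.
        expected = hmac.new(self._key, canonical(req["method"], req["path"], req["body"],
                                                 req["ts"], req["nonce"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["sig"]):
            return False, "bad_signature"
        # 2. Freshness: an old capture cannot be replayed after the window, which
        #    also bounds how long nonces must be remembered.
        if abs(now - req["ts"]) > self._window:
            return False, "stale"
        # 3. Uniqueness inside the window.
        self._seen = {n: t for n, t in self._seen.items() if now - t <= self._window}
        if req["nonce"] in self._seen:
            return False, "replay"
        self._seen[req["nonce"]] = req["ts"]
        return True, "ok"


def consent_body(image_id: str, consent: str) -> bytes:
    """Canonical JSON so client and server hash identical bytes."""
    return json.dumps({"image_id": image_id, "consent": consent},
                      sort_keys=True, separators=(",", ":")).encode()


if __name__ == "__main__":
    guard = ReplayGuard(SESSION_KEY)
    req = sign_request(SESSION_KEY, "POST", "/v1/consent", consent_body("img-1001", "no-share"), ts=1000)
    print("first delivery:", guard.verify(req, now=1005))
    print("replayed:      ", guard.verify(req, now=1006))
    tampered = dict(req, body=consent_body("img-1001", "share-ok"))  # client edits state, keeps sig
    print("tampered body: ", guard.verify(tampered, now=1006))
```

Ordering matters: the signature is checked before the nonce is recorded, so an unauthenticated flood cannot grow the nonce table, and the freshness window caps that table's size because anything older is rejected as stale regardless of nonce.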

Cryptography and secrets handling review

We assessed how keys, tokens, and credentials are generated, scoped, rotated, and stored. We verified transport security parameters and practical at-rest protections.

Privacy, logging, and data minimization

We examined telemetry and diagnostic logging to ensure detection and troubleshooting do not reintroduce sensitive content. We provided guidance on redaction and retention that preserves anonymity and consent integrity. Recommendations aligned with privacy-by-design principles.
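One concrete form the redaction guidance can take is a filter that scrubs records before any log handler sees them. The Python below is an added example for this page, not SASHA's code or TechMagic's deliverable; the patterns, logger name and sample messages are constructed.

```python
"""Added example, not code from SASHA or TechMagic: a logging filter that
scrubs bearer tokens, credentials in query strings, e-mail addresses, IP
addresses and inline image data before a record reaches any handler, so
telemetry cannot reintroduce the content the product exists to protect.
Patterns, logger name and sample messages are constructed."""
from __future__ import annotations

import logging
import re

# Ordered: the most specific patterns run first.
REDACTIONS = [
    (re.compile(r"(?i)(authorization:\s*bearer\s+)[A-Za-z0-9._~+/=-]+"), r"\g<1>[REDACTED]"),
    (re.compile(r"(?i)\b(api[_-]?key|token|password)=[^\s&]+"), r"\g<1>=[REDACTED]"),
    (re.compile(r"data:image/[a-z]+;base64,[A-Za-z0-9+/=]+"), "data:image/[BLOB]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "[IP]"),
]


def redact(text: str) -> str:
    for pattern, repl in REDACTIONS:
        text = pattern.sub(repl, text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites both the format string and its arguments before formatting, so
    redaction happens once, ahead of every handler (console, file, SIEM)."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: redact(v) if isinstance(v, str) else v
                           for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(redact(a) if isinstance(a, str) else a for a in record.args)
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in memory; stands in for a file or SIEM handler."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def build_logger(name: str = "sasha.api") -> tuple[logging.Logger, ListHandler]:
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addFilter(RedactingFilter())  # on the logger: scrubs every record it creates
    logger.addHandler(handler)
    return logger, handler


if __name__ == "__main__":
    log, sink = build_logger()
    # Constructed sample messages of the kind diagnostic logging tends to emit.
    log.info("upstream call Authorization: Bearer eyJhbGciOi.abc.def from %s", "10.0.0.7")
    log.info("user alice@example.com uploaded data:image/png;base64,iVBORw0KGgo= token=s3cr3t")
    print("\n".join(sink.lines))
```

Redacting the format string and the arguments separately, rather than the rendered line, keeps non-string arguments (counts, durations) intact and avoids a second formatting pass; retention then only has to worry about what survives this filter.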

Reporting

We delivered an executive summary and a detailed technical report with reproducible steps, proof-of-impact evidence, and prioritized remediation recommendations. Throughout the engagement, we collaborated in a shared channel for rapid clarification.

Our team

Ihor Sasovets

Lead Security Engineer

Ihor is a certified security specialist with experience in penetration testing, security testing automation, cloud and mobile security. OWASP API Security Top 10 (2019) contributor. OWASP member since 2018.

Victoria Shutenko

Security Engineer

Victoria is a certified security specialist with a background in penetration testing, security testing automation, and AWS cloud. She is eager to enhance software security posture and AWS solutions.

Denys Spys

Associate Security Engineer

Denys is a certified security specialist with web and network penetration testing expertise. He is adept at Open Source Intelligence (OSINT) and at running social engineering campaigns. His wide-ranging skills make him a well-rounded expert in the cybersecurity industry.

Roman Kolodiy

Director of Cloud & Cybersecurity

Roman is an AWS expert at TechMagic. He helps teams improve system reliability, optimise testing efforts, speed up release cycles, and build confidence in product quality.


Common tools we use

Our security testing toolkit spans dynamic and static analysis, dependency scanning, and reconnaissance: proxies and scanners such as OWASP ZAP, Burp Suite, and Arachni; static analysis with Semgrep and SonarQube; dependency vulnerability scanning with Snyk; and reconnaissance and OSINT with Nmap, Maltego, SpiderFoot, and Wappalyzer, run from Kali Linux and Parrot Security.

- OWASP ZAP
- Burp Suite
- Arachni
- SonarQube
- Semgrep
- Snyk.io
- Maltego
- SpiderFoot
- Nmap
- Wappalyzer
- Kali Linux
- Parrot Security

Project Outcome

Launch decisions made on evidence, not assumptions

The engagement produced a clear, risk-ranked view of the security posture across mobile apps and APIs.

A harder API and processing surface

By mapping endpoints and exercising both common and atypical request patterns, engineers refined rate-limiting thresholds, improved replay and concurrency handling, and sanitized error responses.

A repeatable blueprint for ongoing assurance

SASHA left with a pragmatic testing cadence, a short list of preventative engineering improvements, and a risk-based roadmap for future assessments. Improvements made for launch now reinforce a sustainable security practice, not a one-off effort.


What Client Says about Our Work


Michael Nexø

CTO at SASHA

The process was close to faultless. I liked the approach of having a shared Slack channel and the team was responsive. I feel that the team nailed that very well. We felt that a lot of the vendors were giving us more of an automated reply with reused templates. TechMagic spent time on understanding our needs and negotiating the right structure for us, I think that was a very good thing. Maybe not having security as your only focus made you more attentive to client communication.

Why Choose TechMagic For Penetration Testing

Certified security specialists

With PenTest+, CEH, eJPT and eWPT certifications, our team has the expertise and technical skills to identify vulnerabilities and simulate real-world attacks. We provide cloud penetration testing, wireless penetration testing, social engineering testing, mobile and web application penetration testing, API penetration testing, and external and internal network penetration testing.

Security and compliance

Proven track record
