Introduction

A mobile application is often the gateway through which customers reach online business services. It extends the reach of a business's service offerings and, at the same time, gives customers ease of access. Mobile applications have contributed immensely to mutual engagement and to an exponential increase in the value of business services.

Risk is a part of any digital connection, and it will not go away as the digital space keeps evolving and people become ever more interconnected. This is why businesses need to secure their mobile application before offering it commercially to customers. Beyond visual appeal and functionality, it is critically the security of the mobile application that will differentiate your business in a crowded marketplace.

What is a secure mobile web application? Mobile app security is a line of defence protecting applications from external threats, vulnerabilities, and malware. It should address every risk that may lead to the loss of critical information or financial data associated with use of the application. In fact, information security is one of the critical functions to build into an application from the start.

CERT-In Security Audits

CERT-In security audits are an integral part of assuring your mobile application's safety before hosting. CERT-In, the nodal agency, maintains a list of certified empanelled auditors who are recognized to conduct mobile application security audits as part of ensuring privacy and protection. Any application that carries or processes sensitive information must undergo a security audit. Moreover, companies developing mobile applications for State / Central government departments and corporations are mandated to obtain CERT-In certification for each individual application before launch.

Goals / Objectives

A CERT-In empanelled security auditor pursues the following goals while conducting CERT-In security audits:

  • Identification of potential risks and threat factors
  • Mitigation of risks and patching of vulnerabilities
  • Adherence to specific security standards

Scope of work

Auditing mobile applications requires expert cyber security resources. CERT-In security auditors conduct a deep analysis of mobile application security using automated vulnerability scans and manual penetration testing. The audit also verifies that patching has been carried out effectively against all findings by conducting a re-test after the remediation effort. A final “Safe to Host” report is provided by the empanelled auditor upon complete adherence to the specified actions. The scope is elaborated as follows:

  • Identifying mobile application vulnerabilities by conducting a security audit in line with industry standards and the OWASP model.
  • Providing remediation actions and recommendations for identified vulnerabilities on a priority basis.
  • Preparing audit-level reports (iterative reports) and a final closure report, demonstrating that no open vulnerabilities remain.
  • Preparing a summary of audit findings that includes the following:
    1. Tools used for testing
    2. Identified vulnerabilities
    3. Vulnerability details
    4. Risk rating of vulnerabilities
    5. Test cases used
    6. Illustrations and screenshots
  • Certifying the mobile application's safety by providing a Safe to Host certificate.
  • Issuing a security audit clearance certificate.
  • Performing any other additional activities related to security audits that might not fall under the above scope.

Key Deliverables

All CERT-In empanelled security auditors provide the following deliverables while conducting security audits:

Initial security audit report

The initial security audit report is part of the initial assessment and vulnerability testing. It details the vulnerabilities present in your mobile application, as detected through automated scans and manual penetration tests. The report also proposes remediation plans for addressing the identified vulnerabilities.

Final audit report

A final audit report follows once effective patching of all detected vulnerabilities has been completed to the satisfaction of the security compliance requirements. It validates that your mobile application is free from all vulnerabilities after the final assurance check by the senior consultants.

Safe to Host Certificate

When no open vulnerabilities exist, the application receives vulnerability closure status and a Safe to Host certificate. The Safe to Host certificate is the final deliverable for auditees going through the highly valued CERT-In security audits.

Concluding Insights

CERT-In, as noted earlier, is the nodal agency ensuring information technology security throughout the nation. The agency aims at the smooth deployment of information security practices, strengthening the overall cyber security defence. As part of this process, CERT-In empanelled auditors conduct security audits and uphold that vision. We have so far covered the role, scope, and deliverables that CERT-In empanelled auditors furnish while conducting mobile application audits. The audit yields a spectrum of benefits beyond security certification: it can also give your application a standout position in your domain by earning the required customer trust. Furthermore, a CERT-In security audit is a learning process through which your security division develops the needed insight into security issues.