MDR-Aligned Security Testing for Patient-Centric Health Apps
About the Client
Coreway is a health-tech startup building a mobile app that helps patients with chronic inflammatory bowel diseases (IBD) — including Crohn’s disease and colitis — manage symptoms and improve quality of life.
The app predicts flare-ups and provides personalized nutrition guidance, empowering patients to take control of their care through data and behavioral insight.
With a product designed for daily use by vulnerable individuals, security and medical-grade compliance are critical.
Secure Foundations Confirmed — and Clearer Compliance Path
Results:
The assessment initially revealed three high-severity issues, all of which the Coreway team remediated during the engagement. The follow-up retest confirmed that no critical or high-severity vulnerabilities remained, reinforcing the effectiveness of their secure-by-design engineering approach.
Security strengths included:
Robust authentication and authorization logic
No insecure local data storage in the mobile apps
No sensitive data exposure in logs or traffic
Secure API endpoints with appropriate access controls
Deliverables included:
Detailed threat model mapping attacker paths and risk areas
Complete test coverage checklist aligned with OWASP MSTG
Plain-language remediation guidance for developers and leadership
Proof-of-concept (PoC) demonstrations of high-severity findings with actionable fix instructions
Full final report structured to support MDR documentation and stakeholder confidence
The Challenge
Aligning Security with MDR and Scaling Patient Trust
As the team prepared for growth and an upcoming CE audit under EU MDR, they needed to verify that their iOS and Android apps — along with the supporting API infrastructure — met high standards for security and data protection. The product had not previously undergone a formal penetration test, and with sensitive health data in scope, internal diligence and automated scans were no longer enough.
They sought a rigorous, third-party assessment to support:
MDR compliance ahead of the scheduled CE audit
Stronger security posture across mobile and backend systems
Peace of mind for patients, partners, and investors
After comparing vendors, they chose Sekurno for our:
High ratings on independent platforms like Clutch
Alignment with their values and budget
Clear roadmap and health-tech-specific expertise
Our Solution
MDR-Aligned Penetration Testing Built for Mobile Health
Sekurno executed a white-box penetration test focused on Coreway’s mobile applications (iOS and Android) and supporting API infrastructure, aligning with EU MDR requirements and real-world threat scenarios.
The engagement followed the OWASP Mobile Application Security Testing Guide (MSTG) and included static and dynamic analysis, manual API testing, and custom threat modeling that reflected attacker motivations specific to IBD patient workflows.
Scope of Work
Mobile app security testing (iOS and Android)
API penetration testing
Threat modeling based on real-world attacker scenarios
Remediation support through developer Q&A and fix validation
Follow-up testing to confirm issue resolution and mitigation effectiveness
Methodology Highlights
Authentication and session management testing
Local data storage and privacy analysis (e.g., logs, keychain, cache)
Transport layer and communication security checks (e.g., TLS configuration, certificate pinning, resistance to man-in-the-middle interception)
API interaction and authorization testing
Business logic abuse scenarios, tailored to patient features
Code review for hardcoded secrets, obfuscation, and reverse engineering vectors
Jailbreak/root detection evasion testing
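Two of the checks listed above, searching decompiled or exported app source for hardcoded secrets and for log statements that write health or identity data, are easy to script as a first static pass before manual review. The example below is added here to show what that pass looks like; it is not Sekurno's or Coreway's tooling, and the three file snippets (a Kotlin config object, an Android strings.xml, and a Swift networking file) are constructed stand-ins with made-up, non-functional key material. Path names, the placeholder filter, and the list of sensitive identifiers are assumptions that a real engagement would tune to the app under test.

```python
"""Static pass over a decompiled/exported mobile app tree for hardcoded
secrets and sensitive-data logging.  Added example with constructed
inputs; the file contents and key strings below are not real."""
import re
from dataclasses import dataclass

# Secret shapes worth flagging in shipped app code. Format-based rules come
# first; the generic rule catches `API_KEY = "..."` style assignments.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*[\"']([^\"']{8,})[\"']"),
}
# Obvious placeholder values the generic rule should not report (assumed list).
PLACEHOLDER = re.compile(r"(?i)change|replace|example|your[_-]|xxx|todo|placeholder")
# Logging calls on Android (Log.*), Kotlin/Java println, and iOS (NSLog, os_log, print).
LOG_CALL = re.compile(r"\b(?:Log\.[dviwe]|println|NSLog|os_log|print)\s*\(")
# Identifiers that, inside a log call, suggest health or identity data reaches the logs
# (assumed list; extend per app data model).
SENSITIVE_FIELDS = re.compile(
    r"(?i)\b(symptom|diagnos|flare|medication|date_of_birth|dob|email|patient)")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    excerpt: str


def scan_source(path: str, text: str) -> list[Finding]:
    """Return one finding per secret-bearing line plus one per sensitive log line."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if match is None:
                continue
            # Skip "REPLACE_ME"-style values so the generic rule stays useful.
            if kind == "generic_assignment" and PLACEHOLDER.search(match.group(2)):
                continue
            findings.append(Finding(path, lineno, kind, line.strip()))
            break  # most specific rule wins; one secret finding per line
        if LOG_CALL.search(line) and SENSITIVE_FIELDS.search(line):
            findings.append(Finding(path, lineno, "sensitive_log", line.strip()))
    return findings


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} map in deterministic path order."""
    return [f for path, text in sorted(files.items()) for f in scan_source(path, text)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample tree (hypothetical paths and contents, not Coreway code).
SAMPLE_TREE = {
    "app/src/main/java/com/example/ApiConfig.kt": """\
package com.example.flareguard
import android.util.Log

object ApiConfig {
    const val BASE_URL = "https://api.example.invalid/v1"
    const val API_KEY = "sk_live_9f8e7d6c5b4a3210fedcba9876543210"
    const val TOKEN = "REPLACE_WITH_REAL_TOKEN"
}

fun syncSymptoms(patient: Patient, count: Int) {
    Log.d("Sync", "uploading symptoms for ${patient.email}: ${patient.symptoms}")
    Log.d("Sync", "batch size $count")
}
""",
    "app/src/main/res/values/strings.xml": """\
<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">FlareGuard</string>
    <string name="api_base">https://api.example.invalid/v1</string>
    <string name="analytics_key">AKIAQ7X2M9P4LZ0R3TWE</string>
</resources>
""",
    "ios/FlareGuard/Networking.swift": r"""import Foundation

enum Networking {
    static let refreshToken = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjb3Jld2F5In0.c2lnbmF0dXJlLXBsYWNlaG9sZGVy"
    static func logProfile(_ profile: PatientProfile) {
        print("diagnosis snapshot: \(profile.diagnosis)")
    }
}
""",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print(f"{f.path}:{f.line} [{f.kind}] {f.excerpt}")
    print(summarize(scan_tree(SAMPLE_TREE)))
```

Every hit still needs a human to confirm whether the value is live, and the log check only says that a sensitive identifier appears in a log call, not what the build's log level does with it; both are exactly the points a manual MSTG review follows up on. In practice the same pass is run over the output of a decompiler for Android and the extracted binary strings or source for iOS, and the sensitive-field list is derived from the app's own data model.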
What stood out about Sekurno was their ability to work independently and efficiently. They understood our product quickly with minimal input and gave us confidence from day one. Unlike other vendors, they didn’t need micromanaging — they just knew what mattered and delivered.
Rodrigo Azevedo - Software Engineer at Coreway
Conclusion
From Peace of Mind to Compliance Readiness
Coreway came to Sekurno with a clear objective: ensure security that supports both user trust and regulatory readiness. Through targeted testing and deep HealthTech domain knowledge, we helped them meet that goal — with faster timelines, fewer unknowns, and confidence to grow.