February 03, 2026 / CUSTOMER SUCCESS, CASE STUDY, MOBILE SECURITY, FINTECH, WEBVIEW VULNERABILITIES

How Mercari strengthened mobile security for millions of users with Oversecured

Case study summary

- Company: Mercari - Japan's largest marketplace app
- Industry: E-commerce, FinTech, Mobile Marketplace
- Challenge: Securing mobile applications that handle cryptocurrency, credit cards, and customer funds while meeting Japan FSA compliance requirements
- Solution: Oversecured mobile application security testing integrated into the CI/CD pipeline
- Results: Discovered a critical WebView vulnerability, missed by previous tools, that could have led to a data breach and to financial and reputational losses; achieved reliable automated scanning; reduced the vulnerability count over time; improved developer collaboration

Company overview: about Mercari

Mercari is Japan's largest marketplace app, enabling millions of users to buy and sell items seamlessly. Beyond its core marketplace functionality, the Mercari Japan app allows customers to manage cryptocurrencies, virtual and real credit cards, and store the proceeds from sales directly within the platform. This makes Mercari essentially a financial services platform, subject to strict Japan Financial Services Agency (FSA) regulations, which mandate regular security assessments and vulnerability management for applications handling financial transactions. The company operates marketplace applications in Japan, globally, and in the United States.

The challenge: protecting customer funds and data at scale and staying ahead of potential hacker attacks

With customers entrusting not just their personal information but actual money to the platform, mobile security at Mercari is critical.
The Product Security team needed to ensure that malicious actors could not exploit vulnerabilities in the mobile applications or platform APIs to hijack customer accounts. Compliance with Japan's financial regulations added another layer of complexity, requiring robust security measures across both Android and iOS applications.

Previous mobile security approach and limitations

Before adopting Oversecured, Mercari's mobile security program evolved through several phases. The team initially leveraged open-source tooling, which allowed them to quickly identify and resolve some critical issues. Open-source mobile security tools, while useful for getting started, are fundamentally designed for individual researchers and small teams - not for enterprise security programs protecting millions of users. For a company like Mercari handling financial transactions at scale, these limitations became critical blockers.

The tools lacked enterprise-grade access controls, making it difficult to manage permissions across a growing security team. There was no centralized dashboard or reporting infrastructure to track vulnerabilities across multiple applications over time. Scalability was limited, and integrating these tools into CI/CD pipelines required significant custom development that the team had to maintain themselves. Perhaps most importantly, the scanning depth was shallow: most open-source tools rely on simple pattern matching and regular expressions rather than sophisticated static analysis capable of tracing complex vulnerability chains across an application's codebase.

After outgrowing open-source solutions, the team evaluated one or two commercial mobile security vendors. The results were mixed, with each vendor typically lasting about a year before the team moved on due to various shortcomings.
Key challenges with previous mobile application security testing solutions included:

- Shallow scanning depth: Many tools relied on simple pattern matching and regular expressions rather than deep static analysis capable of finding complex vulnerabilities
- High false positive rates: Findings required extensive manual triage to separate real vulnerabilities from noise
- Developer-unfriendly reports: Security findings were not developer-centric, making it difficult for mobile teams to understand the root cause or how to remediate issues
- Reliability issues: Scanning would sometimes break, requiring the security team to repeatedly engage development teams for fixes
- Limited iOS analysis: Tools could perform basic Android decompilation but offered extremely limited analysis of compiled iOS applications (IPA files)

The solution: why Mercari chose Oversecured for mobile application security

When evaluating Oversecured, Mercari's Product Security team was immediately impressed by the technical depth of the team. Unlike other vendors who led with sales pitches, Oversecured demonstrated genuine technical expertise. During the proof-of-concept (POC) period, the Oversecured team actively helped review findings and ensured proper setup.

Critical vulnerability discovery during POC

The POC quickly proved its value. Oversecured identified a critical WebView vulnerability on Android that, in combination with an exposed deep link, allowed a JavaScript bridge to be exploited by third-party web applications. This was particularly significant because the vulnerability correlated with a report from an external security researcher and had been missed by all previous tooling. This finding alone validated Oversecured's superior scanning depth. The potential impact of this vulnerability was severe.
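The Android pattern behind this finding, as an added illustration that is not Mercari's or Oversecured's code: a deep link lands in an Activity whose WebView exposes a JavaScript bridge, so the URL the WebView loads must be checked against a first-party allowlist before the bridge is attached. The host, class and bridge names are assumed for the example.

```java
// Added illustration, not Mercari's or Oversecured's code: an Activity that
// receives a deep link and renders it in a WebView with a JavaScript bridge.
// Host, class and bridge names are assumed for the example.
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class DeepLinkWebViewActivity extends Activity {
    private static final String TRUSTED_HOST = "app.example.com"; // assumed first-party host

    // Only an https URL on the first-party host may be loaded into a WebView
    // that exposes the bridge; everything else is treated as untrusted.
    static boolean isTrusted(Uri uri) {
        return uri != null
                && "https".equals(uri.getScheme())
                && TRUSTED_HOST.equalsIgnoreCase(uri.getHost());
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        Uri target = getIntent().getData(); // attacker-controlled when the Activity is exported
        // Vulnerable shape the case study describes: the bridge is attached and
        // the deep-link URL is loaded as-is, so any origin can call the bridge.
        //   webView.addJavascriptInterface(new Bridge(), "AppBridge");
        //   webView.loadUrl(target.toString());
        if (!isTrusted(target)) { finish(); return; } // reject untrusted deep links
        webView.getSettings().setJavaScriptEnabled(true);
        webView.getSettings().setAllowFileAccess(false);
        webView.getSettings().setAllowContentAccess(false);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isTrusted(request.getUrl()); // true cancels navigation off the allowlist
            }
        });
        webView.addJavascriptInterface(new Bridge(), "AppBridge");
        webView.loadUrl(target.toString());
    }

    // Keep the bridge surface minimal: only @JavascriptInterface methods are callable from JS.
    static class Bridge {
        @JavascriptInterface public String appVersion() { return "1.0"; }
    }
}
```

The allowlist check and the navigation guard together keep the bridge reachable only from first-party content; a static analyzer that traces the intent data into `loadUrl` while the interface is attached is what surfaces the unguarded variant.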
If exploited, a malicious third-party app or website could have executed arbitrary JavaScript within the context of Mercari's application - potentially allowing attackers to hijack user sessions, access stored payment credentials, initiate unauthorized transactions, or steal cryptocurrency holdings. For a platform where users store real money, manage credit cards, and hold crypto assets, this type of vulnerability represents a direct path to financial theft at scale.

Key selection criteria for mobile security testing

For Mercari, the complexity and depth of the scanner were paramount. They needed a solution that could dive deep and discover sophisticated issues rather than functioning as a simple static analysis tool relying on pattern matching. Oversecured's ability to provide actionable recommendations and clearly explain the impact of vulnerabilities made it easier for developers to understand and fix issues quickly.

Implementation: seamless CI/CD integration for mobile AppSec

Mercari integrated Oversecured directly into their CI/CD pipeline for both Android and iOS applications. Working closely with the development teams, the Product Security team configured the pipeline to automatically submit builds (APK/IPA) to Oversecured's API whenever applications are versioned and tagged for release.

Implementation detail / Mercari configuration:

- Apps scanned: 2 applications (Japan marketplace + Global app) across Android and iOS, with plans to expand to the US application
- Scan frequency: Automated on every release build (typically weekly to bi-weekly)
- Scan type: Full scans for comprehensive coverage
- Release process: Non-blocking by default; releases only blocked for critical issues

Workflow: from security scan to vulnerability remediation

On a periodic basis, members of the Product Security team triage vulnerabilities within Oversecured's reports.
When a vulnerability is deemed relevant and actionable, the team loops in the appropriate mobile development team to begin planning remediation. One of the most valuable outcomes has been the ability to demonstrate measurable security progress to executive leadership. Early scans surfaced accumulated vulnerabilities that had gone undetected for years, giving the security team a clear baseline.

Importantly, Oversecured's reports provide clear analysis and remediation recommendations that developers can understand without extensive security expertise. This was a marked improvement over previous tools, where findings were difficult to interpret and root causes were hard to pinpoint.

Results: reliable mobile AppSec at scale

Measurable security improvements

- Reliable, automated scanning: Unlike previous solutions that would break and require ongoing maintenance, Oversecured's integration has remained stable and reliable - a true "set it up once and forget about it" experience.
- Decreasing vulnerability count: Fewer critical and high-severity vulnerabilities discovered over time, indicating genuine security improvement across the codebase.
- Deeper analysis capabilities: Superior scanning depth compared to previous tools, with the ability to find complex vulnerabilities like the critical WebView issue missed by other vendors.
- Better developer experience: Clear explanations of impact and remediation guidance help developers understand and fix issues quickly without extensive security expertise.

Improved security and development team collaboration

Integrating Oversecured into the CI/CD pipeline requires minimal effort. Furthermore, the security team now requires less developer support to maintain and optimize these configurations, increasing their operational independence. Initial scan results generated significant interest from development teams as they saw real, actionable security findings.
Over time, as vulnerabilities have decreased, the process has become routine, which the team views as a positive sign of a maturing security program. The Product Security team has built a stronger relationship with mobile development teams. Developers appreciate that they don't need to spend time triaging security issues themselves or building custom solutions to validate application security. The heavy lifting happens on the security side, and developers only get involved when there's a genuine issue to address.

"Oversecured's simplicity allowed us to rapidly integrate it into our mobile application CI/CD pipelines. The reliability of its findings significantly reduces our triage efforts, while its clear, actionable remediation guidance has accelerated our MTTR. We have seen a steady decline in critical vulnerabilities as our developers now apply these insights to write more secure code from the start." — Yannarak Wannasai, Security Engineering Leader at Mercari

Key takeaways: Mercari's mobile security transformation with Oversecured

- Deep scanning finds what others miss: Oversecured discovered a critical WebView vulnerability during the POC that had been missed by multiple previous mobile security testing tools, validating the value of advanced static analysis over simple pattern matching.
- Reliability reduces operational burden: A stable, automated scanning solution that integrates seamlessly into the CI/CD pipelines minimizes the ongoing maintenance overhead that plagued Mercari's previous security tools.
- Developer-friendly reports accelerate remediation: Clear vulnerability explanations and remediation guidance enable developers to fix issues quickly without requiring deep security expertise.
- Technical partnership matters: Working with a technically strong team - not just a sales organization - made implementation smoother and ensured proper configuration from day one.
- Measurable improvement over time: Declining vulnerability counts with each scan demonstrate genuine security improvement, not just repeated detection of the same issues.

Ready to strengthen your mobile security? Start your free trial of Oversecured today.