Introduction
We express our gratitude to the Bitunix team for the collaborative engagement that enabled the execution of this Pentest.
Bitunix is a cryptocurrency exchange platform that enables users to buy, sell, and trade various digital assets. The platform supports features such as spot trading, futures, staking, user referral bonuses, and KYC identity verification.
| Document | |
|---|---|
| Name | Pentest and Security Analysis Report for Bitunix |
| Audited By | Stephen Ajayi |
| Approved By | Stephen Ajayi |
| Website | https://bitunix.com |
| Changelog | 08/05/2025 - Preliminary Report |
| Changelog | 03/06/2025 - Final Report |
| Platform | Android |
| Language | Java, Kotlin |
| Tags | Pentest |
| Methodology | https://hackenio.cc/pentest_methodology |
| Review Scope | |
|---|---|
| Android | https://download.bitunix.com/bitunix.apk |
| Version | 2025.0429.15398 |
Audit Summary
System users should acknowledge all the risks summarized in the Findings section of this report.
System Overview
The Bitunix Android application is a mobile-first cryptocurrency trading platform designed to provide users with secure and efficient access to digital asset services. The application supports real-time trading, identity verification, asset management, and user engagement features within a modern mobile interface.
Key Features
- User Authentication: Email- and mobile-based registration and login mechanisms.
- KYC Verification: Upload and submission of government-issued ID documents with approval tracking.
- Trading Dashboard: Access to spot and futures trading pairs, order management, and live price tracking.
- Wallet Management: Deposit, withdraw, and monitor digital asset balances.
- Document Uploads: Multipart/form-data-based document handling through HTTP APIs.
- User Campaigns and Promotions: Referral systems and bonus programs tied to account actions.
Findings
| Code | Title | Status | Severity |
|---|---|---|---|
| F-2025-1017 | Improper Authorization on KYC Document Upload (Post-Verification Bypass) | fixed | High |
| F-2025-1017 | Exposure of Personally Identifiable Information (PII) via ID Lookup | fixed | Medium |
| F-2025-1017 | Insecure SSL Pinning Implementation | accepted | Medium |
| F-2025-1018 | Insecure File Provider Paths Configuration | fixed | Low |
| F-2025-1018 | Insecure or Missing Android Network Security Configuration | fixed | Low |
| F-2025-1017 | Use of Outdated APK Signature Schemes (v1/v2 Only) | fixed | Low |
| F-2025-1017 | Sensitive Data Exposure via Clipboard in Password Field | fixed | Low |
| F-2025-1017 | Absence of Root Detection Mechanisms | accepted | Observation |
Appendix 1. Severity Definitions
| Severity | Description |
|---|---|
| Critical | These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm. |
| High | These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of a potential security breach. |
| Medium | These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention. |
| Low | These issues present no risk to the system and typically relate to code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation. |
Appendix 2. Scope
The scope of the project includes the following:
| Scope Details | |
|---|---|
| Android | https://download.bitunix.com/bitunix.apk |
| Version | 2025.0429.15398 |