Introduction
We express our gratitude to the Bitunix team for the collaborative engagement that enabled the execution of this Pentest.
| Document | |
|---|---|
| Name | Pentest and Security Analysis Report for Bitunix |
| Audited By | Ece Orsel |
| Approved By | Stephen Ajayi |
| Website | |
| Changelog | 29/04/2025 |
| Platform | iOS |
| App Type | Swift |
| Tags | Mobile Application |
| Methodology | https://hackenio.cc/pentest_methodology |
| Review Scope | |
|---|---|
| App Store | https://apps.apple.com/us/app/bitunix-crypto-btc-trading/id6446243957 |
| Version | 2025.0409.14571/10271 |
Audit Summary
The system users should acknowledge all the risks summed up in the risks section of the report.
Threat Modeling and Attack Scenarios
As part of the security assessment for the iOS mobile application, this threat modeling report analyzes potential vulnerabilities specific to mobile app architecture, including insecure data storage, reverse engineering risks, and improper session management. The objective is to identify possible attack vectors, assess the associated risks, and recommend mitigations to enhance the application's security posture, safeguarding it against adversarial threats and ensuring the protection of sensitive user data and app functionality.
1. Insecure Data Storage: Sensitive information (e.g., tokens, credentials) may be stored in insecure locations such as NSUserDefaults, exposing it to attackers with physical access or access via malware.
   Potential Impact: If compromised, attackers can retrieve sensitive user data, leading to privacy violations, account takeovers, or other unauthorized actions.
2. Jailbreak Detection Bypass: iOS apps often include jailbreak detection to prevent running on compromised devices, but poorly implemented detection can be easily bypassed.
   Potential Impact: Running the app on a jailbroken device can bypass security controls, allowing attackers to manipulate the app, access sensitive data, or disable key security features.
3. Insecure Code and Binary Protection: Lack of binary obfuscation or secure code signing makes it easier for attackers to decompile and understand the app's internal logic.
   Potential Impact: Attackers can modify the app's behavior, such as bypassing payment systems, altering functionality, or exploiting vulnerabilities in the code.
4. Insufficient Cryptography: Weak or improperly implemented cryptographic algorithms (e.g., hardcoded keys, weak encryption) leave sensitive data vulnerable to decryption.
   Potential Impact: Attackers can decrypt sensitive data such as passwords or personal information, leading to data breaches or unauthorized access.
5. Insecure Application Logs: Logging sensitive information such as API responses or user data in the app's logs can expose it to attackers with access to the device or the app's logs.
   Potential Impact: Attackers can extract sensitive information from logs, leading to account compromise or privacy violations.
6. Improper Certificate Pinning: Failure to implement certificate pinning leaves the app vulnerable to MitM attacks, where an attacker can intercept and manipulate data between the app and its server.
   Potential Impact: Compromised communication allows attackers to steal sensitive information, manipulate transactions, or inject malicious data.
7. Insufficient TouchID/FaceID Protection: Inadequate implementation of biometric authentication can lead to unauthorized access if the biometric checks are bypassed or incorrectly verified.
   Potential Impact: Attackers could bypass biometric authentication, gaining unauthorized access to sensitive app functions or user accounts.
8. Insecure Use of WebViews: WebViews embedded in the app can expose the app to client-side attacks like cross-site scripting (XSS) or insecure browser-based interactions.
   Potential Impact: Attackers can execute malicious scripts or hijack sensitive user data through insecure WebView configurations.
9. Hardcoded Sensitive Data: Sensitive information, such as API keys, encryption keys, or tokens, may be hardcoded in the app's source code, which can be extracted through reverse engineering.
   Potential Impact: Attackers can extract hardcoded secrets from the app's binary, gaining access to backend services, sensitive user data, or performing unauthorized operations.
10. Insecure Debugging Information: Debugging features left enabled in production builds may expose detailed system information, such as file paths, database queries, or application logic, which attackers can exploit.
    Potential Impact: Attackers can exploit exposed debugging data to better understand the app's architecture, identify weaknesses, and develop targeted attacks against the system.
11. Insecure Clipboard Handling: Sensitive data copied to the clipboard (e.g., passwords, tokens) can be accessed by other apps on the device, leading to data leakage.
    Potential Impact: Attackers or malicious apps on the device can access clipboard data and extract sensitive information like authentication tokens, compromising accounts and user privacy.
Executive Summary
A security assessment was conducted on the iOS mobile application, revealing a total of 6 vulnerabilities. These findings impact areas such as data integrity, secure communication, runtime protections, and data privacy. The issues include 1 high, 1 medium, and 4 low severity vulnerabilities, each described in detail below:
F-2024-7608 – KYC Integrity Issue: Verified User Information Can Be Changed Without Re-verification
Description: The application allows previously verified user identity data (KYC details) to be altered without triggering a re-verification process. Impact: This could enable malicious users to hijack another user’s identity and take over verified accounts. It poses serious risks such as identity fraud, money laundering, and regulatory non-compliance.
F-2024-7599 – SSL Pinning Bypass
Description: The application’s SSL pinning mechanism can be bypassed, weakening the security of encrypted network communications. Impact: An attacker could perform a Man-in-the-Middle (MITM) attack to intercept sensitive information such as session tokens, credentials, or API calls.
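The following Swift snippet is an added example, not Bitunix code, of the kind of pinning check this finding refers to: a `URLSessionDelegate` that first runs normal system trust evaluation and then requires that some certificate in the served chain match a pinned SHA-256 digest. The pin values are placeholders, and the `PinnedSessionDelegate` name is this example's own.

```swift
import Foundation
import Security
import CryptoKit

/// Added example, not Bitunix code. Rejects any TLS connection whose certificate
/// chain does not contain a pinned certificate, on top of the normal system trust
/// evaluation. Uses SecTrustCopyCertificateChain, so it requires iOS 15 or later.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    /// Base64 SHA-256 digests of the DER-encoded certificates to accept.
    /// Always ship a backup pin so a certificate renewal cannot lock clients out.
    private let pinnedCertificateHashes: Set<String>

    init(pins: Set<String>) {
        self.pinnedCertificateHashes = pins
    }

    private func sha256Base64(of certificate: SecCertificate) -> String {
        let der = SecCertificateCopyData(certificate) as Data
        return Data(SHA256.hash(data: der)).base64EncodedString()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Step 1: the chain must still pass standard validation (expiry, hostname, CA).
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Step 2: at least one certificate in the chain must match a pin.
        let chain = (SecTrustCopyCertificateChain(trust) as? [SecCertificate]) ?? []
        guard chain.contains(where: { pinnedCertificateHashes.contains(sha256Base64(of: $0)) }) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Usage with placeholder pins constructed for this example; replace with the API host's real digests.
let pinnedDelegate = PinnedSessionDelegate(pins: [
    "PLACEHOLDER-PRIMARY-CERT-SHA256-BASE64=",
    "PLACEHOLDER-BACKUP-CERT-SHA256-BASE64="
])
let pinnedSession = URLSession(configuration: .ephemeral, delegate: pinnedDelegate, delegateQueue: nil)
```

Because this check runs inside the app process, it can be neutralised by runtime hooking on a jailbroken device, which is why this finding is best read together with the jailbreak-detection and anti-hook findings below.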
F-2024-7598 – Lack of Jailbreak Detection Mechanism
Description: The app does not detect whether it is running on a jailbroken device. Impact: On jailbroken devices, attackers can manipulate app behavior, extract sensitive data, or analyze the app using debugging tools.
F-2024-7602 – Information Exposure via iOS Clipboard
Description: The application writes sensitive information to the system clipboard. Impact: Other apps running in the background may read this data, exposing potentially confidential user information such as addresses, account details, or private keys.
F-2024-7603 – Lack of Anti-Hook and Anti-Debug Mechanism
Description: The application lacks protections against hooking and debugging attempts. Impact: Tools like Frida can be used by attackers to intercept or manipulate app logic in real-time, which may lead to credential theft or business logic abuse.
F-2024-7609 – Sensitive Data Exposure in iOS Snapshots
Description: When the app is sent to the background, iOS may capture screenshots containing sensitive user data. Impact: This data can be seen in the multitasking view and may be exposed to anyone with physical access to the device.
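As an added example covering the two data-privacy findings above (F-2024-7602 and F-2024-7609), and not code from the Bitunix application, the Swift below limits clipboard exposure with a local-only, expiring pasteboard item and covers the window before iOS takes the task-switcher snapshot. The `SensitiveClipboard` and `SnapshotShield` names and the 60-second expiry are this example's own choices.

```swift
import UIKit

/// Added example, not Bitunix code.
enum SensitiveClipboard {
    /// Copies a secret so that it is not shared via Universal Clipboard
    /// and is removed from the pasteboard automatically after `ttl` seconds.
    static func copy(_ secret: String, ttl: TimeInterval = 60) {
        let expiry = Date().addingTimeInterval(ttl)
        UIPasteboard.general.setItems(
            [[UIPasteboard.typeAutomatic: secret]],
            options: [.localOnly: true, .expirationDate: expiry]
        )
    }
}

/// Places an opaque view over the window while the app is inactive, so the
/// snapshot iOS stores for the multitasking view shows no account data.
final class SnapshotShield {
    private var cover: UIView?

    func install(on window: UIWindow?) {
        guard let window = window, cover == nil else { return }
        let view = UIView(frame: window.bounds)
        view.backgroundColor = .systemBackground
        view.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        window.addSubview(view)
        cover = view
    }

    func remove() {
        cover?.removeFromSuperview()
        cover = nil
    }
}

final class SceneDelegate: UIResponder, UIWindowSceneDelegate {
    var window: UIWindow?
    private let shield = SnapshotShield()

    // Called before the app is backgrounded, i.e. before the snapshot is captured.
    func sceneWillResignActive(_ scene: UIScene) {
        shield.install(on: window)
    }

    func sceneDidBecomeActive(_ scene: UIScene) {
        shield.remove()
    }
}
```

Text fields holding secrets should additionally use `isSecureTextEntry`, which iOS excludes from snapshots regardless of the cover view.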
System Overview
Bitunix is a mobile iOS application that enables users to trade cryptocurrencies through spot and futures markets. The app provides access to various trading pairs, charting tools, and portfolio features, while also supporting account security through multi-factor authentication. It is designed for both beginner and experienced traders, offering real-time market data, trade execution, and user asset management functionalities in a mobile-friendly environment.
Findings
| Code | Title | Status | Severity |
|---|---|---|---|
| F-2025-1009 | Improper Authorization on KYC Document Update - Post-Verification Upload Bypass | accepted | High |
| F-2025-1000 | Exposure of Personally Identifiable Information (PII) via ID Number Lookup Endpoint | accepted | Medium |
| F-2025-1000 | SSL Pinning Bypass | accepted | Medium |
| F-2025-1008 | Lack of Anti-Hook and Anti-Debug Mechanism | accepted | Low |
| F-2025-1000 | Information Exposure via iOS Clipboard | accepted | Low |
| F-2025-1000 | Lack of Jailbreak Detection Mechanism | accepted | Low |
Appendix 1. Severity Definitions
| Severity | Description |
|---|---|
| Critical | These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm. |
| High | These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of a potential security breach. |
| Medium | These issues present a moderate risk to the system and do not have a major impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention. |
| Low | These issues present no risk to the system and typically relate to code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation. |
Appendix 2. Scope
The scope of the project includes the following:
| Review Scope | |
|---|---|
| App Store | https://apps.apple.com/us/app/bitunix-crypto-btc-trading/id6446243957 |
| Version | 2025.0409.14571/10271 |