CoinEx

We express our gratitude to the CoinEx team for the collaborative engagement that enabled the execution of this Pentest.

Audit Summaryb

The system users should acknowledge all the risks summed up in the risks section of the report

Threat Modeling and Attack Scenarios

As part of the security assessment for the iOS mobile application, this threat modeling report analyzes potential vulnerabilities specific to mobile app architecture, including insecure data storage, reverse engineering risks, and improper session management. The objective is to identify possible attack vectors, assess the associated risks, and recommend mitigations to enhance the application's security posture, safeguarding it against adversarial threats and ensuring the protection of sensitive user data and app functionality.

1\. Insecure Data Storage : Sensitive information (e.g., tokens, credentials) may be stored in insecure locations such as NSUserDefaults, exposing it to attackers with physical access or access via malware.

• Potential Impact: If compromised, attackers can retrieve sensitive user data, leading to privacy violations, account takeovers, or other unauthorized actions.

2.Jailbreak Detection Bypass: iOS apps often include jailbreak detection to prevent running on compromised devices, but poorly implemented detection can be easily bypassed.

• Potential Impact: Running the app on a jailbroken device can bypass security controls, allowing attackers to manipulate the app, access sensitive data, or disable key security features.

3.Insecure Code and Binary Protection: Lack of binary obfuscation or secure code signing makes it easier for attackers to decompile and understand the app's internal logic.

• Potential Impact: Attackers can modify the app’s behavior, such as bypassing payment systems, altering functionality, or exploiting vulnerabilities in the code.

4.Insufficient Cryptography: Weak or improperly implemented cryptographic algorithms (e.g., hardcoded keys, weak encryption) leave sensitive data vulnerable to decryption.

• Potential Impact: Attackers can decrypt sensitive data such as passwords or personal information, leading to data breaches or unauthorized access.

5.Insecure Application Logs: Logging sensitive information such as API responses or user data in the app’s logs can expose it to attackers with access to the device or the app’s logs.

• Potential Impact: Attackers can extract sensitive information from logs, leading to account compromise or privacy violations.

6.Improper Certificate Pinning: Failure to implement certificate pinning leaves the app vulnerable to MitM attacks, where an attacker can intercept and manipulate data between the app and its server.

• Potential Impact: Compromised communication allows attackers to steal sensitive information, manipulate transactions, or inject malicious data.

7.Insufficient TouchID/FaceID Protection: Inadequate implementation of biometric authentication can lead to unauthorized access if the biometric checks are bypassed or incorrectly verified.

• Potential Impact: Attackers could bypass biometric authentication, gaining unauthorized access to sensitive app functions or user accounts.

8.Insecure Use of WebViews: WebViews embedded in the app can expose the app to client-side attacks like cross-site scripting (XSS) or insecure browser-based interactions.

• Potential Impact: Attackers can execute malicious scripts or hijack sensitive user data through insecure WebView configurations.

9.Hardcoded Sensitive Data: Sensitive information, such as API keys, encryption keys, or tokens, may be hardcoded in the app's source code, which can be extracted through reverse engineering.

• Potential Impact: Attackers can extract hardcoded secrets from the app’s binary, gaining access to backend services, sensitive user data, or performing unauthorized operations.

10\. Insecure Debugging Information: Debugging features left enabled in production builds may expose detailed system information, such as file paths, database queries, or application logic, which attackers can exploit.

• Potential Impact: Attackers can exploit exposed debugging data to better understand the app’s architecture, identify weaknesses, and develop targeted attacks against the system.

11.Insecure Clipboard Handling: Sensitive data copied to the clipboard (e.g., passwords, tokens) can be accessed by other apps on the device, leading to data leakage.

• Potential Impact: Attackers or malicious apps on the device can access clipboard data and extract sensitive information like authentication tokens, compromising accounts and user privacy.

Executive Summary

SSL Pinning Bypass (Medium) The application is vulnerable to SSL pinning bypass, allowing attackers to intercept and manipulate encrypted traffic through a man-in-the-middle (MITM) attack. This exposes sensitive data to potential interception, increasing the risk of data breaches and unauthorized access.

Session Persistence After Enabling Google 2FA (Low) After enabling Google Two-Factor Authentication (2FA), existing sessions remain active without requiring re-authentication. This could allow attackers with access to a compromised session to bypass 2FA protection and maintain unauthorized access.

Lack of Anti-Hook and Anti-Debug Mechanism (Low) The application lacks effective anti-hooking and anti-debugging protections, making it susceptible to runtime manipulation and reverse engineering. Attackers could exploit this to modify app behavior or extract sensitive data.

Lack of Jailbreak Detection Mechanism (Low) The application does not implement jailbreak detection, allowing it to run on jailbroken devices. This increases the risk of attackers bypassing security controls and accessing sensitive data or modifying app behavior.

Third-Party Keyboards Are Allowed (Low) The application allows the use of third-party keyboards, which may introduce a risk of keylogging or data interception by malicious keyboard applications.

The CoinEx Android application offers a comprehensive platform for cryptocurrency trading, enabling users to manage their digital assets seamlessly on mobile devices.​

Key Features:

• Extensive Cryptocurrency Support: Users can trade a vast selection of cryptocurrencies, including popular options like BTC, ETH, DOGE, LTC, and XRP, directly through the mobile app. ​

• Diverse Trading Options: The app facilitates various trading methods, such as spot trading, margin trading, and futures trading, allowing users to tailor their strategies to market conditions. ​

• User-Friendly Interface: Designed for both novice and experienced traders, the app features an intuitive interface that simplifies navigation and enhances the trading experience.​

• Real-Time Market Data: Users have access to timely market feeds and in-depth market analysis, empowering them to make informed trading decisions. ​

• Security Measures: The application incorporates robust security protocols to protect user assets and personal information, aligning with CoinEx's commitment to a secure trading environment.​

• Futures Demo Trading: To assist users in mastering futures trading without financial risk, the app offers a demo trading feature that simulates real market conditions. ​

The scope of the project includes the following

Assets in Scope