Introduction
We express our gratitude to the CoinW team for the collaborative engagement that enabled the execution of this Pentest.
CoinW is a centralized cryptocurrency exchange established in 2017 and headquartered in Dubai, United Arab Emirates. It offers a comprehensive suite of trading services, including spot trading, futures trading with leverage up to 200x, and ETF trading. The platform supports over 500 cryptocurrencies, providing users with a wide array of trading pairs.
| Document | |
|---|---|
| Name | Pentest and Security Analysis Report for CoinW |
| Audited By | Adedolapo Olayinka-Adeyemi |
| Approved By | Stephen Ajayi |
| Website | https://www.coinw.com/ |
| Changelog | 25/03/2025 - Preliminary Report |
| Changelog | 09/04/2025 - Retest Report |
| Platform | Android |
| Language | Java, Kotlin |
| Tags | Pentest |
| Methodology | https://hackenio.cc/pentest_methodology |
| Review Scope | |
|---|---|
| Play Store | https://play.google.com/store/apps/details?id=com.coinw.win&hl=en |
| Version | 10.0.23 |
Audit Summary
System users should acknowledge all the risks summed up in the risks section of this report.
System Overview
CoinW provides a mobile application compatible with both iOS and Android devices, enabling users to manage their portfolios and execute trades on the go. The Android application can be downloaded from the Google Play Store.
The CoinW Android app offers functionalities such as real-time market information, trading services, and access to various financial products. According to the Google Play Store's data safety section, the app may collect data types including device or other IDs, photos and videos, personal information (such as name, email address, user IDs, and phone number), financial information (user payment info), and audio (voice or sound recordings). The developer states that this data collection is aimed at enhancing app functionality, account management, and ensuring compliance with security measures. Notably, the app employs encryption in transit to protect user data and provides options for users to request data deletion.
Findings
| Code | Title | Status | Severity |
|---|---|---|---|
| F-2025-9301 | Hardcoded Credentials | fixed | High |
| F-2025-9303 | Cleartext Traffic Allowed (No Network Security Configuration) | fixed | Low |
| F-2025-9300 | Unprotected Android Component (Missing Permission) | fixed | Low |
| F-2025-9302 | Insecure Random Number Generation | fixed | Observation |
Appendix 1. Severity Definitions
| Severity | Description |
|---|---|
| Critical | These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm. |
| High | These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of a potential security breach. |
| Medium | These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention. |
| Low | These issues present no risk to the system and typically relate to code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation. |
Appendix 2. Scope
The scope of the project includes the following:
| Scope Details | |
|---|---|
| Play Store | https://play.google.com/store/apps/details?id=com.coinw.win&hl=en |
| Version | 10.0.23 |