
Extsy

Audit name: [PT] Extsy / Android / Dec2024

Date: Mar 19, 2025

Table of Contents

Introduction
Audit Summary
System Overview
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer


Introduction

We thank the Extsy team for the collaborative engagement that made this penetration test possible.

Extsy is an innovative digital finance ecosystem focused on transforming how users manage, trade, and utilize digital assets. With a mission to redefine the boundaries of digital finance, Extsy offers a comprehensive suite of tools and services designed to empower users in the rapidly evolving world of decentralized finance (DeFi).

Document

Name: Android Penetration Test Security Analysis Report for Extsy
Audited By: Bogdan Bodisteanu
Approved By: Stephen Ajayi
Website: extsy.com
Changelog: 17/02/2025 - Preliminary Report, 14/03/2025 - Remediation Report, 21/03/2025 - Final Report
Platform: Android
Language: Flutter, Java
Methodology: https://hackenio.cc/dApp_methodology

Review Scope

Android Application: Shared Privately


Audit Summary

Total Findings: 12
Resolved: 12
Accepted: 0
Mitigated: 0

Users of the system should acknowledge all the risks summarized in the risks section of this report.

Executive Summary

This report presents the findings of the security evaluation of the Extsy Android application. The assessment aimed to identify vulnerabilities and to evaluate how well the application's security controls hold up against common attack techniques, including tampering, dynamic analysis, reverse engineering, and leakage of sensitive information.

Our evaluation revealed multiple critical vulnerabilities that could lead to severe security breaches if left unaddressed. The most significant risks are several SQL injection flaws against the PostgreSQL backend, an unrestricted file upload, and a blind SSRF vulnerability. Several medium- and low-severity issues (OTP brute force in the password reset flow, user enumeration, a Flutter protection bypass, and an insecure FileProvider configuration) further weaken the application's security posture.

Scope of Testing

The security assessment focused on the following key areas:

  • Resistance Against SQL Injection Attacks

  • Network Communication and Server Security

  • Dynamic Analysis and Debugging Protections

  • Secure Data Storage and Handling

  • Authentication and Authorization Mechanisms

Methodology

The security evaluation incorporated both static and dynamic analysis techniques:

Static Analysis: Analyzed the APK, including decompiled source code, manifest files, and third-party libraries, to identify potential vulnerabilities.

Dynamic Analysis: Monitored the application's behavior during runtime to evaluate its security defenses against tampering, debugging, and data leakage.

Key Findings

Injection Vulnerabilities

Our assessment uncovered multiple critical PostgreSQL injection vulnerabilities in key application endpoints, which allow attackers to manipulate database queries and potentially gain unauthorized access to sensitive data. The affected endpoints include:

  • PostgreSQL Injection in /dashboard/getTransactions (Critical)

  • PostgreSQL Injection in hidden parameter on /dashboard/getTransactions (Critical)

  • PostgreSQL Injection in /wallet/getConnectedWalletByAddress (Critical)

  • PostgreSQL Injection in /trade/getBalance (Critical)

  • PostgreSQL Injection in /raffle/getLeaderBoard (Critical)

These vulnerabilities pose a significant risk: an attacker can alter the structure of the executed SQL, exfiltrate sensitive data, and, depending on the database role the application connects with, reach well beyond the tables the endpoint is meant to touch. Every user-controlled value must be passed as a bound parameter of a parameterized query; parts of a statement that cannot be bound, such as column names used for sorting or filtering, must be mapped through a server-side allowlist. Input validation is a useful second layer but not a substitute.
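The pattern behind the findings above, beside the parameterized form that fixes it, as an added example that is not Extsy's code. The report's backend is PostgreSQL; the standard library's sqlite3 module is used here only so the example runs offline, and the table, column and parameter names (`transactions`, `owner`, `status`, `sort_by`) are assumptions, not names taken from the audited endpoints. It also covers the case a bound parameter cannot solve, a client-chosen sort column, which needs an allowlist.

```python
# Added example (not Extsy's code): the reported injection class and its fix.
# sqlite3 stands in for PostgreSQL so this runs offline; names are assumptions.
import sqlite3

# Constructed sample data standing in for a transactions table.
SAMPLE_ROWS = [
    (1, "alice", 10.0, "confirmed"),
    (2, "alice", 25.0, "pending"),
    (3, "bob", 99.0, "confirmed"),
]

# Identifiers cannot be bound as parameters, so sortable columns are allowlisted.
ALLOWED_SORT_COLUMNS = {"id", "amount"}


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions (id INTEGER, owner TEXT, amount REAL, status TEXT)"
    )
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_transactions_vulnerable(conn, owner: str, status: str) -> list:
    # The bug class in the report: a request parameter is spliced into the SQL text,
    # so a quote inside `status` changes the query's structure instead of its value.
    sql = (
        "SELECT id, owner, amount FROM transactions "
        f"WHERE owner = '{owner}' AND status = '{status}'"
    )
    return conn.execute(sql).fetchall()


def get_transactions_fixed(conn, owner: str, status: str) -> list:
    # Values travel as bound parameters; the SQL text is fixed at code time, so the
    # same payload is compared literally against the status column and matches nothing.
    sql = "SELECT id, owner, amount FROM transactions WHERE owner = ? AND status = ?"
    return conn.execute(sql, (owner, status)).fetchall()


def get_transactions_sorted(conn, owner: str, sort_by: str) -> list:
    # ORDER BY takes an identifier, which no driver can bind. The client's choice is
    # checked against the allowlist before it is ever placed in the statement.
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    sql = f"SELECT id, owner, amount FROM transactions WHERE owner = ? ORDER BY {sort_by}"
    return conn.execute(sql, (owner,)).fetchall()


def demo() -> tuple:
    """Return (rows leaked by the vulnerable query, rows returned by the fixed one)."""
    conn = make_db()
    payload = "' OR '1'='1"
    # AND binds tighter than OR, so the injected predicate returns every user's rows
    # to a caller who only supplied alice's credentials.
    leaked = get_transactions_vulnerable(conn, "alice", payload)
    safe = get_transactions_fixed(conn, "alice", payload)
    return len(leaked), len(safe)


if __name__ == "__main__":
    print(demo())  # (3, 0)
```

The same payload that returns all three rows through string concatenation returns none through the bound parameter, because the driver never lets the value participate in parsing the statement. The allowlisted sort column is the case parameterization alone does not cover, and is the usual place injection survives after a "we use prepared statements" remediation.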

File Upload Vulnerability

  • Unrestricted File Upload in /media-upload/upload (High)

The application accepts uploads without adequate restriction on type, name or content, which an attacker could use to place malicious files on the server and potentially achieve remote code execution or unauthorized access. Mitigation requires an allowlist of permitted extensions, verification that the file's actual bytes match the declared type (the client-supplied Content-Type header is attacker-controlled), a size limit, server-generated storage names in place of the client's filename, and storing uploads where they are served as static content and never executed.
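Upload validation implementing the controls just listed, as an added example and not the project's own code. The permitted formats, the magic-byte prefixes, the 5 MiB limit and the function names are assumptions chosen for illustration; the sample file contents in the usage are constructed.

```python
# Added example (not Extsy's code): allowlist-based upload validation.
# Limits, formats and names are assumptions for illustration.
import os
import secrets

# Stored extension -> (Content-Type it must be declared as, magic-byte prefixes
# the file body must start with). Extension, header and bytes must all agree.
ALLOWED = {
    "png": ("image/png", [b"\x89PNG\r\n\x1a\n"]),
    "jpg": ("image/jpeg", [b"\xff\xd8\xff"]),
    "gif": ("image/gif", [b"GIF87a", b"GIF89a"]),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit


class UploadRejected(ValueError):
    pass


def validate_upload(filename: str, declared_type: str, data: bytes) -> str:
    """Return the extension the file may be stored under, or raise UploadRejected."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    # Only the last extension counts, so "shell.png.php" is judged as ".php".
    ext = os.path.splitext(os.path.basename(filename))[1].lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED:
        raise UploadRejected("extension not allowed")
    expected_type, magics = ALLOWED[ext]
    # The Content-Type header comes from the client and proves nothing on its own,
    # but a mismatch with the extension is a cheap early reject.
    if declared_type.lower() != expected_type:
        raise UploadRejected("content type does not match extension")
    # The bytes themselves must look like the claimed format.
    if not any(data.startswith(m) for m in magics):
        raise UploadRejected("file content does not match declared type")
    return ext


def storage_name(ext: str) -> str:
    # Never reuse the client's filename: it can carry path separators, double
    # extensions or null bytes. The server chooses a random name with the
    # extension that validation returned, not the one the client sent.
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample: a minimal PNG header followed by padding.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    ext = validate_upload("avatar.PNG", "image/png", png)
    print(storage_name(ext))
```

The check is deliberately conjunctive: a PHP payload named `x.png` fails on the magic bytes, a real PNG named `shell.png.php` fails on the extension, and a real PNG declared as `application/x-php` fails on the header. None of this matters if the upload directory is served through a handler that executes scripts, so the storage location has to be locked down independently of the validation.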

Server-Side Request Forgery (SSRF)

  • Blind SSRF in /auth/updateRaffleName (High)

This vulnerability lets an attacker make the server issue requests to destinations of the attacker's choosing. Because the SSRF is blind, the response body is not returned to the attacker, but internal services and hosts that are unreachable from the internet can still be reached, probed by timing, or made to perform side effects. The destination must be validated against an allowlist of hosts and schemes, the resolved address must be rejected if it is loopback, link-local, or otherwise non-public, and outbound connections from the application host should be restricted at the network level.
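Destination validation of the kind recommended above, as an added example rather than Extsy's own code. The allowlisted host `cdn.example.com`, the `resolve` callback, and the fake DNS table in the usage are assumptions constructed for the example; a real service would pass a resolver that performs the lookup and then connect to exactly the addresses it returned.

```python
# Added example (not Extsy's code): validating a user-supplied outbound URL.
# Allowlist entries and the resolver hook are assumptions for illustration.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"cdn.example.com"}   # assumed: hosts the server may fetch from
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    # is_global is False for loopback, link-local (which includes the 169.254.169.254
    # cloud metadata address), RFC 1918, CGNAT, ULA and unspecified addresses.
    return addr.is_global and not addr.is_multicast


def check_outbound_url(url: str, resolve) -> str:
    """Return the lowercase hostname if the URL may be fetched; raise ValueError if not.

    `resolve(host)` must return the list of IP address strings the host resolves to.
    The caller should connect to those exact addresses rather than resolving again,
    otherwise a DNS answer that changes between check and use (rebinding) defeats
    the check.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")
    host = parts.hostname
    # "https://cdn.example.com@127.0.0.1/" parses with the allowlisted name as the
    # userinfo and the attacker's host as the real authority; refuse userinfo outright.
    if not host or parts.username is not None or parts.password is not None:
        raise ValueError("malformed authority")
    if parts.port not in ALLOWED_PORTS:   # .port raises ValueError for junk ports
        raise ValueError("port not allowed")
    host = host.lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError("host not on allowlist")
    addrs = resolve(host)
    if not addrs or not all(is_public_address(a) for a in addrs):
        raise ValueError("host resolves to a non-public address")
    return host


if __name__ == "__main__":
    # Constructed stand-in for DNS.
    fake_dns = {"cdn.example.com": ["93.184.216.34"]}
    print(check_outbound_url("https://cdn.example.com/logo.png", fake_dns.get))
```

The resolver check is the part most implementations skip: an allowlisted hostname is only as trustworthy as the DNS zone behind it, and a record pointing at 127.0.0.1 or 10.0.0.0/8 turns the allowlist into a bypass. Rejecting at the address layer, and pinning the connection to the checked addresses, closes that gap.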

Brute-Force and Enumeration Attacks

  • OTP Brute-Force in Password Reset Mechanism (Medium)

  • User Enumeration in Password Reset Functionality (Low)

  • User Enumeration in Signup Endpoint (Low)

The OTP brute-force weakness lets an attacker submit codes repeatedly against the password reset flow until one matches, which leads directly to account takeover. The user enumeration issues reveal, through differing responses, whether an address is registered, which lets an attacker build a target list for credential stuffing and phishing. Mitigations are a small number of verification attempts per issued OTP after which the code is invalidated, a short expiry, rate limiting per account and per source, CAPTCHA where abuse persists, and responses that are identical in body, status code and timing whether or not the account exists.
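A password reset service that applies those mitigations, as an added example that is not Extsy's implementation. The six-digit code, the five-attempt budget, the ten-minute expiry and the in-memory stores are assumptions; a real deployment would persist the pending OTPs and counters in a shared store and add per-source rate limiting in front of the endpoint.

```python
# Added example (not Extsy's code): OTP verification with attempt budget and
# expiry, and an enumeration-safe request endpoint. Limits are assumptions.
import hmac
import secrets
import time

OTP_DIGITS = 6
MAX_ATTEMPTS = 5          # assumed: wrong guesses allowed per issued code
OTP_TTL_SECONDS = 600     # assumed validity window

# One fixed response regardless of whether the account exists.
GENERIC_RESPONSE = "If an account exists for that address, a code has been sent."


class ResetService:
    def __init__(self, known_emails, now=time.time):
        self._users = set(known_emails)
        self._pending = {}    # email -> [otp, expires_at, attempts_left]
        self.sent = []        # stand-in for the email/SMS gateway
        self._now = now

    def request_reset(self, email: str) -> str:
        # The branch below must not leak through status code, body or timing;
        # the body is identical here, and a real service would also send the
        # message asynchronously so the response time does not depend on it.
        if email in self._users:
            otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
            self._pending[email] = [otp, self._now() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
            self.sent.append((email, otp))
        return GENERIC_RESPONSE

    def verify(self, email: str, code: str) -> bool:
        entry = self._pending.get(email)
        if entry is None:
            return False
        otp, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            self._pending.pop(email, None)
            return False
        entry[2] -= 1                      # every call spends one attempt
        if hmac.compare_digest(otp, code): # constant-time comparison
            self._pending.pop(email, None) # a code is single use
            return True
        if entry[2] == 0:
            # Budget exhausted: the code is dead and the user must request a new one,
            # so guessing never gets more than MAX_ATTEMPTS tries per code.
            self._pending.pop(email, None)
        return False


if __name__ == "__main__":
    svc = ResetService(["alice@example.com"])
    print(svc.request_reset("alice@example.com"))
    print(svc.request_reset("nobody@example.com"))   # same text
    email, otp = svc.sent[0]
    print(svc.verify(email, otp))                     # True
```

With a six-digit code and a five-attempt budget, one request gives an attacker a 5 in 10^6 chance; without the budget the same code falls to at most a million requests, which is minutes of work against an unthrottled endpoint. The generic response removes the oracle that distinguishes registered from unregistered addresses; the signup endpoint needs the same treatment, typically by confirming registration by email rather than in the HTTP response.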

Flutter Protection Bypass

  • Flutter Protection Bypass (Medium)

The application's Flutter-based protection mechanisms could be bypassed at runtime, allowing an attacker to disable client-side checks and modify the app's behavior. Stronger obfuscation and runtime integrity checks raise the effort required, but client-side controls of this kind can only slow a determined attacker down; any security decision that matters must be enforced on the server, where the client cannot tamper with it.

Insecure File Provider Configuration

  • Insecure File Provider Configuration (Low)

A FileProvider whose paths configuration exposes a broad directory (for example the app's private storage or the filesystem root) lets any component that obtains a content URI from it read files well beyond the ones the app intends to share. The <paths> entries should be restricted to the specific directories that actually need to be shared, the provider should remain non-exported, and read or write access should be granted per URI on the intent that carries it rather than broadly.
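A weak and a restricted FileProvider configuration side by side, added here as an illustration of the finding's class; this is not Extsy's manifest, and the authority name, the `shared/` directory and the path names are assumptions.

```xml
<!-- Added example (not Extsy's configuration). Authority and paths are assumptions. -->

<!-- res/xml/file_paths.xml, weak: the whole filesystem is reachable through the
     provider, so a content URI for any file on the device can be handed out. -->
<paths xmlns:android="http://schemas.android.com/apk/res/android">
    <root-path name="root" path="." />
</paths>

<!-- res/xml/file_paths.xml, restricted: only files under
     getFilesDir()/shared/ can be addressed through the provider. -->
<paths xmlns:android="http://schemas.android.com/apk/res/android">
    <files-path name="shared_docs" path="shared/" />
</paths>

<!-- AndroidManifest.xml: the provider is not exported; callers receive access
     to a single URI via FLAG_GRANT_READ_URI_PERMISSION on the sharing intent. -->
<provider
    android:name="androidx.core.content.FileProvider"
    android:authorities="${applicationId}.fileprovider"
    android:exported="false"
    android:grantUriPermissions="true">
    <meta-data
        android:name="android.support.FILE_PROVIDER_PATHS"
        android:resource="@xml/file_paths" />
</provider>
```

The scope of the `<paths>` file is what matters: a `<root-path>` or an overly wide `<files-path path="."/>` turns every URI grant into a grant over everything, including databases and preference files, while a narrow subdirectory bounds the damage of any component that receives a URI.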

Conclusion

The security assessment of the Extsy Android application revealed several critical security flaws, the most severe being multiple PostgreSQL injection vulnerabilities, an unrestricted file upload issue, and an SSRF vulnerability. These issues could lead to unauthorized access, data breaches, and even server compromise if exploited.

Furthermore, the application is vulnerable to brute-force attacks, user enumeration, and Flutter protection bypass. Strengthening authentication controls, enhancing input validation, and improving runtime security mechanisms are crucial steps to mitigate these risks and improve the overall security posture of the application.

Addressing these vulnerabilities through secure coding practices, rigorous testing, and regular security audits will significantly enhance the security of the Extsy Android application and protect its users from potential cyber threats.

System Overview

The audited mobile application is a financial trading platform that provides account management, real-time market data, trade execution, and transaction handling. It is developed for the Android platform and uses a client-server architecture, communicating with backend services over the network.

Findings

Code          Title                                                                  Status   Severity
F-2025-8744   PostgreSQL Injection in /raffle/getLeaderBoard                         fixed    Critical
F-2025-8743   PostgreSQL Injection in /trade/getBalance                              fixed    Critical
F-2025-8742   PostgreSQL Injection in /wallet/getConnectedWalletByAddress            fixed    Critical
F-2025-8741   PostgreSQL Injection in hidden parameter on /dashboard/getTransactions fixed    Critical
F-2025-8718   PostgreSQL Injection in /dashboard/getTransactions                     fixed    Critical
F-2025-8769   Blind Server-Side Request Forgery (SSRF) in /auth/updateRaffleName     fixed    High
F-2025-8768   Unrestricted File Upload in /media-upload/upload                       fixed    High
F-2025-8725   Flutter Protection Bypass                                              fixed    Medium
F-2025-8707   OTP Brute-Force in Password Reset Mechanism                            fixed    Medium
F-2025-8846   Insecure File Provider Configuration                                   fixed    Low

Showing findings 1-10 of 12.


Appendix 1. Severity Definitions

Severity

Description

Critical
These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm.

High
These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of the potential security breach.

Medium
These issues present a moderate risk to the system and do not have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention.

Low
These issues present no risk to the system and typically relate to the code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation.

Appendix 2. Scope

Scope Details

Android Application: Shared Privately
Whitepaper: https://hackenio.cc/hacken-methodologies

Assets in Scope

com.exchange.extsy

Disclaimer