
Audit name: [PT] KCEX | Android | Mar2025

Date: Jun 25, 2025

Table of Contents

Introduction
Audit Summary
System Overview
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer


Introduction

We express our gratitude to the KCEX team for the collaborative engagement that enabled the execution of this Pentest.

KCEX is a centralized cryptocurrency exchange established in 2021 and registered in Mahe, Seychelles. The platform offers secure and convenient trading services for digital assets, including Bitcoin and Ethereum, and supports both spot and futures trading with low fees, suiting both beginners and professional traders.

Document

Name: Android Penetration Test Security Analysis Report for KCEX
Audited By: Bogdan Bodisteanu
Approved By: Stephen Ajayi
Website: www.kcex.com
Changelog: 24/03/2025 - Preliminary Report, 24/06/2025 - Remediation Report, 25/06/2025 - Final Report
Platform: Android
Language: Java
Methodology: https://hackenio.cc/dApp_methodology


Audit Summary

Total Findings: 10
Resolved: 10
Accepted: 0
Mitigated: 0

System users should acknowledge all the risks summarized in the risks section of this report.

Executive Summary

The security evaluation of the KCEX Android application focused on identifying potential weaknesses that could expose users and data to malicious attacks. The testing aimed to assess how well the app’s security mechanisms defend against various threats such as improper configuration, insecure storage, and vulnerabilities in app components. The audit examined several areas, including data security, WebView content handling, cryptographic practices, and misuse of sensitive components.

The findings highlight multiple security concerns, especially in terms of insecure storage, improper usage of WebViews, and outdated cryptographic practices. Recommendations to mitigate these vulnerabilities are provided to ensure the application’s robustness and prevent exploitation.

Scope of Testing

The security audit for the KCEX Android app involved assessing key areas for security flaws, including:

• WebView Security and Remote Content Handling

• SSL Pinning Implementation and Bypass Mechanisms

• Secure Storage and Data Leakage

• JavaScript Execution and Cross-Site Scripting (XSS) Risks

• Cryptographic Algorithms and Random Number Generation

• Sensitive Data Exposure and FileProvider Configuration

Methodology

The evaluation utilized both static and dynamic analysis approaches. Static analysis focused on examining the app’s source code, APK file, and configuration settings, while dynamic analysis included observing the app’s behavior during runtime, especially when manipulating inputs and attempting to exploit potential vulnerabilities.

Key Findings:

1. Unsafe WebView Load from Remote Content or Local File System (Medium)

• The application improperly loads content into WebViews, potentially allowing attackers to inject malicious content from remote sources or local files. This opens up the possibility for a variety of attacks, such as injecting malicious JavaScript or performing Cross-Site Scripting (XSS) attacks.

2. Improper SSL Pinning (Medium)

• The app implements SSL pinning incorrectly or incompletely, making it susceptible to Man-In-The-Middle (MITM) attacks. An attacker could potentially bypass SSL pinning and intercept sensitive data transmitted between the app and its backend services.

3. Insecure Storage of Sensitive Data (Medium)

• Sensitive information, such as user credentials, tokens, or personal data, is stored insecurely, exposing it to potential theft or manipulation if the device is compromised. It is essential to store sensitive data using secure storage mechanisms like Android’s Keystore system.

4. JavaScript Execution in WebView Leading to Potential XSS via /client/app/webview/BaseWebActivity (Medium)

• The app allows JavaScript execution within a WebView component, creating a potential vulnerability for Cross-Site Scripting (XSS) attacks. This could allow attackers to execute arbitrary scripts in the context of the app, potentially leading to data leakage or unauthorized actions.

5. JavaScript Execution in WebView via /client/mvp/ui/activity/a.java (Medium)

• Similarly, JavaScript execution within the WebView component can be exploited by attackers to inject malicious code, potentially compromising the app’s security.

6. Usage of Deprecated Cryptographic Algorithms (Low)

• The app utilizes outdated cryptographic algorithms that are vulnerable to modern attacks. For example, deprecated SSL/TLS protocols or weak encryption algorithms may expose sensitive data to interception.

7. Insecure Random Number Generator (Low)

• The application uses an insecure random number generator, which could lead to predictable outcomes in cryptographic or session-related processes. This could undermine security mechanisms relying on randomness, such as session tokens or secure identifiers.

8. Improper PendingIntent Usage (Low)

• The app misuses PendingIntent, which could potentially allow malicious apps or attackers to send unintended intents, leading to privilege escalation or unauthorized actions within the app.

9. Sensitive Data Exposure via Keyboard Cache (Low)

• The app fails to securely handle sensitive information when entered via the keyboard. Caching sensitive data in an insecure manner could expose personal information if an attacker gains access to the cache.

10. Misconfiguration in FileProvider Path (Low)

• The FileProvider component is misconfigured, potentially exposing sensitive files or allowing unauthorized access to local storage. Proper configuration of the FileProvider’s path and permissions should be implemented to limit access to only necessary files.
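The following is an added example illustrating findings 7 and 8 above (insecure random number generation and improper PendingIntent usage); it is not KCEX's code and not from the report. The class name, the action string and the session-token format are assumptions; each weak pattern is shown beside the hardened form a remediation would use.

```java
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.util.Base64;
import java.security.SecureRandom;

// Hypothetical helper class written for this report; not part of the KCEX code base.
public final class PendingIntentAndRandomHardening {

    // Weak pattern: an implicit Intent (no target component) wrapped in a mutable PendingIntent.
    // Whoever receives this PendingIntent can fill in the empty fields and have the Intent
    // delivered with this app's identity and permissions.
    public static PendingIntent weakPendingIntent(Context ctx) {
        Intent implicit = new Intent("com.example.ACTION_OPEN"); // hypothetical action, no component
        return PendingIntent.getActivity(ctx, 0, implicit, PendingIntent.FLAG_UPDATE_CURRENT);
    }

    // Hardened pattern: explicit target plus FLAG_IMMUTABLE (API 23+), so the receiver cannot
    // modify the wrapped Intent. Android 12+ requires an explicit mutability flag in any case.
    public static PendingIntent hardenedPendingIntent(Context ctx, Class<?> targetActivity) {
        Intent explicit = new Intent(ctx, targetActivity);
        explicit.setPackage(ctx.getPackageName());
        return PendingIntent.getActivity(ctx, 0, explicit,
                PendingIntent.FLAG_IMMUTABLE | PendingIntent.FLAG_UPDATE_CURRENT);
    }

    // Weak pattern: java.util.Random is a 48-bit linear congruential generator; its internal
    // state can be recovered from a few outputs, so any token derived from it is predictable.
    public static long weakSessionToken() {
        return new java.util.Random().nextLong();
    }

    // Hardened pattern: SecureRandom is backed by the platform CSPRNG; 32 bytes yield a
    // 256-bit identifier, encoded URL-safe so it can travel in headers or query strings.
    public static String hardenedSessionToken() {
        byte[] buf = new byte[32];
        new SecureRandom().nextBytes(buf);
        return Base64.encodeToString(buf, Base64.URL_SAFE | Base64.NO_WRAP | Base64.NO_PADDING);
    }
}
```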

Conclusion

The KCEX Android application demonstrates several critical areas for improvement in security, particularly in how it handles WebViews, SSL pinning, and secure storage. Key vulnerabilities identified include insecure data storage, improper WebView configurations leading to JavaScript execution risks, and outdated cryptographic practices.

To improve the application’s security posture, we recommend:

• Enhancing WebView security to prevent unsafe content loading and implementing a secure JavaScript execution environment.

• Correctly implementing SSL pinning to protect data in transit.

• Storing sensitive data in the Android Keystore or using encryption for local storage.

• Replacing deprecated cryptographic algorithms with stronger, current standards.

• Ensuring proper configuration of components like PendingIntent and FileProvider.

By addressing these issues, KCEX can significantly reduce its vulnerability to attacks and improve the overall security of the application.
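As an added example of the first recommendation above (and of the WebView findings 1, 4 and 5), this is a hardened WebView loader; it is not KCEX's code and not from the report. The class name, the allowlisted host and a minSdk of 24 (for the WebResourceRequest overload) are assumptions.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper class written for this report; not part of the KCEX code base.
public final class HardenedWebViewLoader {
    // Hypothetical allowlist: only the exchange's own HTTPS hosts should ever be rendered.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.kcex.com"));

    // A URL is acceptable only if it is HTTPS and its host is on the allowlist. This rejects
    // file://, content://, javascript: and intent: URLs as well as any third-party origin.
    static boolean isAllowed(Uri uri) {
        String host = uri == null ? null : uri.getHost();
        return host != null && "https".equalsIgnoreCase(uri.getScheme())
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    // Applies the settings that address the WebView findings: no local file or content-URI
    // access, no cross-origin access from file URLs, and JavaScript only if the screen needs it.
    public static void configure(WebView webView, boolean pageNeedsJavaScript) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(pageNeedsJavaScript);
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        webView.setWebViewClient(new WebViewClient() {
            // Called for navigations after the first load (API 24+); returning true cancels them.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isAllowed(request.getUrl());
            }
        });
    }

    // shouldOverrideUrlLoading is not invoked for the initial loadUrl() call, so the entry
    // point must check the allowlist itself before handing the URL to the WebView.
    public static void loadTrusted(WebView webView, String url) {
        Uri uri = Uri.parse(url);
        if (!isAllowed(uri)) throw new IllegalArgumentException("URL not on WebView allowlist");
        webView.loadUrl(uri.toString());
    }
}
```

Any screen that does need JavaScript should call configure(webView, true) and still route every load through loadTrusted, so script only ever runs on allowlisted origins.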

System Overview

KCEX is a centralized cryptocurrency exchange established in 2021 and headquartered in Mahe, Seychelles.  The platform offers secure and convenient trading services for various digital assets, including Bitcoin and Ethereum, supporting both spot and futures trading with low fees suitable for both beginners and professional traders.

With a team of 51-200 employees, KCEX is dedicated to empowering both seasoned traders and aspiring crypto enthusiasts on their journey into the world of digital assets.  The platform provides a range of features to cater to users’ cryptocurrency trading needs, including futures trading and daily trading competitions.

KCEX emphasizes security by implementing robust security protocols, including storing 100% of user assets in cold wallets to protect against unauthorized access and potential breaches.  Additionally, the platform offers high-performance trading capabilities, with a matching engine capable of processing over 100,000 transactions per second (TPS), ensuring swift trade executions even during periods of high market volatility.

The exchange also provides a referral program where clients can earn rewards for inviting other traders to join the platform.  Furthermore, KCEX offers multilingual, high-quality services 24/7 to over 1 million users in dozens of countries worldwide.

As with any cryptocurrency exchange, it’s essential for users to exercise caution, conduct thorough research, and consider both the benefits and potential risks before engaging in trading activities on the platform.

Findings

Code | Title | Status | Severity
F-2025-9369 | Improper SSL Pinning | Fixed | Medium
F-2025-9365 | Unsafe WebView Load from Remote Content or Local File System | Fixed | Medium
F-2025-9364 | JavaScript Execution in WebView via /client/mvp/ui/activity/a.java | Fixed | Medium
F-2025-9362 | JavaScript Execution in WebView Leading to Potential XSS via /client/app/webview/BaseWebActivity | Fixed | Medium
F-2025-9361 | Insecure Storage of Sensitive Data | Fixed | Medium
F-2025-9368 | Misconfiguration in FileProvider Path | Fixed | Low
F-2025-9367 | Sensitive Data Exposure via Keyboard Cache | Fixed | Low
F-2025-9366 | Improper PendingIntent Usage | Fixed | Low
F-2025-9363 | Insecure Random Number Generator | Fixed | Low
F-2025-9359 | Usage of Deprecated Cryptographic Algorithms | Fixed | Low


Appendix 1. Severity Definitions

Severity | Description

Critical
These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm.

High
These issues present a significant risk to the system but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of a potential security breach.

Medium
These issues present a moderate risk to the system and do not have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention.

Low
These issues present no risk to the system and typically relate to code quality problems or general recommendations. They do not require immediate attention and should be viewed as minor recommendations.

Disclaimer