Audit name:
[PT] KuCoin / iOS / Jan2025
Date:
Feb 7, 2025
Table of Content
Introduction
We express our gratitude to the KuCoin team for the collaborative engagement that enabled the execution of this Pentest.
Document | |
|---|---|
| Name | Pentest and Security Analysis Report for KuCoin |
| Audited By | Ece Orsel |
| Approved By | Stephen Ajayi |
| Website | www.kucoin.com, kucoin.com |
| Changelog | 05/02/2025 - Preliminary Report |
| Platform | iOS |
| Language | Swift |
| Tags | iOS Application Mobile Pentest |
| Methodology | https://hackenio.cc/pentest_methodology→ |
Document
- Name
- Pentest and Security Analysis Report for KuCoin
- Audited By
- Ece Orsel
- Approved By
- Stephen Ajayi
- Website
- www.kucoin.com, kucoin.com
- Changelog
- 05/02/2025 - Preliminary Report
- Platform
- iOS
- Language
- Swift
- Tags
- iOS Application Mobile Pentest
- Methodology
- https://hackenio.cc/pentest_methodology→
Review Scope | |
|---|---|
| Application | https://apps.apple.com/ae/app/kucoin-buy-bitcoin-crypto/id1378956601→ |
| Version | 3.121.3 |
Review Scope
- Version
- 3.121.3
Protect your dApp with insights like these.
Audit Summary
The system users should acknowledge all the risks summed up in the risks section of the report
Threat Modeling and Attack Scenarios
As part of the security assessment for the iOS mobile application, this threat modeling report analyzes potential vulnerabilities specific to mobile app architecture, including insecure data storage, reverse engineering risks, and improper session management. The objective is to identify possible attack vectors, assess the associated risks, and recommend mitigations to enhance the application's security posture, safeguarding it against adversarial threats and ensuring the protection of sensitive user data and app functionality.
1\. Insecure Data Storage : Sensitive information (e.g., tokens, credentials) may be stored in insecure locations such as NSUserDefaults, exposing it to attackers with physical access or access via malware.
Potential Impact: If compromised, attackers can retrieve sensitive user data, leading to privacy violations, account takeovers, or other unauthorized actions.
2.Jailbreak Detection Bypass: iOS apps often include jailbreak detection to prevent running on compromised devices, but poorly implemented detection can be easily bypassed.
Potential Impact: Running the app on a jailbroken device can bypass security controls, allowing attackers to manipulate the app, access sensitive data, or disable key security features.
3.Insecure Code and Binary Protection: Lack of binary obfuscation or secure code signing makes it easier for attackers to decompile and understand the app's internal logic.
Potential Impact: Attackers can modify the app’s behavior, such as bypassing payment systems, altering functionality, or exploiting vulnerabilities in the code.
4.Insufficient Cryptography: Weak or improperly implemented cryptographic algorithms (e.g., hardcoded keys, weak encryption) leave sensitive data vulnerable to decryption.
Potential Impact: Attackers can decrypt sensitive data such as passwords or personal information, leading to data breaches or unauthorized access.
5.Insecure Application Logs: Logging sensitive information such as API responses or user data in the app’s logs can expose it to attackers with access to the device or the app’s logs.
Potential Impact: Attackers can extract sensitive information from logs, leading to account compromise or privacy violations.
6.Improper Certificate Pinning: Failure to implement certificate pinning leaves the app vulnerable to MitM attacks, where an attacker can intercept and manipulate data between the app and its server.
Potential Impact: Compromised communication allows attackers to steal sensitive information, manipulate transactions, or inject malicious data.
7.Insufficient TouchID/FaceID Protection: Inadequate implementation of biometric authentication can lead to unauthorized access if the biometric checks are bypassed or incorrectly verified.
Potential Impact: Attackers could bypass biometric authentication, gaining unauthorized access to sensitive app functions or user accounts.
8.Insecure Use of WebViews: WebViews embedded in the app can expose the app to client-side attacks like cross-site scripting (XSS) or insecure browser-based interactions.
Potential Impact: Attackers can execute malicious scripts or hijack sensitive user data through insecure WebView configurations.
9.Hardcoded Sensitive Data: Sensitive information, such as API keys, encryption keys, or tokens, may be hardcoded in the app's source code, which can be extracted through reverse engineering.
Potential Impact: Attackers can extract hardcoded secrets from the app’s binary, gaining access to backend services, sensitive user data, or performing unauthorized operations.
10\. Insecure Debugging Information: Debugging features left enabled in production builds may expose detailed system information, such as file paths, database queries, or application logic, which attackers can exploit.
Potential Impact: Attackers can exploit exposed debugging data to better understand the app’s architecture, identify weaknesses, and develop targeted attacks against the system.
11.Insecure Clipboard Handling: Sensitive data copied to the clipboard (e.g., passwords, tokens) can be accessed by other apps on the device, leading to data leakage.
Potential Impact: Attackers or malicious apps on the device can access clipboard data and extract sensitive information like authentication tokens, compromising accounts and user privacy.
Executive Summary
A security assessment of the KuCoin iOS application identified two low-risk vulnerabilities related to outdated dependencies. While these findings do not pose an immediate critical threat, they could potentially be leveraged in specific scenarios to compromise application integrity or user data. Addressing them proactively will improve the application's overall security posture.
1\. DOM Clobbering in Rollup (F-2025-8645)
The application uses an outdated version of Rollup (1.32.1), which contains a DOM Clobbering vulnerability (CVE-2024-47068). This flaw may allow attackers to manipulate document.currentScript using HTML elements with specific attributes (e.g., \<img name="currentScript">), potentially leading to minor cross-site scripting (XSS) risks in certain WebView implementations. While no direct exploitability was identified within the current app’s environment, mitigating this issue will enhance future security resilience.
2\. Use of Outdated Vulnerable Component: OpenCV 4.1.0 (F-2025-8629)
The application contains OpenCV v4.1.0, which is an outdated version with known memory safety vulnerabilities. These vulnerabilities could, in rare cases, be exploited by maliciously crafted image files to trigger denial-of-service (DoS) attacks or minor memory corruption issues. While no direct impact to user security was observed, upgrading to a newer OpenCV version would eliminate unnecessary risks associated with outdated libraries.
System Overview
KuCoin, a leading cryptocurrency exchange platform, is based in Singapore and was established in 2017 by Michael Gan. Operated by KuCoin Co., Ltd., it quickly rose to prominence for its intuitive interface, extensive selection of tradable assets, and a suite of features designed to accommodate the needs of both novice and seasoned cryptocurrency traders.
Component:
Android Mobile Application
iOS Mobile Application
Findings
Code ― | Title | Status | Severity | |
|---|---|---|---|---|
| F-2025-8645 | DOM Clobbering in Rollup | unfixed | Low | |
| F-2025-8629 | Use of Outdated Vulnerable Component (OpenCV 4.1.0) | unfixed | Low |
Uncover findings like these to secure your project.
Appendix 1. Severity Definitions
Severity | Description |
|---|---|
Critical | These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm. |
High | These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of the potential security breach. |
Medium | These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention. |
Low | These issues present no risk to the system and typically relate to the code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation. |
Severity
- Critical
Description
- These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm.
Severity
- High
Description
- These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of the potential security breach.
Severity
- Medium
Description
- These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention.
Severity
- Low
Description
- These issues present no risk to the system and typically relate to the code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation.
Appendix 2. Scope
The scope of the project includes the following
Review Scope | |
|---|---|
| Application | https://apps.apple.com/ae/app/kucoin-buy-bitcoin-crypto/id1378956601→ |
| Version | 3.121.3 |
Review Scope
- Version
- 3.121.3
Assets in Scope
iOS