
MEXC

Audit name: [PT] MEXC DEX+ / iOS / Mar2025

Date: May 9, 2025

Table of Content

Introduction
Audit Summary
System Overview
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer

Introduction

We express our gratitude to the MEXC team for the collaborative engagement that enabled the execution of this Pentest.

Document

Name: Pentest and Security Analysis Report for MEXC
Audited By: Ece Orsel
Approved By: Stephen Ajayi
Website: https://www.mexc.com/, mexc.com
Changelog: 14/03/2025 - Preliminary Report
Platform: iOS
Language: Swift
Methodology: https://hackenio.cc/pentest_methodology

Review Scope

TestFlight: https://testflight.apple.com/join/A5bcAXS2
Version/Build: 6.1.0/4

Audit Summary

Total Findings: 5
Resolved: 4
Accepted: 1
Mitigated: 0

System users should acknowledge all the risks summarised in the risks section of this report.

Threat Modeling and Attack Scenarios

As part of the security assessment for the iOS mobile application, this threat modeling report analyzes potential vulnerabilities specific to mobile app architecture, including insecure data storage, reverse engineering risks, and improper session management. The objective is to identify possible attack vectors, assess the associated risks, and recommend mitigations to enhance the application's security posture, safeguarding it against adversarial threats and ensuring the protection of sensitive user data and app functionality.

1. Insecure Data Storage: Sensitive information (e.g., tokens, credentials) may be stored in insecure locations such as NSUserDefaults, exposing it to attackers with physical access or access via malware.

  • Potential Impact: If compromised, attackers can retrieve sensitive user data, leading to privacy violations, account takeovers, or other unauthorized actions.

2. Jailbreak Detection Bypass: iOS apps often include jailbreak detection to prevent running on compromised devices, but poorly implemented detection can be easily bypassed.

  • Potential Impact: Running the app on a jailbroken device can bypass security controls, allowing attackers to manipulate the app, access sensitive data, or disable key security features.

3. Insecure Code and Binary Protection: Lack of binary obfuscation or secure code signing makes it easier for attackers to decompile and understand the app's internal logic.

  • Potential Impact: Attackers can modify the app's behavior, such as bypassing payment systems, altering functionality, or exploiting vulnerabilities in the code.

4. Insufficient Cryptography: Weak or improperly implemented cryptographic algorithms (e.g., hardcoded keys, weak encryption) leave sensitive data vulnerable to decryption.

  • Potential Impact: Attackers can decrypt sensitive data such as passwords or personal information, leading to data breaches or unauthorized access.

5. Insecure Application Logs: Logging sensitive information such as API responses or user data in the app's logs can expose it to attackers with access to the device or the app's logs.

  • Potential Impact: Attackers can extract sensitive information from logs, leading to account compromise or privacy violations.

6. Improper Certificate Pinning: Failure to implement certificate pinning leaves the app vulnerable to MitM attacks, where an attacker can intercept and manipulate data between the app and its server.

  • Potential Impact: Compromised communication allows attackers to steal sensitive information, manipulate transactions, or inject malicious data.

7. Insufficient TouchID/FaceID Protection: Inadequate implementation of biometric authentication can lead to unauthorized access if the biometric checks are bypassed or incorrectly verified.

  • Potential Impact: Attackers could bypass biometric authentication, gaining unauthorized access to sensitive app functions or user accounts.

8. Insecure Use of WebViews: WebViews embedded in the app can expose the app to client-side attacks like cross-site scripting (XSS) or insecure browser-based interactions.

  • Potential Impact: Attackers can execute malicious scripts or hijack sensitive user data through insecure WebView configurations.

9. Hardcoded Sensitive Data: Sensitive information, such as API keys, encryption keys, or tokens, may be hardcoded in the app's source code, which can be extracted through reverse engineering.

  • Potential Impact: Attackers can extract hardcoded secrets from the app's binary, gaining access to backend services, sensitive user data, or performing unauthorized operations.

10. Insecure Debugging Information: Debugging features left enabled in production builds may expose detailed system information, such as file paths, database queries, or application logic, which attackers can exploit.

  • Potential Impact: Attackers can exploit exposed debugging data to better understand the app's architecture, identify weaknesses, and develop targeted attacks against the system.

11. Insecure Clipboard Handling: Sensitive data copied to the clipboard (e.g., passwords, tokens) can be accessed by other apps on the device, leading to data leakage.

  • Potential Impact: Attackers or malicious apps on the device can access clipboard data and extract sensitive information like authentication tokens, compromising accounts and user privacy.

Executive Summary

During the security assessment, several vulnerabilities were identified with varying severity levels, primarily related to mobile application security. Notably, a Medium-risk vulnerability:

  • SSL Pinning Bypass (F-2025-9082) was identified, potentially exposing sensitive data to man-in-the-middle (MITM) attacks.

Additionally, the assessment revealed three Low-risk issues:

  • Password reuse allowed during password reset flow (F-2025-9102), increasing the risk of compromised accounts.

  • Lack of Jailbreak Detection Mechanism (F-2025-9048), which leaves the application vulnerable to execution in insecure environments.

Overall, addressing these vulnerabilities will significantly enhance the application's resilience and user data protection.
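As an added illustration of the control behind finding F-2025-9082 (not code from MEXC or from the report), the Swift delegate below performs ordinary TLS chain validation and then additionally requires that some certificate in the server chain carry a pinned public key. It assumes iOS 15 or later (for SecTrustCopyCertificateChain); the pin strings in the usage lines are constructed placeholders, and the pin format is defined by the helper itself (SHA-256 of the key bytes as exported by the Security framework), so pins must be generated with the same helper.

```swift
import CryptoKit
import Foundation
import Security

/// URLSession delegate that completes the TLS handshake only when, after normal
/// chain validation, at least one certificate in the server chain has a public
/// key whose SHA-256 digest is in the pinned set.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    private let pinnedKeyHashes: Set<String>

    init(pinnedKeyHashes: Set<String>) {
        self.pinnedKeyHashes = pinnedKeyHashes
    }

    /// Base64 SHA-256 of the key bytes returned by SecKeyCopyExternalRepresentation.
    /// Run the same function offline against your certificates to produce pins.
    /// Note: this hashes the raw key, not the full SPKI DER that openssl-style
    /// pins hash, so the two pin formats are not interchangeable.
    static func pinHash(for certificate: SecCertificate) -> String? {
        guard let key = SecCertificateCopyKey(certificate),
              let keyData = SecKeyCopyExternalRepresentation(key, nil) as Data? else {
            return nil
        }
        return Data(SHA256.hash(data: keyData)).base64EncodedString()
    }

    /// True if any certificate in the evaluated chain matches a pin. Checking the
    /// whole chain lets you pin an intermediate instead of a frequently rotated leaf.
    func chainMatchesPin(_ trust: SecTrust) -> Bool {
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate] else {
            return false
        }
        return chain.contains { cert in
            guard let hash = Self.pinHash(for: cert) else { return false }
            return pinnedKeyHashes.contains(hash)
        }
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // 1. Standard validation: hostname, validity period, chain to a trusted root.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // 2. Pin check: a validly chained certificate is still rejected if no
        //    pinned key is present, which is what defeats an interposed CA.
        guard chainMatchesPin(trust) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Usage. Hashes are placeholders; ship a backup pin so key rotation cannot lock
// users out, and keep pinning out of debug builds that need a proxy.
let pinnedDelegate = PinnedSessionDelegate(pinnedKeyHashes: [
    "PLACEHOLDER_PRIMARY_PIN_BASE64=",
    "PLACEHOLDER_BACKUP_PIN_BASE64=",
])
let pinnedSession = URLSession(configuration: .ephemeral,
                               delegate: pinnedDelegate,
                               delegateQueue: nil)
```

Step 1 is kept deliberately: pinning alone says nothing about hostname or expiry, and skipping system evaluation is a common way pinning code becomes weaker than no pinning. A delegate like this can still be neutralised by runtime hooking on a jailbroken device, which is why the findings table pairs the pinning issue with the jailbreak-detection and anti-hook/anti-debug items rather than treating any one of them as sufficient.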

System Overview

Founded in 2018, MEXC is a cryptocurrency exchange recognized for its high-performance and mega transaction matching technology. The platform's trading system employs a multi-layered and multi-cluster architecture, enabling it to process up to 1.4 million transactions per second, ensuring efficiency and stability. MEXC's team comprises early movers and pioneers in financial and blockchain technology. Currently, MEXC serves over 10 million users across more than 170 countries and regions worldwide, aiming to be the preferred platform for both new traders and experienced investors.

Key Features of the MEXC Mobile App:

Extensive Cryptocurrency Support: The app provides access to over 3,000 listed trading pairs, allowing users to explore a vast array of investment opportunities.

User-Friendly Interface: Designed with both beginners and experienced traders in mind, the app features an intuitive layout that simplifies navigation and trading operations.

Advanced Trading Tools: Users can utilize various technical indicators and charting tools to analyze market trends and make informed trading decisions directly from their mobile devices.

Real-Time Market Data: Stay updated with live price movements, order book details, and trade histories to ensure timely and strategic trading actions.

Secure Transactions: The app incorporates robust security measures, including two-factor authentication (2FA), to protect user accounts and assets.

Flexible Deposit and Withdrawal Options: Users can easily deposit and withdraw funds through various payment methods, including Visa, Mastercard, bank transfers, Apple Pay, Google Pay, and cryptocurrency transfers.

Findings

Code         Title                                               Status    Severity
F-2025-9082  SSL Pinning Bypass                                  fixed     Low
F-2025-9048  Lack of Jailbreak Detection Mechanism               fixed     Low
F-2025-9144  User Information Stored in Application Memory       accepted  Observation
F-2025-9141  Lack of Anti-Hook and Anti-Debug Mechanism          fixed     Observation
F-2025-9102  Password Reuse Allowed During Password Reset Flow   fixed     Observation

1-5 of 5 findings

Appendix 1. Severity Definitions

Severity / Description

Critical: These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm.

High: These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of the potential security breach.

Medium: These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention.

Low: These issues present no risk to the system and typically relate to the code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation.

Appendix 2. Scope

The scope of the project includes the following:

Review Scope

TestFlight: https://testflight.apple.com/join/A5bcAXS2
Version/Build: 6.1.0/4

Assets in Scope

iOS - iOS

Disclaimer