Introduction
We express our gratitude to the Ourbit team for the collaborative engagement that enabled the execution of this Pentest.
Ourbit for iOS ("Ourbit: Buy Bitcoin & Crypto") is the exchange’s official mobile app for buying, selling, and managing digital assets in a centralized trading environment. It focuses on a simple, user-friendly experience while giving access to core exchange features - spot markets today, with the broader Ourbit platform highlighting futures, frequent listings, and a “one-stop” approach to crypto trading.
| Document | |
|---|---|
| Name | Pentest and Security Analysis Report for Ourbit |
| Audited By | |
| Approved By | |
| Website | https://www.ourbit.com/ |
| Changelog | 11/09/2025 - Preliminary Report |
| Changelog | 25/09/2025 - Final Report |
| Platform | iOS |
| Language | Swift |
| Tags | Mobile Application |
| Methodology | https://hackenio.cc/pentest_methodology |
| Review Scope | |
|---|---|
| AppStore | https://apps.apple.com/us/app/ourbit-buy-bitcoin-crypto/id6483944320 |
| Version | 1.12.0 |
Audit Summary
Users of the system should acknowledge all the risks summarised in the findings section of this report.
System Overview
Ourbit for iOS is the mobile frontend to the Ourbit exchange, built to make account access and trading fast on the go. The app streamlines signup and signin with passkeys and Face ID, surfaces live market data and charts, and keeps the user's portfolio, watchlists, and price alerts close at hand, including Lock Screen updates via Live Activities. Push notifications keep users informed, while localization and a clean UI reduce exchange-level complexity.
Inside the app, the primary flows centre on getting users trading quickly and safely: creating or importing an account, securing it with biometrics, depositing crypto via address/QR workflows, and executing spot buy/sell orders for popular assets.
Findings
| Code | Title | Status | Severity |
|---|---|---|---|
| F-2025-1280 | Bypassable jailbreak detection | Fixed | Low |
| F-2025-1281 | Missing Certificate Pinning | Accepted | Observation |
| F-2025-1280 | Insecure network configuration via NSAllowsArbitraryLoads (ATS Disabled) | Accepted | Observation |
| F-2025-1280 | Dart Observatory exposed in production via NSBonjourServices | Accepted | Observation |
| F-2025-1280 | Debug Information Present in Release Build | Accepted | Observation |
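Two of the observations above (ATS disabled through NSAllowsArbitraryLoads, and the Dart Observatory advertised through NSBonjourServices) are plain Info.plist misconfigurations and can be confirmed from the bundle without running the app. The following Python check is an added example written for this page; it is not code from the Ourbit app or from the audit. The Info.plist documents it parses are constructed to show the weak settings beside a hardened variant, the IPA layout it reads is the standard Payload/*.app/Info.plist, and the Bonjour service types it flags are the names Flutter registers for its VM service (assumed here, not taken from the report).

```python
import plistlib
import zipfile
from io import BytesIO

# Constructed sample Info.plist (not from the Ourbit bundle) showing the weak
# settings from the findings table: ATS disabled for every host, an insecure
# per-domain exception, and the Dart VM service advertised over Bonjour.
WEAK_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.sample</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    </dict>
  </dict>
  <key>NSBonjourServices</key>
  <array><string>_dartobservatory._tcp</string></array>
</dict>
</plist>
"""

# Same constructed bundle with ATS left enabled and no Bonjour advertisement.
HARDENED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.sample</string>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><false/></dict>
</dict>
</plist>
"""

# Bonjour service types Flutter registers for its VM service (the older
# "Observatory" name and the current one); compared case-insensitively.
DART_VM_SERVICES = {"_dartobservatory._tcp", "_dartvmservice._tcp"}


def audit_info_plist(data: bytes) -> list[str]:
    """Return findings for the ATS and Bonjour keys of one Info.plist (XML or binary)."""
    info = plistlib.loads(data)
    findings = []

    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled, plaintext HTTP allowed to any host")
    if ats.get("NSAllowsArbitraryLoadsInWebContent") is True:
        findings.append("NSAllowsArbitraryLoadsInWebContent=true: ATS disabled inside web views")
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"NSExceptionDomains/{domain}: insecure HTTP loads allowed")

    for svc in info.get("NSBonjourServices", []):
        if svc.lower() in DART_VM_SERVICES:
            findings.append(f"NSBonjourServices advertises {svc}: Dart VM service discoverable on the local network")

    return findings


def audit_ipa(ipa) -> dict[str, list[str]]:
    """Audit every Payload/<App>.app/Info.plist inside an IPA (path or file-like object)."""
    results = {}
    with zipfile.ZipFile(ipa) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if (len(parts) == 3 and parts[0] == "Payload"
                    and parts[1].endswith(".app") and parts[2] == "Info.plist"):
                results[name] = audit_info_plist(zf.read(name))
    return results


def build_sample_ipa(plist: bytes) -> BytesIO:
    """Pack a plist into a minimal in-memory IPA so audit_ipa can be exercised offline."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Sample.app/Info.plist", plist)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for label, plist in (("weak", WEAK_INFO_PLIST), ("hardened", HARDENED_INFO_PLIST)):
        print(label)
        for line in audit_ipa(build_sample_ipa(plist)).get("Payload/Sample.app/Info.plist", []):
            print("  -", line)
```

Against a real bundle, call `audit_ipa("App.ipa")` on the downloaded package; a release build should come back with an empty list for every Info.plist, and any NSBonjourServices entry at all deserves a look, since production apps rarely need to advertise a service on the local network.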
Appendix 1. Severity Definitions
| Severity | Description |
|---|---|
| Critical | These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm. |
| High | These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of a potential security breach. |
| Medium | These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention. |
| Low | These issues present no risk to the system and typically relate to code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation. |
Appendix 2. Scope
The scope of the project includes the following:
| Scope Details | |
|---|---|
| AppStore | https://apps.apple.com/us/app/ourbit-buy-bitcoin-crypto/id6483944320 |
| Version | 1.12.0 |