
Audit name:

[PT] Pionex | Android | Oct2024

Date:

Nov 11, 2024

Table of Contents

Introduction
Audit Summary
System Overview
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer


Introduction

We express our gratitude to the Pionex team for the collaborative engagement that enabled the execution of this dApp Security Assessment.

Pionex is a currently available crypto trading bot that trades automatically 24/7 in the cloud.

Document

Name: Android Penetration Test Security Analysis Report for Pionex
Audited By: Bogdan Bodisteanu
Approved By: Stephen Ajayi
Website: https://pionex.com
Changelog: 14/10/2024 - Preliminary Report, 18/10/2024 - Final Report, 11/11/2024 - Remediation Report
Platform: Android
Methodology: https://hackenio.cc/dApp_methodology

Review Scope

Android Application: https://download.pionex.com/


Audit Summary

9 Total Findings
4 Resolved
5 Accepted
0 Mitigated

The system users should acknowledge all the risks summed up in the risks section of the report.

Executive Summary

The conclusions from the security evaluation carried out on the Android application are presented in this executive summary. The purpose of the testing was to find potential weaknesses and assess how well the application has security mechanisms in place to defend itself against several penetration testing techniques, such as tampering, dynamic analysis, reverse engineering and leakage of sensitive information.

From our evaluation, we found that the Android application is secure and well protected against different kinds of attacks.

Scope of testing

The security audit for the Android application focused on evaluating key areas such as:

  • Resistance Against SSL Pinning Bypass

  • Code Obfuscation and Leakage of Sensitive Information

  • Network Communication Security

  • Dynamic Analysis and Debugging Protections

  • Local Data Storage Security

Methodology

The evaluation covered both static and dynamic analysis methods. Static analysis looked for possible security flaws or vulnerabilities by analyzing the APK file and all of its components, including manifest files and libraries, while dynamic analysis observed the application's behavior at runtime, particularly in response to tampering or debugging attempts.

Key Findings

Resistance Against SSL Pinning Bypass

Our evaluation indicated that the application was adequately safeguarded against techniques that could circumvent SSL pinning and intercept the communication between the application and the server. Because of these safeguards, a malicious actor would not be able to intercept the communications. We attempted to get around the security measures by altering the code and recompiling the APK, but the security measures were strong enough to detect the modifications.

Code Obfuscation and Leakage of Sensitive Information

To look for sensitive information in the code, we decompiled the APK and examined the obfuscated code both manually and with automated tools, in order to assess whether the application leaks any sensitive information in its code. A few API keys were initially identified as leaking in the code, but upon further evaluation those keys were deemed to be false positives. At the end of our code evaluation, we concluded that the app employed secure techniques and that no sensitive keys or information was leaked at any point.

Network Communication Security

The security of network communications was assessed to ensure that sensitive data is transmitted securely. The application uses HTTPS to encrypt communications between the client and the server and all the algorithms being used were safe and secure.

Dynamic Analysis and Debugging Protections

The application was tested for its ability to detect and mitigate dynamic analysis and debugging attempts. The results indicate that the application was resistant to most dynamic analysis, which is a positive result; consequently, most of the analysis we performed in this step was static. We used several static analysis tools, which produced reports on the security status of the app, and we manually verified every flaw present in those reports. During the static analysis we took a detailed look at the AndroidManifest file.
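As an added illustration of the manifest review described above (this is not code from the report or from Pionex), the following script checks an AndroidManifest.xml for the class of issue the Findings table lists as Insecure Activity Component Exposure: components exported without a guarding permission, plus the debuggable and allowBackup flags. The manifest, package name and component names are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (hypothetical package, not Pionex's): one activity is
# exported with no permission, one is permission-gated, one is not exported, and a
# service has an intent-filter but no explicit android:exported attribute.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.wallet">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <activity android:name=".AdminActivity" android:exported="true" android:permission="com.example.wallet.ADMIN"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.SYNC"/></intent-filter>
    </service>
  </application>
</manifest>"""

def attr(el, name):
    return el.get("{%s}%s" % (ANDROID_NS, name))  # attributes live in the android: namespace

def is_exported(el):
    # Pre-API-31 default: a component with an intent-filter is exported unless set explicitly.
    val = attr(el, "exported")
    return val == "true" if val is not None else el.find("intent-filter") is not None

def is_launcher(el):
    return any(attr(c, "name") == "android.intent.category.LAUNCHER"
               for f in el.findall("intent-filter") for c in f.findall("category"))

def audit_manifest(xml_text):
    """Return (component, issue) pairs a reviewer would flag during static analysis."""
    app = ET.fromstring(xml_text).find("application")
    issues = [("application", flag) for flag in ("debuggable", "allowBackup")
              if attr(app, flag) == "true"]
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            # The launcher activity must be exported; any other reachable component should be permission-gated.
            if is_exported(comp) and not is_launcher(comp) and attr(comp, "permission") is None:
                issues.append((attr(comp, "name"), "exported without permission"))
    return issues

print(audit_manifest(SAMPLE_MANIFEST))  # four findings on the constructed manifest
```

Running the script against a real APK's decoded manifest gives the same list of candidate issues the report describes verifying manually, with the launcher activity excluded because it must be exported.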

Local Data Storage Security

The assessment reviewed how the application handles sensitive data stored locally on the device and which encryption mechanisms are used. Besides this, we also verified whether other applications would have access to the data stored by the OKX Android application. With this assessment, we found no flaw in the data storage mechanism.

Conclusion

The Android application's security review shows that security controls are implemented well in a number of important areas. The application effectively makes use of secure network connections, demonstrates robust resistance to SSL pinning bypass approaches, and guarantees that no sensitive data is exposed through code or local data storage. The application's impressive defenses against debugging and dynamic analysis attempts further strengthen its security posture.

Even though the evaluation did not find any noteworthy vulnerabilities, it is still important to remain vigilant because mobile security is a constantly changing field. Regular upgrades and continuous testing will keep the application safe from new threats. Overall, the results highlight the application's trustworthiness by confirming that it is well equipped to shield its users' data from a variety of potential threats.

System Overview

Pionex is a cryptocurrency exchange that offers a range of trading features and tools, primarily known for its automated trading bots.

Findings

Code | Title | Status | Severity
F-2024-6476 | Sensitive Data Exposure in Background Activity | fixed | Medium
F-2024-6419 | Exposed Hardcoded Google, Firebase API Keys | accepted | Medium
F-2024-6418 | SSL Pinning Bypass | accepted | Medium
F-2024-6495 | Sensitive Phone Number Exposure via Logcat Logging | fixed | Low
F-2024-6475 | Application Can Run on Emulator/Rooted Devices | accepted | Low
F-2024-6474 | Sensitive Data Exposure via Retained Input Fields on App Backgrounding | fixed | Low
F-2024-6421 | Insecure Clipboard Data Handling | fixed | Low
F-2024-6420 | Unauthorized Exposure of Sensitive Application Data via TestFlight Links | accepted | Low
F-2024-6467 | Insecure Activity Component Exposure | accepted | Observation


Appendix 1. Severity Definitions

Severity

Description

Critical
These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm.

High
These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of the potential security breach.

Medium
These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention.

Low
These issues present no risk to the system and typically relate to the code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation.

Appendix 2. Scope

Scope Details

Android Application: https://download.pionex.com/

Assets in Scope

Android - Android

Disclaimer