Hacken
Audits
toobit
[PT] Toobit | Android | Apr2025

Toobit

Audit name:

[PT] Toobit | Android | Apr2025

Date:

Jun 20, 2025

Table of Content

→Introduction

→Audit Summary

→System Overview

→Findings

→Appendix 1. Severity Definitions

→Appendix 2. Scope

→Disclaimer

Want a comprehensive audit report like this?

Introduction

We express our gratitude to the Toobit team for the collaborative engagement that enabled the execution of this Pentest.

Toobit is a cryptocurrency exchange platform that enables users to buy, sell, and trade a wide range of digital assets. It provides mobile and web interfaces for real-time trading, asset management, and wallet services. The system is designed to support high-throughput order execution, secure asset custody, and user account protection.

Document
Name	Pentest and Security Analysis Report for Toobit
Audited By	Faizan Nehal
Approved By	Stephen Ajayi
Website	https://www.toobit.com/en-US→
Changelog	21/05/2025 - Preliminary Report
Changelog	20/06/2025 - Final Report
Platform	Android
Language	Java
Methodology	https://hackenio.cc/pentest_methodology→

Document
Name
Pentest and Security Analysis Report for Toobit
Audited By
Faizan Nehal
Approved By
Stephen Ajayi
Website
https://www.toobit.com/en-US→
Changelog
21/05/2025 - Preliminary Report
Changelog
20/06/2025 - Final Report
Platform
Android
Language
Java
Methodology
https://hackenio.cc/pentest_methodology→

Review Scope
Android App	https://play.google.com/store/apps/details?id=com.planet.toobit&hl=en→
Version	1.9.4

Review Scope
Android App
https://play.google.com/store/apps/details?id=com.planet.toobit&hl=en→
Version
1.9.4

Protect your dApp with insights like these.

Audit Summary

6Total Findings

5Resolved

1Accepted

0Mitigated

1medium

5low

The system users should acknowledge all the risks summed up in the risks section of the report

System Overview

The Toobit Android application serves as the official mobile interface for the Toobit cryptocurrency exchange. It provides users with a secure and responsive platform to interact with their exchange accounts, perform real-time trading, manage digital assets, and access a variety of financial tools and services.

The app is developed using a hybrid architecture, primarily built on React Native, with native Android components for performance-critical modules such as WebView rendering and third-party SDK integration. It interfaces with Toobit’s backend APIs over HTTPS, supporting encrypted communication for all user and transaction data.

The application communicates with Toobit’s centralized backend, which handles core exchange logic, account services, asset storage, and transaction processing. The backend enforces access control, rate limiting, and session management to maintain platform integrity.

Findings

Code ―	Title	Status	Severity
F-2025-1050	Bypass Insecure Root Detection Mechanism	fixed	Medium
F-2025-1051	WebView Debugging Enabled in Release Build	fixed	Low
F-2025-1051	Cleartext Traffic Enabled for the Application	fixed	Low
F-2025-1050	App Allows Installation on Outdated Android Versions	accepted	Low
F-2025-1050	Exported Components with No Protection	fixed	Low
F-2025-1050	Lack of Code Obfuscation	fixed	Low

1-6 of 6 findings

Uncover findings like these to secure your project.

Appendix 1. Severity Definitions

Severity	Description
Critical	These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm.
High	These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of the potential security breach.
Medium	These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention.
Low	These issues present no risk to the system and typically relate to the code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation.

Severity
Critical
Description
These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm.
Severity
High
Description
These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of the potential security breach.
Severity
Medium
Description
These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention.
Severity
Low
Description
These issues present no risk to the system and typically relate to the code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation.

Appendix 2. Scope

The scope of the project includes the following:

Scope Details
Android Application	https://play.google.com/store/apps/details?id=com.planet.toobit&hl=en→
Version	1.9.4

Scope Details
Android Application
https://play.google.com/store/apps/details?id=com.planet.toobit&hl=en→
Version
1.9.4

Disclaimer

Hacken Disclaimer

Technical Disclaimer