Introduction
We express our gratitude to the Toobit team for the collaborative engagement that enabled the execution of this Mobile Pentest.
Document | |
---|---|
Name | Pentest and Security Analysis Report for Toobit |
Audited By | Ece Orsel |
Approved By | Stephen Ajayi |
Website | https://www.toobit.com/→ |
Changelog | 09/05/2025 - Preliminary Report |
Platform | iOS Mobile |
Language | Swift |
Methodology | https://hackenio.cc/pentest_methodology→ |
Review Scope | |
---|---|
App Store | https://apps.apple.com/us/app/toobit-buy-btc-eth-crypto/id1660882885→ |
Version | 1.9.4/194 |
Audit Summary
Users of the system should acknowledge all the risks summarized in the Findings section of this report.
System Overview
Toobit is a centralized cryptocurrency exchange established in 2022. It serves over 3 million users across more than 100 countries, offering a comprehensive suite of trading services, including spot trading, derivatives, copy trading, and automated trading bots.
The Toobit iOS mobile application integrates with the platform’s backend services to facilitate various trading operations. Key functionalities include:
- Spot Trading API: Enables users to perform spot trading operations, such as market data retrieval, account management, and order execution.
- USDT Swap Trading API: Allows users to trade perpetual contracts settled in USDT, offering similar features to the Spot Trading API but tailored for derivatives trading.
The application manages several critical asset categories:
- User Data: Personal information, account balances, and transaction history.
- Authentication Credentials: API keys, tokens, and secret keys used to access the APIs.
- Financial Transactions: Order placements, cancellations, and trade executions.
- Market Data: Real-time and historical price information.
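The credentials listed above are the assets at stake in the report's medium finding "Sensitive Information Stored in NSUserDefaults". The following Swift is an added illustration, not Toobit's code: it shows the weak pattern beside a Keychain-backed replacement and a one-time migration. The key name `apiToken` and the service string are assumptions chosen for the example.

```swift
import Foundation
import Security

// Illustrative only, not the audited app's code. The pattern the finding describes:
// UserDefaults is a plaintext plist under the app's Library/Preferences directory,
// readable from an unencrypted backup or a jailbroken device.
func storeTokenInsecurely(_ token: String) {
    UserDefaults.standard.set(token, forKey: "apiToken")   // key name is an assumption
}

enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
}

/// Hardened replacement: a generic-password Keychain item that is only readable
/// while the device is unlocked and is never migrated to another device via backup.
struct KeychainStore {
    let service: String   // typically the app's bundle identifier (assumed here)

    private func baseQuery(account: String) -> [String: Any] {
        return [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
    }

    func save(_ value: Data, account: String) throws {
        // Delete first so a re-login does not fail with errSecDuplicateItem.
        _ = SecItemDelete(baseQuery(account: account) as CFDictionary)

        var attributes = baseQuery(account: account)
        attributes[kSecValueData as String] = value
        attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(attributes as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    }

    func read(account: String) throws -> Data? {
        var query = baseQuery(account: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        if status == errSecItemNotFound { return nil }
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
        return item as? Data
    }

    func delete(account: String) throws {
        let status = SecItemDelete(baseQuery(account: account) as CFDictionary)
        guard status == errSecSuccess || status == errSecItemNotFound else {
            throw KeychainError.unexpectedStatus(status)
        }
    }
}

// One-time migration: move any token left in UserDefaults into the Keychain
// and remove the plaintext copy so old installs are cleaned up on update.
func migrateToken(store: KeychainStore) throws {
    let defaults = UserDefaults.standard
    if let legacy = defaults.string(forKey: "apiToken") {
        try store.save(Data(legacy.utf8), account: "apiToken")
        defaults.removeObject(forKey: "apiToken")
    }
}
```

The check a tester performs is the same before and after the fix: on a jailbroken device, read the app's preferences plist under its data container (Library/Preferences, named after the bundle identifier) with `plutil -p` and confirm that no API key, token or secret appears there. Note that `kSecAttrAccessibleWhenUnlockedThisDeviceOnly` also means the item is lost when the user restores to a new device, which is usually the desired behaviour for session tokens but should be a conscious choice.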
Findings
Code | Title | Status | Severity |
---|---|---|---|
F-2025-1020 | Sensitive Information Stored in NSUserDefaults | accepted | Medium |
F-2025-1020 | Insecure SSL Pinning Implementation in Flutter | accepted | Medium |
F-2025-1019 | Jailbreak Detection Bypass | accepted | Medium |
F-2025-1021 | Lack of Anti-Hook and Anti-Debug Mechanism | accepted | Low |
F-2025-1021 | Sensitive Data Exposure in iOS Snapshots | fixed | Low |
F-2025-1021 | Information Exposure via iOS Clipboard | accepted | Low |
F-2025-1021 | Third-Party Keyboards Are Allowed | accepted | Low |
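Three of the Low findings (background snapshots, clipboard exposure, third-party keyboards) are app-lifecycle and UIKit configuration issues that are addressed in the same few places. The Swift below is an added example written for this report, not the audited app's code; the class name, the 60-second clipboard lifetime and the blur style are assumptions.

```swift
import UIKit

// Illustrative only, not the audited app's code. Covers the three Low findings:
// background snapshots, clipboard exposure and third-party keyboards.
final class PrivacyAppDelegate: UIResponder, UIApplicationDelegate {
    var window: UIWindow?
    private var privacyCover: UIVisualEffectView?

    // Snapshot: iOS renders the key window into the app-switcher image when the
    // app resigns active, so cover balances and keys before that happens.
    // (Scene-based apps do the same in sceneWillResignActive/sceneDidBecomeActive.)
    func applicationWillResignActive(_ application: UIApplication) {
        guard let window = window, privacyCover == nil else { return }
        let cover = UIVisualEffectView(effect: UIBlurEffect(style: .regular))
        cover.frame = window.bounds
        cover.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        window.addSubview(cover)
        privacyCover = cover
    }

    func applicationDidBecomeActive(_ application: UIApplication) {
        privacyCover?.removeFromSuperview()
        privacyCover = nil
    }

    // Third-party keyboards: refusing the keyboard extension point keeps custom
    // keyboards, which can log keystrokes, out of every text field in the app.
    func application(_ application: UIApplication,
                     shouldAllowExtensionPointIdentifier id: UIApplication.ExtensionPointIdentifier) -> Bool {
        return id != .keyboard
    }
}

// Clipboard: anything on the general pasteboard is readable by the next
// foreground app and synced via Universal Clipboard. Keep secrets local to the
// device and let them expire instead of lingering indefinitely.
func copySensitive(_ value: String, lifetime: TimeInterval = 60) {
    UIPasteboard.general.setItems(
        [[UIPasteboard.typeAutomatic: value]],
        options: [.localOnly: true,
                  .expirationDate: Date().addingTimeInterval(lifetime)]
    )
}

// Field-level defence for secret entry: secure fields never receive a
// third-party keyboard, and disabling autocorrection keeps the value out of
// the system's text-prediction cache.
func configureSecretField(_ field: UITextField) {
    field.isSecureTextEntry = true
    field.textContentType = .password
    field.autocorrectionType = .no
}
```

To verify, background the app with a balance on screen and inspect the app-switcher thumbnail, copy a deposit address and read it back from another app after the lifetime has passed, and try to raise a third-party keyboard in any input field; all three should fail once the changes are in place.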
Appendix 1. Severity Definitions
Severity | Description |
---|---|
Critical | These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm. |
High | These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of the potential security breach. |
Medium | These issues present a moderate risk to the system and do not have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention. |
Low | These issues present minimal risk to the system and typically relate to code quality problems or general recommendations. They do not require immediate attention and should be viewed as minor recommendations. |
Appendix 2. Scope
The scope of the project includes the following:
Review Scope | |
---|---|
App Store | https://apps.apple.com/us/app/toobit-buy-btc-eth-crypto/id1660882885→ |
Version | 1.9.4/194 |