
Audit name:

[PT] Trustee | iOS | Feb2025

Date:

Mar 4, 2025

Table of Contents

Introduction
Audit Summary
System Overview
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer


Introduction

We express our gratitude to the Trustee Plus team for the collaborative engagement that enabled the execution of this Pentest.

Trustee Global is a company specializing in consulting services, with a notable focus on cryptocurrency solutions. One of Trustee Global's flagship products is the Trustee Plus mobile application. This app offers users a comprehensive digital finance platform, enabling the buying, selling, and swapping of cryptocurrencies.

Document

Name: Pentest and Security Analysis Report for Trustee Plus
Audited By: Stephen Ajayi
Approved By: Stephen Ajayi
Website: https://trusteeglobal.com/
Changelog: 24/02/2025 - Preliminary Report
Changelog: 04/03/2025 - Retest Report
Platform: iOS
Tags: iOS, Pentest
Methodology: https://hackenio.cc/pentest_methodology


Audit Summary

Total Findings: 4
Resolved: 1
Accepted: 3
Mitigated: 0

The system's users should acknowledge all the risks summed up in the risks section of the report.

System Overview

The objective of this penetration testing project was to evaluate the security posture of the Trustee Plus iOS mobile application. Given the app's role in handling sensitive financial data and facilitating cryptocurrency transactions, ensuring its security is paramount.

Scope of Testing:

  • Data Storage Security: Assessing how the application stores sensitive information, ensuring that data at rest is encrypted and protected against unauthorized access.

  • Network Communication: Analyzing the security of data in transit between the app and backend servers, verifying the implementation of secure communication protocols.

  • Authentication and Authorization: Evaluating the robustness of user authentication mechanisms and ensuring proper authorization controls are in place to prevent unauthorized actions.

  • Client-Side Vulnerabilities: Identifying potential weaknesses within the app's code and configuration that could be exploited on the client side.

  • Third-Party Integrations: Reviewing the security implications of external libraries and services integrated into the application.

Methodology:

The testing approach combined both static and dynamic analysis techniques:

  • Static Analysis: Inspecting the codebase for hardcoded secrets, insecure configurations, and potential vulnerabilities.

  • Dynamic Analysis: Running the application in a controlled environment to monitor its behavior, intercept network communications, and identify runtime vulnerabilities.

Findings

Code | Title | Status | Severity
F-2025-8943 | Broken Authentication via Telegram OAuth2.0 – Mobile Number Spoofing Leading to Account Takeover | fixed | High
F-2025-8942 | SSL Pinning Bypass in Trustee Plus | accepted | Medium
F-2025-8944 | GraphQL Introspection Enabled in Production | accepted | Low
F-2025-8945 | Lack of Screenshot Protection | accepted | Observation


Appendix 1. Severity Definitions

Severity | Description

Critical: These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm.

High: These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of a potential security breach.

Medium: These issues present a moderate risk to the system and do not have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention.

Low: These issues present no risk to the system and typically relate to code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation.

Appendix 2. Scope

The scope of the project includes the following:

Disclaimer

Trustee Plus audit by Hacken