Hacken
Audits
voox
[PT] VOOX | iOS | Jan2025

VOOX

Audit name:

[PT] VOOX | iOS | Jan2025

Date:

Feb 4, 2025

Table of Content

→Introduction

→Audit Summary

→System Overview

→Findings

→Appendix 1. Severity Definitions

→Appendix 2. Scope

→Disclaimer

Want a comprehensive audit report like this?

Introduction

We express our gratitude to the VOOX team for the collaborative engagement that enabled the execution of this Pentest.

VOOX is a cryptocurrency exchange platform that leverages AI technology for trading operations. The platform provides mobile-first trading capabilities with real-time market data and AI-driven insights.

Document
Name	Pentest and Security Analysis Report for VOOX
Audited By	Ece Orsel
Approved By	Stephen Ajayi
Website	https://www.voox.com/→
Changelog	14/01/2025 - Preliminary Report
Changelog	04/02/2025 - Final Report
Language	Flutter
Tags	Pentest
Methodology	https://hackenio.cc/pentest_methodology→
Platform	iOS

Document
Name
Pentest and Security Analysis Report for VOOX
Audited By
Ece Orsel
Approved By
Stephen Ajayi
Website
https://www.voox.com/→
Changelog
14/01/2025 - Preliminary Report
Changelog
04/02/2025 - Final Report
Language
Flutter
Tags
Pentest
Methodology
https://hackenio.cc/pentest_methodology→
Platform
iOS

Review Scope
Mobile application	https://apps.apple.com/app/voox-buy-btc-and-trade-crypto/id6670600403→

Review Scope
Mobile application
https://apps.apple.com/app/voox-buy-btc-and-trade-crypto/id6670600403→

Protect your dApp with insights like these.

Audit Summary

9Total Findings

1Resolved

8Accepted

0Mitigated

1low

8observation

Findings overall

The system users should acknowledge all the risks summed up in the risks section of the report

System Overview

Core Components

Mobile Application

Native mobile apps for iOS and Android
Real-time trading interface
Local secure storage implementation
Biometric authentication support

Backend Services

Trading engine with AI analytics
User account management
Order matching system
Wallet management
Market data processing

Security Features

Two-factor authentication
KYC/AML integration
Anti-fraud monitoring
Real-time transaction monitoring

Communication

REST APIs over HTTPS
WebSocket for real-time data
Certificate pinning
API versioning

Data Storage

Secure local storage on mobile
Encrypted credentials
Market data caching
User account database
Transaction history

ThirdParty Integration

Payment processors
KYC providers
Market data feeds
Analytics services

Findings

Code ―	Title	Status	Severity
F-2025-8198	Sensitive Data Exposure in iOS Snapshots	fixed	Low
F-2025-8194	Information Exposure via iOS Clipboard	accepted	Observation
F-2025-8192	Lack of Anti-Hook and Anti-Debug Mechanism	accepted	Observation
F-2025-8191	Lack of Jailbreak Detection Mechanism	accepted	Observation
F-2025-8190	SSL Pinnig Bypass	accepted	Observation
F-2025-8136	HSTS Not Enforced	accepted	Observation
F-2025-8133	Invalidate 'Sign' after one use	accepted	Observation
F-2025-8132	No device validation for new devices login	accepted	Observation
F-2025-8142	Misconfigured Cache can lead to PII exposure via Web Cache Deception	accepted	Observation

1-9 of 9 findings

Uncover findings like these to secure your project.

Appendix 1. Severity Definitions

Severity	Description
Critical	These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm.
High	These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of the potential security breach.
Medium	These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention.
Low	These issues present no risk to the system and typically relate to the code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation.

Severity
Critical
Description
These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm.
Severity
High
Description
These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of the potential security breach.
Severity
Medium
Description
These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention.
Severity
Low
Description
These issues present no risk to the system and typically relate to the code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation.

Appendix 2. Scope

The scope of the project includes the following mobile application provided by the client:

Scope Details
Mobile application	https://apps.apple.com/app/voox-buy-btc-and-trade-crypto/id6670600403→

Scope Details
Mobile application
https://apps.apple.com/app/voox-buy-btc-and-trade-crypto/id6670600403→

Assets in Scope

iOS - iOS

Disclaimer

Hacken Disclaimer

Technical Disclaimer

Extractor by Hacken