Prepared by:
HALBORN
Last Updated 11/14/2025
Date of Engagement: December 30th, 2024 - January 22nd, 2025
100% of all REPORTED Findings have been addressed
All findings
35
Critical
0
High
3
Medium
15
Low
17
Informational
0
InFlux Technologies engaged Halborn to conduct a security assessment of their applications. The security assessment was scoped to their browser extension, their respective underlying API, and mobile applications (Android and iOS). Halborn was provided access to the application and its respective source code to conduct security testing using tools to scan, detect, and validate possible vulnerabilities found in the application and report the findings at the end of the engagement.
The team at Halborn was provided a timeline for the engagement and assigned a full-time security engineer to verify the security of the assets in scope. The security engineer is a penetration testing expert with advanced knowledge in web, mobile, recon, discovery & infrastructure penetration testing.
The security assessment identified several vulnerabilities across the application ecosystem, affecting extension, backend, API, and mobile platforms. High-risk issues include the exposure of sensitive mnemonic phrases in memory and insecure storage of PINs on iOS, which could lead to unauthorized access and compromise user accounts. Hardcoded secrets found in public repositories further heighten the risk of exploitation. Medium-risk findings included biometric authentication bypass on Android and iOS, insecure trust in device-level biometrics, and the potential exposure of sensitive data due to insecure clipboard usage. Vulnerable third-party dependencies and lack of rate limitation on critical API endpoints were also observed, which could result in denial-of-service attacks or sensitive data leaks.
Other significant issues included weak password policies, unrestricted Content-Security-Policy configurations, and the use of insecure accessibility attributes in iOS keychain storage. The insecure handling of third-party iframes and risks associated with overlay attacks on Android were noted as medium to low risk but require attention to ensure robust protection against phishing and impersonation. Lower-severity issues, such as the support for outdated TLS versions, cacheable HTTPS responses, verbose logging, and lack of anti-tampering and anti-hooking mechanisms, were also documented. While these may not pose an immediate threat, addressing them will enhance the overall security posture. Mitigating these vulnerabilities will improve the overall security posture of the applications.
The InFlux Technologies team addressed most of the identified issues, with one partially resolved, some marked as risk accepted, and others scheduled for resolution in future builds of the application.
Halborn followed Whitebox and Blackbox methodology as per the scope and performed a combination of manual and automated security testing with both to balance efficiency, timeliness, practicality, and accuracy regarding the scope of the pentest. While manual testing is recommended to uncover flaws in logic, process and implementation; automated testing techniques assist enhance coverage of the infrastructure and can quickly identify flaws in it. The assessment methodology covered included but was not limited to a range of phases and employed various tools.
Mapping Content and Functionality of Applications
Application Logic Flaw
Reverse Engineering the applications
Access Handling
Authentication/Authorization Flaw
Transaction Flow
Rate Limitations Test
Input Handling
Source Code Review
Mobile Specific Vulnerabilities
Fuzzing of all input parameter
URL/API:
https://relay.ssp.runonflux.io/
Binaries:
Android APK: Version 1.5.1
iOS IPA: Version 1.5.1 Build 92
Browser Extension: v1.8.4
Critical
0
High
3
Medium
15
Low
17
Informational
0
| Security analysis | Risk level | Remediation Date |
|---|---|---|
| HAL-26 - BE - MNEMONIC PHRASE EXPOSURE IN MEMORY | High | Solved - 02/13/2025 |
| HAL-04 - iOS - INSECURE STORAGE OF PIN | High | Solved - 02/18/2025 |
| HAL-29 - HARCODED SECRETS IN GIT HISTORY | High | Solved - 01/28/2025 |
| HAL-17 - iOS - BIOMETRIC AUTHENTICATION BYPASS | Medium | Solved - 02/16/2025 |
| HAL-18 - ANDROID - FINGERPRINT AUTHENTICATION BYPASS | Medium | Solved - 02/16/2025 |
| HAL-31 - iOS - ALLOWING SENSITIVE DATA TO BE COPIED TO CLIPBOARD | Medium | Solved - 02/16/2025 |
| HAL-07 - ANDROID - INSECURE TRUST OF DEVICE-LEVEL BIOMETRIC AUTHENTICATION | Medium | Solved - 02/16/2025 |
| HAL-08 - iOS - INSECURE TRUST OF DEVICE-LEVEL BIOMETRIC AUTHENTICATION | Medium | Solved - 02/12/2025 |
| HAL-01 - VULNERABLE THIRD-PARTY DEPENDENCIES | Medium | Solved - 02/24/2025 |
| HAL-23 - API - LACK OF RATE LIMITATION ON SSP RELAY ENDPOINTS | Medium | Solved - 01/28/2025 |
| HAL-27 - API - LACK OF DATA SANITIZATION AND VALIDATION OF LIMITS | Medium | Solved - 01/28/2025 |
| HAL-05 - iOS - INSECURE ACCESSIBILITY ATTRIBUTES IN KEYCHAIN STORAGE | Medium | Solved - 02/18/2025 |
| HAL-22 - BE - POTENTIAL RISK OF SENSITIVE DATA EXPOSURE THROUGH CLIPBOARD | Medium | Solved - 02/13/2025 |
| HAL-10 - MOBILE - WEAK PASSWORD POLICY | Medium | Solved - 02/13/2025 |
| HAL-33 - ANDROID - EXPOSURE OF SENSITIVE DATA THROUGH CLIPBOARD | Medium | Solved - 02/16/2025 |
| HAL-03 - BE - UNRESTRICTIVE CONTENT-SECURITY-POLICY (CSP) | Medium | Solved - 01/29/2025 |
| HAL-25 - BE - POTENTIAL RISK DUE TO THIRD-PARTY IFRAME | Medium | Solved - 01/14/2025 |
| HAL-32 - ANDROID - RISK OF OVERLAY ATTACK | Medium | Partially Solved - 02/24/2025 |
| HAL-30 - API - OUTDATED VERSIONS OF TLS SUPPORTED | Low | Solved - 01/28/2025 |
| HAL-14 - API - CACHEABLE HTTPS RESPONSE | Low | Solved - 01/28/2025 |
| HAL-15 - iOS - LACK OF JAILBREAK DETECTION MECHANISM | Low | Solved - 02/18/2025 |
| HAL-16 - ANDROID - LACK OF ROOT DETECTION MECHANISM | Low | Solved - 02/18/2025 |
| HAL-02 - BE - DEPENDENCIES SHOULD BE PINNED TO EXACT VERSIONS | Low | Solved - 01/30/2025 |
| HAL-12 - iOS - CERTIFICATE PINNING BYPASS | Low | Future Release - 02/20/2025 |
| HAL-13 - ANDROID - CERTIFICATE PINNING BYPASS | Low | Future Release - 02/20/2025 |
| HAL-35 - IOS - LACK OF ANTI-TAMPERING AND ANTI-HOOKING MECHANISMS | Low | Future Release - 02/20/2025 |
| HAL-34 - ANDROID - LACK OF ANTI-TAMPERING AND ANTI-HOOKING MECHANISMS | Low | Future Release - 02/20/2025 |
| HAL-28 - BE - VERBOSE LOGGING IN EXTENSION | Low | Solved - 01/30/2025 |
| HAL-06 - BE - LACK OF PASSWORD COMPLEXITY AND PASSWORD POLICY | Low | Solved - 01/30/2025 |
| HAL-09 - iOS - PERSISTENT KEYCHAIN DATA | Low | Solved - 02/24/2025 |
| HAL-11 - iOS - BACKGROUND SCREEN CACHING | Low | Solved - 02/18/2025 |
| HAL-19 - ANDROID - BACKGROUND SCREEN CACHING | Low | Solved - 02/16/2025 |
| HAL-24 - ANDROID - TRANSACTION DATA EXPOSED IN LOGS | Low | Solved - 02/16/2025 |
| HAL-21 - iOS - APPLICATION ALLOWS SCREENSHOTS | Low | Future Release - 02/18/2025 |
| HAL-20 - ANDROID - APPLICATION ALLOWS SCREENSHOTS | Low | Solved - 02/16/2025 |
//High
//High
//High
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Low
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
// Download the full report
InFlux - SSP Wallet, Relay and Key - WebApp Pentest
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed
