← Back to Audits

InFlux - SSP Wallet, Relay and Key - WebApp Pentest - InFlux Technologies

Prepared by:

Halborn Logo

HALBORN

Last Updated 11/14/2025

Date of Engagement: December 30th, 2024 - January 22nd, 2025

Summary

100% of all REPORTED Findings have been addressed

All findings

35

Critical

0

High

3

Medium

15

Low

17

Informational

0

Table of Contents

1. Introduction

InFlux Technologies engaged Halborn to conduct a security assessment of their applications. The security assessment was scoped to their browser extension, their respective underlying API, and mobile applications (Android and iOS). Halborn was provided access to the application and its respective source code to conduct security testing using tools to scan, detect, and validate possible vulnerabilities found in the application and report the findings at the end of the engagement.

2. Assessment Summary

The team at Halborn was provided a timeline for the engagement and assigned a full-time security engineer to verify the security of the assets in scope. The security engineer is a penetration testing expert with advanced knowledge in web, mobile, recon, discovery & infrastructure penetration testing.

The security assessment identified several vulnerabilities across the application ecosystem, affecting extension, backend, API, and mobile platforms. High-risk issues include the exposure of sensitive mnemonic phrases in memory and insecure storage of PINs on iOS, which could lead to unauthorized access and compromise user accounts. Hardcoded secrets found in public repositories further heighten the risk of exploitation. Medium-risk findings included biometric authentication bypass on Android and iOS, insecure trust in device-level biometrics, and the potential exposure of sensitive data due to insecure clipboard usage. Vulnerable third-party dependencies and lack of rate limitation on critical API endpoints were also observed, which could result in denial-of-service attacks or sensitive data leaks.

Other significant issues included weak password policies, unrestricted Content-Security-Policy configurations, and the use of insecure accessibility attributes in iOS keychain storage. The insecure handling of third-party iframes and risks associated with overlay attacks on Android were noted as medium to low risk but require attention to ensure robust protection against phishing and impersonation. Lower-severity issues, such as the support for outdated TLS versions, cacheable HTTPS responses, verbose logging, and lack of anti-tampering and anti-hooking mechanisms, were also documented. While these may not pose an immediate threat, addressing them will enhance the overall security posture. Mitigating these vulnerabilities will improve the overall security posture of the applications.

The InFlux Technologies team addressed most of the identified issues, with one partially resolved, some marked as risk accepted, and others scheduled for resolution in future builds of the application.

3. Test Approach and Methodology

Halborn followed Whitebox and Blackbox methodology as per the scope and performed a combination of manual and automated security testing with both to balance efficiency, timeliness, practicality, and accuracy regarding the scope of the pentest. While manual testing is recommended to uncover flaws in logic, process and implementation; automated testing techniques assist enhance coverage of the infrastructure and can quickly identify flaws in it. The assessment methodology covered included but was not limited to a range of phases and employed various tools.

    • Mapping Content and Functionality of Applications

    • Application Logic Flaw

    • Reverse Engineering the applications

    • Access Handling

    • Authentication/Authorization Flaw

    • Transaction Flow

    • Rate Limitations Test

    • Input Handling

    • Source Code Review

    • Mobile Specific Vulnerabilities

    • Fuzzing of all input parameter

4. Scope

URL/API:

https://relay.ssp.runonflux.io/

Binaries:

    • Android APK: Version 1.5.1

    • iOS IPA: Version 1.5.1 Build 92

    • Browser Extension: v1.8.4



5. RISK METHODOLOGY

Halborn assesses the severity of findings using either the Common Vulnerability Scoring System (CVSS) framework or the Impact/Likelihood Risk scale, depending on the engagement. CVSS is an industry standard framework for communicating characteristics and severity of vulnerabilities in software. Details can be found in the CVSS Specification Document published by F.I.R.S.T.
Vulnerabilities or issues observed by Halborn scored on the Impact/Likelihood Risk scale are measured by the LIKELIHOOD of a security incident and the IMPACT should an incident occur. This framework works for communicating the characteristics and impacts of technology vulnerabilities. The quantitative model ensures repeatable and accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the Risk scores. For every vulnerability, a risk level will be calculated on a scale of 5 to 1 with 5 being the highest likelihood or impact.
RISK SCALE - LIKELIHOOD
  • 5 - Almost certain an incident will occur.
  • 4 - High probability of an incident occurring.
  • 3 - Potential of a security incident in the long term.
  • 2 - Low probability of an incident occurring.
  • 1 - Very unlikely issue will cause an incident.
RISK SCALE - IMPACT
  • 5 - May cause devastating and unrecoverable impact or loss.
  • 4 - May cause a significant level of impact or loss.
  • 3 - May cause a partial impact or loss to many.
  • 2 - May cause temporary impact or loss.
  • 1 - May cause minimal or un-noticeable impact.
The risk level is then calculated using a sum of these two values, creating a value of 10 to 1 with 10 being the highest level of security risk.
Critical
High
Medium
Low
Informational
  • 10 - CRITICAL
  • 9 - 8 - HIGH
  • 7 - 6 - MEDIUM
  • 5 - 4 - LOW
  • 3 - 1 - VERY LOW AND INFORMATIONAL

6. SCOPE

REPOSITORIES
(a) Repository: ssp-relay
(b) Assessed Commit ID: 98a7d85
(a) Repository: ssp-wallet
(b) Assessed Commit ID: 4f8c894
(a) Repository: ssp-key
(b) Assessed Commit ID: e346264
Out-of-Scope: New features/implementations after the remediation commit IDs.

7. Assessment Summary & Findings Overview

Critical

0

High

3

Medium

15

Low

17

Informational

0

Security analysisRisk levelRemediation Date
HAL-26 - BE - MNEMONIC PHRASE EXPOSURE IN MEMORYHighSolved - 02/13/2025
HAL-04 - iOS - INSECURE STORAGE OF PINHighSolved - 02/18/2025
HAL-29 - HARCODED SECRETS IN GIT HISTORYHighSolved - 01/28/2025
HAL-17 - iOS - BIOMETRIC AUTHENTICATION BYPASSMediumSolved - 02/16/2025
HAL-18 - ANDROID - FINGERPRINT AUTHENTICATION BYPASSMediumSolved - 02/16/2025
HAL-31 - iOS - ALLOWING SENSITIVE DATA TO BE COPIED TO CLIPBOARDMediumSolved - 02/16/2025
HAL-07 - ANDROID - INSECURE TRUST OF DEVICE-LEVEL BIOMETRIC AUTHENTICATIONMediumSolved - 02/16/2025
HAL-08 - iOS - INSECURE TRUST OF DEVICE-LEVEL BIOMETRIC AUTHENTICATIONMediumSolved - 02/12/2025
HAL-01 - VULNERABLE THIRD-PARTY DEPENDENCIESMediumSolved - 02/24/2025
HAL-23 - API - LACK OF RATE LIMITATION ON SSP RELAY ENDPOINTSMediumSolved - 01/28/2025
HAL-27 - API - LACK OF DATA SANITIZATION AND VALIDATION OF LIMITSMediumSolved - 01/28/2025
HAL-05 - iOS - INSECURE ACCESSIBILITY ATTRIBUTES IN KEYCHAIN STORAGEMediumSolved - 02/18/2025
HAL-22 - BE - POTENTIAL RISK OF SENSITIVE DATA EXPOSURE THROUGH CLIPBOARDMediumSolved - 02/13/2025
HAL-10 - MOBILE - WEAK PASSWORD POLICYMediumSolved - 02/13/2025
HAL-33 - ANDROID - EXPOSURE OF SENSITIVE DATA THROUGH CLIPBOARDMediumSolved - 02/16/2025
HAL-03 - BE - UNRESTRICTIVE CONTENT-SECURITY-POLICY (CSP)MediumSolved - 01/29/2025
HAL-25 - BE - POTENTIAL RISK DUE TO THIRD-PARTY IFRAMEMediumSolved - 01/14/2025
HAL-32 - ANDROID - RISK OF OVERLAY ATTACKMediumPartially Solved - 02/24/2025
HAL-30 - API - OUTDATED VERSIONS OF TLS SUPPORTEDLowSolved - 01/28/2025
HAL-14 - API - CACHEABLE HTTPS RESPONSELowSolved - 01/28/2025
HAL-15 - iOS - LACK OF JAILBREAK DETECTION MECHANISMLowSolved - 02/18/2025
HAL-16 - ANDROID - LACK OF ROOT DETECTION MECHANISMLowSolved - 02/18/2025
HAL-02 - BE - DEPENDENCIES SHOULD BE PINNED TO EXACT VERSIONSLowSolved - 01/30/2025
HAL-12 - iOS - CERTIFICATE PINNING BYPASSLowFuture Release - 02/20/2025
HAL-13 - ANDROID - CERTIFICATE PINNING BYPASSLowFuture Release - 02/20/2025
HAL-35 - IOS - LACK OF ANTI-TAMPERING AND ANTI-HOOKING MECHANISMSLowFuture Release - 02/20/2025
HAL-34 - ANDROID - LACK OF ANTI-TAMPERING AND ANTI-HOOKING MECHANISMSLowFuture Release - 02/20/2025
HAL-28 - BE - VERBOSE LOGGING IN EXTENSIONLowSolved - 01/30/2025
HAL-06 - BE - LACK OF PASSWORD COMPLEXITY AND PASSWORD POLICYLowSolved - 01/30/2025
HAL-09 - iOS - PERSISTENT KEYCHAIN DATALowSolved - 02/24/2025
HAL-11 - iOS - BACKGROUND SCREEN CACHINGLowSolved - 02/18/2025
HAL-19 - ANDROID - BACKGROUND SCREEN CACHINGLowSolved - 02/16/2025
HAL-24 - ANDROID - TRANSACTION DATA EXPOSED IN LOGSLowSolved - 02/16/2025
HAL-21 - iOS - APPLICATION ALLOWS SCREENSHOTSLowFuture Release - 02/18/2025
HAL-20 - ANDROID - APPLICATION ALLOWS SCREENSHOTSLowSolved - 02/16/2025

8. Findings & Tech Details

8.1 HAL-26 - BE - MNEMONIC PHRASE EXPOSURE IN MEMORY

//

High

Description
Proof of Concept
Score
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L(8.4)
Recommendation
Remediation Comment

8.2 HAL-04 - iOS - INSECURE STORAGE OF PIN

//

High

Description
Proof of Concept
Score
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L(7.7)
Recommendation
Remediation Comment

8.3 HAL-29 - HARCODED SECRETS IN GIT HISTORY

//

High

Description
Proof of Concept
Score
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N(7.4)
Recommendation
Remediation Comment

8.4 HAL-17 - iOS - BIOMETRIC AUTHENTICATION BYPASS

//

Medium

Description
Proof of Concept
Score
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N(6.3)
Recommendation
Remediation Comment

8.5 HAL-18 - ANDROID - FINGERPRINT AUTHENTICATION BYPASS

//

Medium

Description
Proof of Concept
Score
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N(6.3)
Recommendation
Remediation Comment

8.6 HAL-31 - iOS - ALLOWING SENSITIVE DATA TO BE COPIED TO CLIPBOARD

//

Medium

Description
Proof of Concept
Score
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N(5.9)
Recommendation
Remediation Comment

8.7 HAL-07 - ANDROID - INSECURE TRUST OF DEVICE-LEVEL BIOMETRIC AUTHENTICATION

//

Medium

Description
Proof of Concept
Score
CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N(5.6)
Recommendation
Remediation Comment

8.8 HAL-08 - iOS - INSECURE TRUST OF DEVICE-LEVEL BIOMETRIC AUTHENTICATION

//

Medium

Description
Proof of Concept
Score
CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N(5.6)
Recommendation
Remediation Comment

8.9 HAL-01 - VULNERABLE THIRD-PARTY DEPENDENCIES

//

Medium

Description
Proof of Concept
Score
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N(5.4)
Recommendation
Remediation Comment

8.10 HAL-23 - API - LACK OF RATE LIMITATION ON SSP RELAY ENDPOINTS

//

Medium

Description
Proof of Concept
Score
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L(5.3)
Recommendation
Remediation Comment

8.11 HAL-27 - API - LACK OF DATA SANITIZATION AND VALIDATION OF LIMITS

//

Medium

Description
Proof of Concept
Score
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L(5.3)
Recommendation
Remediation Comment

8.12 HAL-05 - iOS - INSECURE ACCESSIBILITY ATTRIBUTES IN KEYCHAIN STORAGE

//

Medium

Description
Proof of Concept
Score
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N(5.2)
Recommendation
Remediation Comment

8.13 HAL-22 - BE - POTENTIAL RISK OF SENSITIVE DATA EXPOSURE THROUGH CLIPBOARD

//

Medium

Description
Proof of Concept
Score
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N(4.8)
Recommendation
Remediation Comment

8.14 HAL-10 - MOBILE - WEAK PASSWORD POLICY

//

Medium

Description
Proof of Concept
Score
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N(4.4)
Recommendation
Remediation Comment

8.15 HAL-33 - ANDROID - EXPOSURE OF SENSITIVE DATA THROUGH CLIPBOARD

//

Medium

Description
Proof of Concept
Score
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N(4.4)
Recommendation
Remediation Comment

8.16 HAL-03 - BE - UNRESTRICTIVE CONTENT-SECURITY-POLICY (CSP)

//

Medium

Description
Proof of Concept
Score
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N(4.2)
Recommendation
Remediation Comment

8.17 HAL-25 - BE - POTENTIAL RISK DUE TO THIRD-PARTY IFRAME

//

Medium

Description
Score
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N(4.2)
Recommendation
Remediation Comment

8.18 HAL-32 - ANDROID - RISK OF OVERLAY ATTACK

//

Medium

Description
Proof of Concept
Score
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N(4.2)
Recommendation
Remediation Comment

8.19 HAL-30 - API - OUTDATED VERSIONS OF TLS SUPPORTED

//

Low

Description
Proof of Concept
Score
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N(3.7)
Recommendation
Remediation Comment

8.20 HAL-14 - API - CACHEABLE HTTPS RESPONSE

//

Low

Description
Proof of Concept
Score
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N(3.7)
Recommendation
Remediation Comment

8.21 HAL-15 - iOS - LACK OF JAILBREAK DETECTION MECHANISM

//

Low

Description
Score
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N(3.6)
Recommendation
Remediation Comment

8.22 HAL-16 - ANDROID - LACK OF ROOT DETECTION MECHANISM

//

Low

Description
Score
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N(3.6)
Recommendation
Remediation Comment

8.23 HAL-02 - BE - DEPENDENCIES SHOULD BE PINNED TO EXACT VERSIONS

//

Low

Description
Proof of Concept
Score
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N(3.1)
Recommendation
Remediation Comment

8.24 HAL-12 - iOS - CERTIFICATE PINNING BYPASS

//

Low

Description
Proof of Concept
Score
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N(2.9)
Recommendation
Remediation Comment

8.25 HAL-13 - ANDROID - CERTIFICATE PINNING BYPASS

//

Low

Description
Proof of Concept
Score
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N(2.9)
Recommendation
Remediation Comment

8.26 HAL-35 - IOS - LACK OF ANTI-TAMPERING AND ANTI-HOOKING MECHANISMS

//

Low

Description
Score
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N(2.9)
Recommendation
Remediation Comment

8.27 HAL-34 - ANDROID - LACK OF ANTI-TAMPERING AND ANTI-HOOKING MECHANISMS

//

Low

Description
Score
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N(2.9)
Recommendation
Remediation Comment

8.28 HAL-28 - BE - VERBOSE LOGGING IN EXTENSION

//

Low

Description
Proof of Concept
Score
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N(2.6)
Recommendation
Remediation Comment

8.29 HAL-06 - BE - LACK OF PASSWORD COMPLEXITY AND PASSWORD POLICY

//

Low

Description
Proof of Concept
Score
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N(2.5)
Recommendation
Remediation Comment

8.30 HAL-09 - iOS - PERSISTENT KEYCHAIN DATA

//

Low

Description
Proof of Concept
Score
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N(2.5)
Recommendation
Remediation Comment

8.31 HAL-11 - iOS - BACKGROUND SCREEN CACHING

//

Low

Description
Proof of Concept
Score
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N(2.5)
Recommendation
Remediation Comment

8.32 HAL-19 - ANDROID - BACKGROUND SCREEN CACHING

//

Low

Description
Proof of Concept
Score
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N(2.5)
Recommendation
Remediation Comment

8.33 HAL-24 - ANDROID - TRANSACTION DATA EXPOSED IN LOGS

//

Low

Description
Proof of Concept
Score
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N(2.5)
Recommendation
Remediation Comment

8.34 HAL-21 - iOS - APPLICATION ALLOWS SCREENSHOTS

//

Low

Description
Score
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N(1.9)
Recommendation
Remediation Comment

8.35 HAL-20 - ANDROID - APPLICATION ALLOWS SCREENSHOTS

//

Low

Description
Proof of Concept
Score
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N(1.9)
Recommendation
Remediation Comment

Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.

// Download the full report

InFlux - SSP Wallet, Relay and Key - WebApp Pentest

* Use Google Chrome for best results

** Check "Background Graphics" in the print settings if needed