Mobile App iOS & Android Blackbox - Sol Strategies

1. Summary

2. Introduction

SOL Strategies engaged Halborn to conduct a security assessment of their Android / iOS wallet mobile applications. The security assessment was scoped to Sol Strategies provided mobile applications. The client team provided both mobile apps and the respective files to conduct security testing using tools to scan, detect, validate possible vulnerabilities found and report the findings at the end of the engagement.

3. Assessment Summary

The team at Halborn was provided 3 weeks for the engagement and assigned a full-time security engineer to verify the security of the assets in scope. The security engineer is a penetration testing expert with advanced knowledge in web, mobile Android and iOS, recon, discovery & infrastructure penetration testing.

The goals of our security assessments are to improve the quality of the systems we review and to target sufficient remediation to help protect users.

In summary, Halborn identified multiple issues, including the possibility of performing a fingerprint authentication bypass, allowing potential attackers to bypass biometric authentication, compromising account security. The Android app is vulnerable to tapjacking attacks, where malicious overlays could trick users into performing unintended actions. Additionally, the Orangefin backend is missing some important security headers.

Both iOS and Android apps have WebViews that can load unrestricted origins, exposing the apps to potential malicious content. Additionally, there are various bypass mechanisms such as the lack of certificate pinning (Android app) and root / jailbreak detection bypass, alongside the lack of anti-hooking and anti-debugging protections on both iOS and Android apps. This leaves the apps vulnerable to reverse engineering and tampering. Additionally, the apps present incorrect security configurations, such as the possibility of performing app backups in Android or a weak ATS configuration in the iOS app. Fingerprint-related vulnerabilities found on Android app (fingerprint authentication bypass and lack of re-authentication when new fingerprint added) could not be reproduced in the iOS app due to limitations of the testing device, however, they are likely to be also present in the iOS app.

Addressing all these vulnerabilities is nevertheless recommended to enhance the overall security and integrity of both applications.

Scope

The security assessment was scoped to:

• Orangefin - 1.0.0 - Android

• Orangefin - 1.0.0 - iOS

4. Test Approach and Methodology

Halborn performed a combination of manual and automated security testing to balance efficiency, timeliness, practicality, and accuracy regarding the scope of the pentest. While manual testing is recommended to uncover flaws in logic, process and implementation; automated testing techniques assist enhance coverage of the infrastructure and can quickly identify flaws in it.

The following phases and associated tools were used throughout the term of the assessment:

• Storing private keys and assets securely

• Application logic flaws

• Areas where insufficient validation allows for hostile input

• Application of cryptography to protect secrets

• Brute-force attempts

• Input handling

• Fuzzing of input parameters

• Technology stack-specific vulnerabilities and code assessment

• Known vulnerabilities in 3rd party/OSS dependencies.

• Mapping Content and Functionality of API

• Application Logic Flaw

• Access Handling

• Authentication/Authorization Flaw

• Response Manipulation

• Hardcoded credentials or API keys

• Sensitive data leakage

• Ensure sensitive data secure storage

• Secure communications for network communication