Prepared by:
HALBORN
Last Updated 04/21/2025
Date of Engagement: March 17th, 2025 - April 4th, 2025
100% of all REPORTED Findings have been addressed
All findings
16
Critical
0
High
0
Medium
2
Low
12
Informational
2
SOL Strategies engaged Halborn to conduct a security assessment of their Android / iOS wallet mobile applications. The security assessment was scoped to Sol Strategies provided mobile applications. The client team provided both mobile apps and the respective files to conduct security testing using tools to scan, detect, validate possible vulnerabilities found and report the findings at the end of the engagement.
The team at Halborn was provided 3 weeks for the engagement and assigned a full-time security engineer to verify the security of the assets in scope. The security engineer is a penetration testing expert with advanced knowledge in web, mobile Android and iOS, recon, discovery & infrastructure penetration testing.
The goals of our security assessments are to improve the quality of the systems we review and to target sufficient remediation to help protect users.
In summary, Halborn identified multiple issues, including the possibility of performing a fingerprint authentication bypass, allowing potential attackers to bypass biometric authentication, compromising account security. The Android app is vulnerable to tapjacking attacks, where malicious overlays could trick users into performing unintended actions. Additionally, the Orangefin backend is missing some important security headers.
Both iOS and Android apps have WebViews that can load unrestricted origins, exposing the apps to potential malicious content. Additionally, there are various bypass mechanisms such as the lack of certificate pinning (Android app) and root / jailbreak detection bypass, alongside the lack of anti-hooking and anti-debugging protections on both iOS and Android apps. This leaves the apps vulnerable to reverse engineering and tampering. Additionally, the apps present incorrect security configurations, such as the possibility of performing app backups in Android or a weak ATS configuration in the iOS app. Fingerprint-related vulnerabilities found on Android app (fingerprint authentication bypass and lack of re-authentication when new fingerprint added) could not be reproduced in the iOS app due to limitations of the testing device, however, they are likely to be also present in the iOS app.
Addressing all these vulnerabilities is nevertheless recommended to enhance the overall security and integrity of both applications.
The security assessment was scoped to:
Orangefin - 1.0.0 - Android
Orangefin - 1.0.0 - iOS
Halborn performed a combination of manual and automated security testing to balance efficiency, timeliness, practicality, and accuracy regarding the scope of the pentest. While manual testing is recommended to uncover flaws in logic, process and implementation; automated testing techniques assist enhance coverage of the infrastructure and can quickly identify flaws in it.
The following phases and associated tools were used throughout the term of the assessment:
Storing private keys and assets securely
Application logic flaws
Areas where insufficient validation allows for hostile input
Application of cryptography to protect secrets
Brute-force attempts
Input handling
Fuzzing of input parameters
Technology stack-specific vulnerabilities and code assessment
Known vulnerabilities in 3rd party/OSS dependencies.
Mapping Content and Functionality of API
Application Logic Flaw
Access Handling
Authentication/Authorization Flaw
Response Manipulation
Hardcoded credentials or API keys
Sensitive data leakage
Ensure sensitive data secure storage
Secure communications for network communication
Critical
0
High
0
Medium
2
Low
12
Informational
2
| Security analysis | Risk level | Remediation Date |
|---|---|---|
| ANDROID - TAPJACKING | Medium | Solved - 04/11/2025 |
| BACKEND - MISSING IMPORTANT SECURITY HEADERS | Medium | Solved - 04/11/2025 |
| ANDROID - LACK OF ANTI-HOOK ANTI-DEBUG MECHANISMS | Low | Partially Solved - 04/16/2025 |
| ANDROID - WEBVIEWS CAN LOAD UNRESTRICTED ORIGINS | Low | Future Release - 04/16/2025 |
| IOS - LACK OF JAILBREAK DETECTION MECHANISM | Low | Future Release - 04/16/2025 |
| IOS - LACK OF ANTI-HOOK ANTI-DEBUG MECHANISMS | Low | Future Release |
| IOS - SENSITIVE DATA LOGGED IN CACHE | Low | Future Release - 04/16/2025 |
| IOS - WEBVIEWS CAN LOAD UNRESTRICTED ORIGINS | Low | Future Release - 04/16/2025 |
| ANDROID - FINGERPRINT AUTHENTICATION BYPASS | Low | Partially Solved - 04/16/2025 |
| ANDROID - LACK OF RE-AUTHENTICATION WHEN NEW FINGERPRINT ADDED | Low | Future Release - 04/16/2025 |
| BACKEND - ENDPOINT PUBLICLY AVAILABLE | Low | Solved - 03/26/2025 |
| IOS - ATS WEAK CONFIGURATION | Low | Solved - 04/11/2025 |
| ANDROID - LACK OF CERTIFICATE PINNING | Low | Future Release - 04/16/2025 |
| ANDROID - APPLICATION ALLOWS DATA BACKUP | Low | Solved - 04/11/2025 |
| ANDROID - LACK OF ROOT DETECTION MECHANISM | Informational | Partially Solved - 04/11/2025 |
| IOS - CERTIFICATE PINNING BYPASS | Informational | Future Release - 04/16/2025 |
//Medium
//Medium
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Informational
//Informational
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
// Download the full report
Mobile App iOS & Android Blackbox
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed
