Bug #22302

[External Audit Findings][iOS] Certificate files hardcoded inside the app

Added by yap chekying 21 days ago. Updated 11 days ago.

Status: Pending PROD
Start date: 29 July 2025
Priority: Normal
Due date:
Assignee: yap chekying
% Done: 100%
Category: -
Spent time: -
Target version: -

Description

Issue:
Same as Android – developers embed a list of trusted certificates inside the app and use it to validate server certificates. If not properly implemented, this can leave the app vulnerable to man-in-the-middle attacks.

Recommendation from pentester:
Developers are advised to add obfuscation to make decompilation difficult and to use public keys as variables, making it difficult for attackers to reverse engineer.

Please refer to the attached Excel file for details.
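One way to apply the "use public keys" recommendation on iOS is to pin a SHA-256 hash of the server's SubjectPublicKeyInfo inside a URLSessionDelegate instead of bundling certificate files. This is an added illustration, not code from this app or from the audit; it assumes the app uses URLSession, and the pin values are placeholders to be computed from the real server certificate.

```swift
import Foundation
import Security
import CryptoKit
// Base64 SHA-256 hashes of the server's SubjectPublicKeyInfo (SPKI).
// PLACEHOLDER values: compute the real ones from the server certificate with
//   openssl x509 -in server.pem -pubkey -noout | openssl pkey -pubin -outform der \
//     | openssl dgst -sha256 -binary | base64
// Keep a backup pin for the next key so rotation does not lock users out.
let pinnedSPKIHashes: Set<String> = [
    "PLACEHOLDER_CURRENT_KEY_SHA256_BASE64=",
    "PLACEHOLDER_BACKUP_KEY_SHA256_BASE64=",
]

// SecKeyCopyExternalRepresentation returns only the bare key bytes, so the DER
// SPKI header must be prepended before hashing to match the openssl output above.
func spkiHeader(for key: SecKey) -> Data? {
    guard let attrs = SecKeyCopyAttributes(key) as? [CFString: Any],
          let type = attrs[kSecAttrKeyType] as? String,
          let bits = attrs[kSecAttrKeySizeInBits] as? Int else { return nil }
    if type == kSecAttrKeyTypeRSA as String && bits == 2048 {
        return Data([0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
                     0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00])
    }
    if type == kSecAttrKeyTypeECSECPrimeRandom as String && bits == 256 {
        return Data([0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01,
                     0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00])
    }
    return nil // unsupported key type or size: treated as not pinned
}

func spkiHash(of cert: SecCertificate) -> String? {
    guard let key = SecCertificateCopyKey(cert),
          let header = spkiHeader(for: key),
          let raw = SecKeyCopyExternalRepresentation(key, nil) as Data? else { return nil }
    return Data(SHA256.hash(data: header + raw)).base64EncodedString()
}

final class PinningDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust,
              SecTrustEvaluateWithError(trust, nil),                 // normal chain, expiry, hostname checks first
              let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              chain.contains(where: { pinnedSPKIHashes.contains(spkiHash(of: $0) ?? "") })
        else {
            completionHandler(.cancelAuthenticationChallenge, nil)   // pin mismatch or invalid chain: fail closed
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}
```

The pinned hash is not a secret, so the protection comes from the check itself running on every connection and failing closed, not from hiding the value; rotating to the backup pin is what keeps the app working when the server key changes.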

Copy of Audit Findings - Silver lake - ver2.xlsx (5.15 MB) yap chekying, 29 July 2025 10:07 AM

RE OCBC Business Mobile app Audit Findings - July 2025.msg (364 KB) yap chekying, 06 August 2025 11:06 AM

History

#1 Updated by He Xi Yeo 21 days ago

  • Status changed from New to Assigned
  • Assignee changed from He Xi Yeo to yap chekying
  • % Done changed from 0 to 100

The certificate is now encrypted and obfuscated before being included in the app.

#2 Updated by yap chekying 13 days ago

#3 Updated by yap chekying 13 days ago

  • Priority changed from Immediate to Normal

#4 Updated by yap chekying 11 days ago

  • Status changed from Pending UAT to Pending PROD
