Bug #22302

[External Audit Findings][iOS] Certificate files hardcoded inside the app

Added by yap chekying about 13 hours ago. Updated about 13 hours ago.

Status: Assigned
Priority: Immediate
Assignee: yap chekying
Category: -
Target version: -
Start date: 29 July 2025
Due date: -
% Done: 100%
Spent time: -

Description

Issue:
Same as Android – developers embed a list of trusted certificates inside the app and use it to validate server certificates. If not properly implemented, this can leave the app vulnerable to man-in-the-middle attacks.

Recommendation from pentester:
Developers are advised to add obfuscation to make decompilation difficult and to use public keys as variables, making it difficult for attackers to reverse engineer.

Please refer to attached excel for details.

Copy of Audit Findings - Silver lake - ver2.xlsx (5.15 MB) yap chekying, 29 July 2025 10:07 AM
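For reference, the following is an added illustration of the pentester's second recommendation (pin the server's public key rather than ship certificate files), not code taken from the app or from the audit workbook. It pins the SHA-256 of the DER SubjectPublicKeyInfo (the same value that `openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64` prints for the server certificate), so nothing in the bundle needs to change when the certificate is renewed with the same key. The class name, the placeholder pin strings and the choice to cover RSA-2048 and EC P-256 keys only are assumptions of this example; it targets iOS 15 or later because it uses `SecTrustCopyCertificateChain`.

```swift
import Foundation
import CryptoKit
import Security

/// Added example (not the app's own code): SPKI pinning in a URLSession delegate.
/// Order matters: the normal chain validation runs first, then the pin check
/// narrows which keys are acceptable. Any failure cancels the connection.
final class SPKIPinningDelegate: NSObject, URLSessionDelegate {

    /// Hypothetical placeholder pins (base64 of SHA-256 over the DER SPKI).
    /// Replace with the hash of the real leaf or intermediate key plus a backup
    /// key held offline, so a key rotation does not lock users out.
    private let pinnedSPKIHashes: Set<String> = [
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
        "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=",
    ]

    /// SecKeyCopyExternalRepresentation returns only the raw key (PKCS#1 for RSA,
    /// X9.63 point for EC), not the SPKI. Prepending the fixed ASN.1 header for the
    /// key type rebuilds the SPKI so the hash matches the openssl pipeline above.
    private static let rsa2048SPKIHeader: [UInt8] = [
        0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
        0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00]
    private static let ecP256SPKIHeader: [UInt8] = [
        0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
        0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
        0x42, 0x00]

    /// Returns the base64 SPKI hash for a certificate, or nil for key types this
    /// example does not cover (nil is treated as "no match", never as a pass).
    private func spkiHash(of cert: SecCertificate) -> String? {
        guard let key = SecCertificateCopyKey(cert),
              let attrs = SecKeyCopyAttributes(key) as? [CFString: Any],
              let type = attrs[kSecAttrKeyType] as? String,
              let bits = attrs[kSecAttrKeySizeInBits] as? Int,
              let raw = SecKeyCopyExternalRepresentation(key, nil) as Data? else {
            return nil
        }
        let rsaType = kSecAttrKeyTypeRSA as String
        let ecType = kSecAttrKeyTypeECSECPrimeRandom as String
        let header: [UInt8]
        switch (type, bits) {
        case (rsaType, 2048): header = Self.rsa2048SPKIHeader
        case (ecType, 256):   header = Self.ecP256SPKIHeader
        default:              return nil
        }
        let spki = Data(header) + raw
        return Data(SHA256.hash(data: spki)).base64EncodedString()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            // Not a server-trust challenge (e.g. client auth): leave it to the system.
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: system chain validation (trusted root, expiry, hostname) must pass.
        // Pinning adds a constraint on top of this; it never replaces it.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: at least one certificate in the validated chain must carry a pinned key.
        let chain = (SecTrustCopyCertificateChain(trust) as? [SecCertificate]) ?? []
        let pinMatched = chain.contains { cert in
            guard let hash = spkiHash(of: cert) else { return false }
            return pinnedSPKIHashes.contains(hash)
        }

        if pinMatched {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage: let session = URLSession(configuration: .default,
//                                 delegate: SPKIPinningDelegate(), delegateQueue: nil)
```

Two points worth keeping in mind when applying this: the pin values are hashes of public keys, so they are not secrets, and the check gets its strength from being enforced after normal validation and failing closed, not from hiding the values; and a second (backup) pin for a key held offline is what keeps a planned key rotation from becoming an outage.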

History

#1 Updated by He Xi Yeo about 13 hours ago

  • Status changed from New to Assigned
  • Assignee changed from He Xi Yeo to yap chekying
  • % Done changed from 0 to 100

The certificate is now encrypted and obfuscated before being included in the app.
