Penetration Testing Report

Document Properties

Title | Black Box Penetration Testing Report
Version | V 1.0
Author | xu
Pen-testers | xu, kong, yudan, reborn
Reviewed By | blue
Classification | Public

Version control

Version | Date | Author | Description
V 1.0 | 05.22, 2021 | xu | Final Draft

Table of Contents

Document Properties
Version control
1. Basic information
1.1 Scope of work
1.2 Tester and Timeline
1.3 Test content
1.4 Other explanatory information
2. Test summary
2.1 Summary of Findings
2.2 Total Risks
3. Test Results
3.1 General Security Test
3.2 Private Key/Mnemonic Phrase Security Test
3.3 Risk control Security Test
3.4 Other Security Test
Disclaimer
Reference

1. Basic information

The SlowMist security team conducted the penetration testing on the TronLink Android App project under the authorization of the TronLink team. This report is written based on the test process and results, to help the TronLink team understand the safety of the target business system and to guide the TronLink team in fixing and rectifying the issues found.

1.1 Scope of work

This security assessment covers the penetration testing of the TronLink Android App. The assessment was carried out from a black box perspective, with the only supplied information being the tested Android App. No other information was assumed at the start of the assessment.

Download link: https://tronlink.org
Version: v4.0.3
MD5: 1a428ff46d9b370c7ccfe2ab5ac008f7
Fixed Version: v4.3.0
MD5: a8f9ea8e9ba8dfa1bbe3ac123b5dd0ad

1.2 Tester and Timeline

This penetration testing was carried out within the timeline agreed in advance as follows:

Timeline
Start Date/Time | 04.21, 2021
End Date/Time | 09.06, 2021

The participants of this penetration testing are shown as follows:

List of Testers

Organization | Role | Name | Contact
SlowMist Security Team | Security Engineer | xu | mx@slowmist.com
SlowMist Security Team | Security Engineer | kong | kong@slowmist.com
SlowMist Security Team | Security Engineer | yudan | yudan@slowmist.com
SlowMist Security Team | Security … | … | ….com

1.3 Test content

The content of this test is the TronLink Android App security test performed by SlowMist, carried out in accordance with the OWASP security testing guide and with reference to the CVSS vulnerability rating standard. The SlowMist security team adopts the strategy of "mainly black box, supplemented by grey box" to conduct a complete security test of the project in the way that is closest to a real attack.

1.4 Other explanatory information

Application security test method of SlowMist:

Black box testing | Conduct security tests externally from the attacker's perspective.
Grey box testing | Through communication with the person in charge of the project, investigate the internal security construction of the project, conduct the security assessment and the security test according to the investigation results, observe the internal operation status, and mine for weaknesses.
White box testing | … vulnerability(ies) in nodes, SDK, sites and other programs.

Application security risk level of SlowMist standard:

Critical | The critical vulnerability can have a significant impact on the …, and it is strongly recommended to fix the critical vulnerability(ies).
High | The high-risk vulnerability will affect the normal operation of the business system. It is strongly recommended to fix the high-risk vulnerability.
Medium | The medium vulnerability will affect the operation of the business system. It is suggested to fix the medium vulnerability.
Low | Low-risk vulnerabilities may affect the operation of the business system in certain scenarios. It is recommended that the project party evaluate and consider whether these issues need to be fixed.
Weakness | Theoretically there are security risks, but they are very difficult to reproduce in engineering; the system will be more robust after adding a security policy.
Enhancement suggestion | There will be no problems at present, but as the system develops, it may become a vulnerability in the future.

2. Test summary

2.1 Summary of Findings

Level | Number of …
Enhancement suggestion | 5 4

2.2 Total Risks

2.3 Summary conclusion

The SlowMist security team used manual and analytical tools to audit the TronLink project. During the audit, we found 2 low risks and 5 suggestions. 2 low risks and 4 suggestions were confirmed and fixed, and 1 suggestion was ignored. No critical or high-risk issues were found.

3. Test Results

3.1 General Security Test

NO. | Check | Response | Threat | OK
1 | Does the application attempt to detect jailbreak? | Jailbreak trace checks are performed at every application initialization. If jailbreak is detected, a warning message is displayed. | | Passed
2 | Is there any SSL pinning for TLS connections? | No SSL pinning implemented. | Enhancement suggestion | Fixed
3 | Is there a screen recording or screenshot check? | There are obvious risk warnings. | | Passed
4 | Is there a clipboard check? | There is an obvious risk warning broadcast. | Enhancement suggestion | Fixed
5 | Is there obfuscation when the app is suspended? | The private key resides in memory for a long time. The page still stays on the private key interface when switching back to the wallet App. Obfuscation is applied when the app is suspended in the background. | Low | Fixed

3.2 Private Key/Mnemonic Phrase Security Test

NO. | Check | Response | Threat | OK
1 | How can the user fetch private keys? | Can only be done by using the "export keys" feature via the application user interface. | | Passed
2 | How is the private key/mnemonic phrase stored? | Stored in an xml file, protected using a PBKDF. | | Passed
3 | How are exported keys protected? | Exported keys are encrypted with a user-provided password. The aes-128-ctr encryption key is derived from the password with a KDF. | | Passed

3.3 Risk control Security Test

NO. | Check | Response | Threat | OK
1 | Is there a malicious address check? | No check for malicious addresses. | Enhancement suggestion |
2 | Is there an anti-phishing check? | No phishing detection when accessing a third-party DApp. | Enhancement suggestion | Fixed
3 | Is there a "fake token" check? | No obvious "fake token" … | |

3.4 Other Security Test

NO. | Check | Response | Threat | OK
1 | Is there a DApp interactive security reminder? | The wallet address can be obtained without operation confirmation. Signature and transaction operations are initiated by calling tronWeb.trx.sendRawTransaction and are not performed in the wallet itself. | |

Disclaimer

Xiamen SlowMist Technology Co., Ltd. (hereinafter referred to as "SlowMist") issues this report only based on the facts that have happened or existed before the report is issued, and will take the corresponding responsibilities for the report based on these facts. Regarding any unknown vulnerabilities or security incidents that happen or exist after the issue of this report, SlowMist cannot verify their security conditions and will not be responsible for them. All of the security audit analyses and other contents contained in this report are based only on the files and documents provided to SlowMist by the information providers (hereinafter referred to as "provided documents"). SlowMist assumes that the provided documents are not under any of these circumstances, such as being absent, tampered with, abridged or concealed. If the information in the provided documents was absent, tampered with, abridged, concealed, or did not conform to reality, SlowMist would not be responsible for any of the loss or disadvantages caused by these circumstances. SlowMist only performs the appointed security audits for the security condition of this project and issues this report. SlowMist is not responsible for the background of this project or any other circumstances.

Reference

[1] "Common Vulnerability Scoring System version … document": …
[2] "…细则" ("…Detailed Rules"): https://bc.cnvd.org.cn/notice_info?num=51d78f7d7334ce3d1f7bf62b4471772d
[3] "Mobile App Security Requirements and Verification": …oad/v1.3/OWASP_MASVS-1.3-en.pdf
[4] "Mobile Security Testing Guide": …e-security-testing-guide/
[5] "Web3 Secret Storage …": …i/Web3-Secret-Storage-Definition
