Trail of Bits

Magma

Type: Security review

Client: Tezos Foundation

Date: 2020-06

Domain: Blockchain

Effort: 1 wk

Section: Wallet Reviews

Trail of Bits's security review of Tezos Foundation (Jun 2020) identified 27 issues: 1 high, 11 medium, 11 low, and 4 informational.

Findings · 27

  1. Mnemonic is copied to clipboard (High)
  2. Mnemonic stays in memory for too long (Medium)
  3. Keychain security level is not the strongest available (Medium)
  4. Keychain operations are not checked for errors (Low)
  5. Recovery phrase is displayed without a timeout (Low)
  6. PIN code is sometimes not requested (Low)
  7. Wallet can be imported from more than 12 words (Medium)
  8. Too much code mocked (Informational)
  9. Sometimes all exception types are handled (Informational)
  10. encryptWithSalt uses weaker hashing on exception (Low)
  11. generateMnemonic function delays error handling (Informational)
  12. Wallet structure permits inconsistent state (Informational)
  13. Server lacks OCSP stapling (Medium)
  14. Sensitive information exposed to 3rd Party SDK (Sentry) (Medium)
  15. Multiple servers support weak TLS protocols and ciphers (Low)
  16. Servers do not restrict access over HTTP (Low)
  17. Application data remains exposed after first unlock (Medium)
  18. Disable third-party keyboards (Medium)
  19. TLS certificates are not pinned for multiple domains (Medium)
  20. Sensitive data is archived in iCloud and iTunes backups (Medium)
  21. iOS pasteboard data does not have an expiration date (Low)
  22. App does not restrict the use of unencrypted HTTP (Medium)
  23. Enable verification of Android Security Provider (Medium)
  24. Enable Android Verify Apps (Low)
  25. App Views are Vulnerable to TapJacking (Low)
  26. Enable SafetyNet Attestation API (Low)
  27. App susceptible to App Links hijacking (Low)

Findings extracted from the published report PDF. See the full report below for details and remediation.