Vulnerability in Two App Studio Journey (CVE-2025-41459)

Journey is a journaling app for iOS that stores personal entries and media.

CVE-2025-41459: Insecure authentication due to missing brute-force protection and runtime manipulation in Two App Studio Journey v5.5.9 for iOS

Insufficient authentication enforcement in local authentication component in Two App Studio Journey v5.5.9 on iOS allows local attackers to bypass biometric and PIN-based protection via repeated PIN attempts and runtime manipulation.

The application implements local 4-digit PIN and biometric authentication, but these mechanisms can be bypassed using brute-force and runtime manipulation techniques. As a result, sensitive data within the app may be accessed without valid user authentication.

We generally recommend enforcing retry limits, binding authentication to the iOS keychain, and storing all sensitive credentials within the Secure Enclave.

This vulnerability exposes private content and key material to local attackers with access to the device’s file system.

The issue remains unresolved at the time of writing, despite the releases of newer versions of the app since the responsible disclosure.

The vulnerability was not acknowledged or fixed by Two App Studio within 120 days. For this reason, we are releasing information to the public to allow affected users to protect themselves.

This security advisory covers vulnerabilities identified exclusively in the iOS version of the application. Other platforms such as Android or Windows were not tested.

CVSS Score
7.8 (CVSS v3.1)

CVSS Vector String
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Version
v5.5.6 – v5.5.9 (latest at the time of release)

Credits
Hannes Allmann (cirosec GmbH)

Timeline

Vulnerability in Two App Studio Journey (CVE-2025-41458)

Journey is a journaling app for iOS that stores personal entries and media.

CVE-2025-41458: Insecure data storage vulnerability in Two App Studio Journey v5.5.9 for iOS

Unencrypted storage in the database in Two App Studio Journey v5.5.9 for iOS allows local attackers to extract sensitive data via direct access to the app’s file system.

During an analysis of the iOS app, it was discovered that sensitive user data, including diary entries, authentication tokens, and cryptographic material, is stored unencrypted in both the app’s main SQLite database and its Write-Ahead Log (WAL) file. The WAL is a temporary SQLite file that records database changes before they are committed, often retaining sensitive data even after deletion. This exposes private content and key material to local attackers with access to the device’s file system.

We generally recommend encrypting local data using SQLCipher, storing keys securely in the iOS keychain with Secure Enclave protection, and disabling or regularly cleaning up WAL files to prevent recovery of deleted data.
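To make the WAL retention and the recommended cleanup concrete, the following Python example (added here; it is not code from the advisory or from the Journey app) uses the standard sqlite3 module to insert and delete a constructed entry, then scans the raw database file and its -wal file for the plaintext: once with a stock WAL configuration and once with secure_delete enabled plus a TRUNCATE checkpoint as cleanup. The table name, entry text and file paths are made up for the demonstration.

```python
import os
import sqlite3
import tempfile

# Constructed sample entry standing in for a diary record; not data from the advisory.
SECRET = b"constructed-diary-entry-7f3a"


def file_contains(path: str, needle: bytes) -> bool:
    """True if the raw bytes of `path` contain `needle`; False if the file is absent."""
    if not os.path.exists(path):
        return False
    with open(path, "rb") as f:
        return needle in f.read()


def deleted_entry_recoverable(db_path: str, hardened: bool) -> dict:
    """Insert one entry, delete it, then scan the on-disk files for the plaintext.

    hardened=False: WAL mode with freed cell space left as-is (secure_delete off).
    hardened=True : secure_delete zeroes freed cell space, and a TRUNCATE
                    checkpoint folds the WAL into the main file and empties it.
    """
    con = sqlite3.connect(db_path)
    # The compile-time default for secure_delete differs between SQLite builds,
    # so each scenario pins it explicitly to stay reproducible.
    con.execute("PRAGMA secure_delete=ON" if hardened else "PRAGMA secure_delete=OFF")
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("CREATE TABLE entries (id INTEGER PRIMARY KEY, body TEXT)")
    con.execute("INSERT INTO entries (body) VALUES (?)", (SECRET.decode(),))
    con.commit()
    con.execute("DELETE FROM entries WHERE id = 1")
    con.commit()
    if hardened:
        # Cleanup as the advisory suggests; PRAGMA journal_mode=DELETE would
        # instead disable WAL entirely.
        con.execute("PRAGMA wal_checkpoint(TRUNCATE)")
    wal_before_close = file_contains(db_path + "-wal", SECRET)
    con.close()  # closing the last connection checkpoints and removes the WAL
    on_disk_after_close = (file_contains(db_path, SECRET)
                           or file_contains(db_path + "-wal", SECRET))
    return {"wal_before_close": wal_before_close,
            "on_disk_after_close": on_disk_after_close}


def demo() -> dict:
    """Run both configurations in a scratch directory and return the findings."""
    workdir = tempfile.mkdtemp()
    return {
        "default": deleted_entry_recoverable(os.path.join(workdir, "default.db"), False),
        "hardened": deleted_entry_recoverable(os.path.join(workdir, "hardened.db"), True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The default run reports the plaintext both in the -wal file while the connection is open and in the main database after the deleted row has been checkpointed; the hardened run reports neither.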

The issue remains unresolved at the time of writing, despite the releases of newer versions of the app since the responsible disclosure. The vulnerability was not acknowledged or fixed by Two App Studio within 120 days. For this reason, we are releasing this information to the public to allow affected users to protect themselves.

This security advisory covers vulnerabilities identified exclusively in the iOS version of the application. Other platforms such as Android or Windows were not tested.

CVSS Score
5.5 (CVSS v3.1)

CVSS Vector String
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected Version
v5.5.6 – v5.5.9 (latest at the time of release)

Credits
Hannes Allmann (cirosec GmbH)

Timeline
