Vulnerability in Two App Studio Journey (CVE-2025-41459)

Journey is a journaling app for iOS that stores personal entries and media.

Insecure authentication due to missing brute-force protection and runtime manipulation in Two App Studio Journey v5.5.9 for iOS

Insufficient authentication enforcement in local authentication component in Two App Studio Journey v5.5.9 on iOS allows local attackers to bypass biometric and PIN-based protection via repeated PIN attempts and runtime manipulation.

The application implements local 4-digit PIN and biometric authentication, but these mechanisms can be bypassed using brute-force and runtime manipulation techniques. As a result, sensitive data within the app may be accessed without valid user authentication.

We generally recommend enforcing retry limits, binding authentication to the iOS keychain, and storing all sensitive credentials within the Secure Enclave.
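To make the three recommendations concrete, the following Swift snippet is an added illustration written for this advisory; it is not code from Journey or from cirosec, and the service and account names in it are hypothetical. It binds the key that encrypts journal content to a keychain item that the Secure Enclave releases only after iOS itself verifies the currently enrolled biometrics, so no in-app boolean exists for a runtime patch to flip, and it keeps the failed-PIN counter in the keychain with a growing delay and a key wipe after a fixed number of failures, so a local attacker editing the app's files cannot reset it.

```swift
import Foundation
import Security
import LocalAuthentication

// Hypothetical identifiers for this illustration.
private let service = "com.example.journalapp"
private let contentKeyAccount = "content-encryption-key"
private let attemptsAccount = "pin-failed-attempts"
private let maxAttempts = 10

enum ProtectedStoreError: Error {
    case accessControl
    case keychain(OSStatus)
    case lockedOut(remainingSeconds: TimeInterval)
}

/// Base keychain query shared by the helpers below.
private func baseQuery(account: String) -> [String: Any] {
    return [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
}

/// Store the content key so the Secure Enclave only releases it after the OS
/// verifies the current biometric set (re-enrolment invalidates the item)
/// and only while a device passcode is set. No app-level flag is involved.
func storeContentKey(_ key: Data) throws {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet,
        &cfError
    ) else { throw ProtectedStoreError.accessControl }

    SecItemDelete(baseQuery(account: contentKeyAccount) as CFDictionary)
    var add = baseQuery(account: contentKeyAccount)
    add[kSecAttrAccessControl as String] = access
    add[kSecValueData as String] = key
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw ProtectedStoreError.keychain(status) }
}

/// Read the key. The system shows the biometric prompt and returns the bytes
/// only on success; patching the app at runtime cannot produce them.
func loadContentKey(reason: String) throws -> Data {
    let context = LAContext()
    context.localizedReason = reason
    var query = baseQuery(account: contentKeyAccount)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    query[kSecUseAuthenticationContext as String] = context
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data else {
        throw ProtectedStoreError.keychain(status)
    }
    return data
}

// Retry limiting for the 4-digit PIN fallback. The counter lives in the
// keychain, not in UserDefaults or a plist, so it survives file-system edits.
private struct AttemptState: Codable { var count: Int; var lastFailure: Date }

private func readAttempts() -> AttemptState {
    var query = baseQuery(account: attemptsAccount)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
          let data = result as? Data,
          let state = try? JSONDecoder().decode(AttemptState.self, from: data)
    else { return AttemptState(count: 0, lastFailure: .distantPast) }
    return state
}

private func writeAttempts(_ state: AttemptState) {
    guard let data = try? JSONEncoder().encode(state) else { return }
    SecItemDelete(baseQuery(account: attemptsAccount) as CFDictionary)
    var add = baseQuery(account: attemptsAccount)
    add[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    add[kSecValueData as String] = data
    SecItemAdd(add as CFDictionary, nil)
}

/// No delay for the first three failures, then 2^(n-3) minutes.
func lockoutDelay(afterFailures n: Int) -> TimeInterval {
    return n < 3 ? 0 : pow(2.0, Double(n - 3)) * 60
}

/// Call before comparing a PIN; throws while a lockout is still in effect.
func checkPinAttemptAllowed(now: Date = Date()) throws {
    let state = readAttempts()
    let wait = lockoutDelay(afterFailures: state.count) - now.timeIntervalSince(state.lastFailure)
    if wait > 0 { throw ProtectedStoreError.lockedOut(remainingSeconds: wait) }
}

/// Call with the outcome of the PIN check. After maxAttempts failures the
/// content key is destroyed, so further guessing yields nothing decryptable.
func recordPinAttempt(succeeded: Bool, now: Date = Date()) {
    if succeeded {
        SecItemDelete(baseQuery(account: attemptsAccount) as CFDictionary)
        return
    }
    let count = readAttempts().count + 1
    if count >= maxAttempts {
        SecItemDelete(baseQuery(account: contentKeyAccount) as CFDictionary)
    }
    writeAttempts(AttemptState(count: count, lastFailure: now))
}
```

Two design notes on this illustration. First, a 4-digit PIN has only 10,000 values, so the counter and the key wipe are what make guessing impractical; the schedule above is an assumption, not a figure from the advisory. Second, the result of the PIN comparison is itself a target for runtime patching, so in a hardened design the PIN should unwrap the content key (a wrong PIN yields nothing decryptable) rather than gate a boolean; that wrapping step is outside the snippet.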

This vulnerability exposes private content and key material to local attackers with access to the device’s file system.

The issue remains unresolved at the time of writing, although newer versions of the app have been released since the responsible disclosure.

The vulnerability was not acknowledged or fixed by Two App Studio within 120 days. For this reason, we are releasing information to the public to allow affected users to protect themselves.

This security advisory covers vulnerabilities identified exclusively in the iOS version of the application. Other platforms such as Android or Windows were not tested.

CVSS Score
7.8 (CVSS v3.1)

CVSS Vector String
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Version
v5.5.6 – v5.5.9 (latest at the time of release)

Credits
Hannes Allmann (cirosec GmbH)

Timeline
