The Phoenix

Nov 18, 2023

Security audit of The Phoenix

A deep-dive iOS security assessment that hardened The Phoenix’s active-sober lifestyle app against real-world threats—because a safe recovery community starts with safe code.

As of October 2023 the audit has been completed, all critical and high-priority findings remediated, and the app re-launched in the App Store with a clean OWASP MASVS scorecard.

Overview

The Phoenix App connects people in recovery with supportive peers and sober activities. During a 6-week engagement I:

  • Reviewed the Swift / Combine codebase against OWASP MASVS & CWE baselines

  • Performed static, dynamic & runtime analysis with cutting-edge tooling (Frida, Objection, Grapefruit, IDA, Hopper Disassembler)

  • Executed penetration tests on auth, API, storage, and Bluetooth modules

  • Verified privacy compliance (PII minimisation, GDPR, HIPAA alignment)

  • Delivered a comprehensive report, threat model, and remediation roadmap

Features (Audit Scope)

Threat Modeling & Design Review

  • Data-flow mapping, STRIDE analysis, abuse-case workshop

  • Validation of encryption, Keychain usage, and Secure Enclave binding

Code & Dependency Review

  • Manual SwiftLint walkthroughs

  • CVE triage

Static & Dynamic Testing

  • class-dump, LLDB, and runtime hook tests for jailbreak / tamper resistance

  • TLS pinning, ATS policy, and certificate revocation checks

API & Backend Validation

  • OWASP API Top 10 penetration tests

  • Token life-cycle, refresh-flow, and device binding verification

Compliance & Best-Practice Hardening

  • MASVS-L2 checklist pass (storage, crypto, network, auth, platform)

  • Added Secure Coding Guidelines to engineering playbook and CI gates
LEDGE.DIGITAL

© 2019–2025

Marko Lihter