Confidential — Lodestar engagement material · authorized recipients only
Xari, LLC · Cyber-Physical Systems Security

LodeStar Companion App — Security Audit Snapshot

Lodestar v2.0.15 · com.xari.lodestar · Android (APK) · Surface §6 (OWASP MASVS) · 2026-06-12
Risk score 65/100 · MODERATE (advisory; weighted by finding severity) · 1 High · 2 Medium · 3 Low · 1 Info

Why the app is in scope

The companion app is not a peripheral — it is the sole privileged-command path to the LNK9. Enroll, PIN reset, unlock, lock and owner add/remove all leave the phone as an authenticated BLE command. In a Cyber-Physical System whose successful authentication mechanically releases the trigger sear, compromise of the app is compromise of the gun. That is why §6 is audited with the same rigor as the radio link itself.

How this snapshot was produced

Local · zero-trust · read-only

No third-party cloud, no Docker, no upload of Lodestar's binary anywhere. The APK/IPA is analyzed entirely on the analyst's machine and only ever read — nothing is transmitted to the firearm or the network.

Flutter-aware static analysis

LodeStar is a Flutter app, so the business logic and the BLE command contract live in the AOT-compiled Dart snapshot, lib/arm64-v8a/libapp.so, not in the Java/DEX layer; DEX holds only the Flutter embedding and plugin glue, which is why a DEX-only scanner reports an almost empty app. The engine mines that native binary directly. String literals (URLs, UUIDs, keys) are stored contiguously in the snapshot's read-only data, so they are recoverable by a printable-run scan even though the surrounding code is machine code. Note that Flutter's --obfuscate option only renames Dart identifiers and leaves string literals intact, so this recovery works on obfuscated builds as well.
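How that string mining works, as an added Python example that is not part of Xari's audit console: a pass over a constructed byte buffer standing in for a region of libapp.so. It recovers printable runs the way `strings` does, then pulls out URLs, vendor-defined 128-bit BLE UUIDs (Bluetooth SIG base UUIDs filtered out) and Google API-key-shaped tokens, and flags non-production hosts by hyphenated markers in the hostname rather than by the bare substring "dev", which would misfire on the .dev top-level domain (pub.dev, flutter.dev). The buffer layout, the AIza… placeholder and the api.example.com URL are constructed; the two UUIDs and the Azure host are the page's own.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed stand-in for a region of libapp.so. Dart AOT one-byte string
# literals sit contiguously in the snapshot's read-only data, separated by
# object headers and padding that are not printable ASCII, so a printable-run
# scan recovers them. NOT the real Lodestar binary; the AIza token is fake.
SAMPLE_LIBAPP = (
    b"\x00\x00\x10\x02"
    b"https://lodestarbackendwebapi20241104160008-dev.azurewebsites.net/api"
    b"\x00\x00\x08\x01"
    b"16b438e5-9e6e-4266-b840-075af903c106"
    b"\x00\x7f\x00\x00"
    b"16b438e5-9e6e-4266-b841-175af903c106"
    b"\x00\x00\x00\x0a"
    b"00002a00-0000-1000-8000-00805f9b34fb"  # SIG-assigned (Device Name), to be filtered
    b"\x00\x00"
    b"https://pub.dev/"
    b"\x00\x00"
    b"AIzaSyFAKEKEY" + b"0" * 26  # key-shaped placeholder, not a real key
    + b"\x00\x00\x12\x00"
    b"https://api.example.com/v1"
    b"\x00\x00"
)

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
UUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")
GOOGLE_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")
SIG_BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"
# Hyphenated markers only: matching the bare substring "dev" would flag the
# .dev TLD (pub.dev, flutter.dev) and bury the real finding in noise.
NONPROD_MARKERS = ("-dev", "-staging", "-stage", "-test", "-qa", "-uat", "localhost", "ngrok")


def mine_strings(blob: bytes) -> List[str]:
    """Printable ASCII runs of 6+ bytes, like `strings`, decoded to str."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def is_nonprod(url: str) -> bool:
    """Non-production if the hostname (not the path, not the TLD) carries a marker."""
    host = (urlsplit(url).hostname or "").lower()
    return any(marker in host for marker in NONPROD_MARKERS)


def custom_ble_uuids(strings: List[str]) -> List[str]:
    """128-bit UUIDs off the Bluetooth SIG base; those on it are standard services/chars."""
    seen: List[str] = []
    for s in strings:
        for u in UUID_RE.findall(s):
            u = u.lower()
            if not u.endswith(SIG_BASE_SUFFIX) and u not in seen:
                seen.append(u)
    return seen


def audit_strings(blob: bytes) -> Dict[str, object]:
    """Everything the Network and BLE tabs need from one pass over the binary."""
    strings = mine_strings(blob)
    urls = [(u, is_nonprod(u)) for s in strings for u in URL_RE.findall(s)]
    keys = [k for s in strings for k in GOOGLE_KEY_RE.findall(s)]
    return {"urls": urls, "ble_uuids": custom_ble_uuids(strings), "google_api_keys": keys}


if __name__ == "__main__":
    report = audit_strings(SAMPLE_LIBAPP)
    for url, nonprod in report["urls"]:
        print(("NON-PROD  " if nonprod else "          ") + url)
    print("custom BLE UUIDs:", report["ble_uuids"])
    print("API-key-shaped tokens:", len(report["google_api_keys"]))
```

On a real APK the blob is the unpacked lib/arm64-v8a/libapp.so read as bytes; two-byte (UTF-16) Dart strings are not caught by an ASCII run scan and need a separate pass.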

What we found

Severity · MASVS category · Test ID · Finding

High · MASVS-CODE · MOB-001 · Non-production backend endpoint shipped in release build
  A development/staging API base URL is embedded in the shipped release build. Dev backends are commonly weaker (verbose errors, looser auth, test data) and widen the attack surface against the firearm's command/cloud path. Static recovery shows the URL is present, not that it is the active base URL at runtime; confirm with a traffic capture whether the app actually talks to it (including the log-upload path) before rating impact.

Medium · MASVS-RESILIENCE · MOB-001 · App signed with a development identity
  The signing certificate's subject names a Development identity (OU=Development) rather than a guarded production release key. The distinguished name is the only indicator here, and the certificate's 27-year validity is what a long-lived release key looks like, so review the release signing process and key custody (who holds the key, whether Play App Signing is used) rather than judging from the subject alone.

Medium · MASVS-PLATFORM · MOB-004 · 1 app-owned exported component(s)
  Exported components are reachable by other apps on the device. Seven components are exported in total; six belong to Firebase, Play services, Flutter and AndroidX, and one (MainActivity) is the app's own. Confirm it validates the intents it receives and cannot be steered by an incoming intent into a privileged flow.

Low · MASVS-NETWORK · MOB-001 · No Network Security Config
  No explicit network_security_config.xml. Cleartext is off by default for targetSdk ≥ 28, so this is not a cleartext exposure today, but a safety-critical app should state its transport policy explicitly: cleartext disabled for every domain, user-added CAs not trusted, and certificate pinning for the backend host (with a backup pin and an expiry date, so a certificate rotation does not brick the command path).

Low · MASVS-CODE · MOB-001 · Firebase API key embedded
  A Firebase/Google API key is shipped in the app. This is normal (the key identifies the project; it does not authorize access) but it must be restricted: bind it to the Android app (package name plus signing-certificate SHA-1) and to the APIs the app needs in the Google Cloud console, and rely on Firebase Security Rules and App Check for authorization. Left unrestricted it lets anyone drive the project's backend and burn its quota.

Low · MASVS-CODE · MOB-001 · Sentry DSN embedded
  A Sentry DSN is embedded (expected for crash reporting). A DSN is an ingestion-only credential, so the exposure is event spoofing and quota exhaustion, not read-back of existing data; confirm rate limits and spike protection are on for the project and that no personal data is attached to events.

Info · MASVS-CODE · BLE-003 · Proprietary BLE GATT contract recovered (15 UUIDs)
  The app's custom BLE service/characteristic UUIDs were recovered from the binary. These are the LNK9 command channel: classify which characteristic commands the sear and gate it under the safety interlock when probing (BLE-003).
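The exported-component mapping behind the MOB-004 finding, as an added Python example that is not Xari's tool: it parses a constructed AndroidManifest.xml (modelled on the component classes the Surface tab lists; FirmwareUpdateReceiver and PinResetActivity are hypothetical, and the permission attributes are illustrative), computes the effective exported state the platform would apply, marks app-owned components by package prefix, and returns the rows a reviewer must read. It carries the targetSdk caveat that matters for this app: with targetSdkVersion 35, a component that has an intent-filter but no explicit android:exported is an install-time error, so the function reports it as None rather than guessing.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest modelled on the component classes the Surface tab lists.
# NOT the app's real AndroidManifest.xml: FirmwareUpdateReceiver and
# PinResetActivity are hypothetical, and the permission attributes are illustrative.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.xari.lodestar">
  <uses-sdk android:minSdkVersion="29" android:targetSdkVersion="35"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name="com.google.firebase.auth.internal.GenericIdpActivity"
        android:exported="true">
      <intent-filter><action android:name="android.intent.action.VIEW"/></intent-filter>
    </activity>
    <service android:name="com.google.android.gms.auth.api.signin.RevocationBoundService"
        android:exported="true"/>
    <receiver android:name="androidx.profileinstaller.ProfileInstallReceiver"
        android:exported="true" android:permission="android.permission.DUMP">
      <intent-filter><action android:name="androidx.profileinstaller.action.INSTALL_PROFILE"/></intent-filter>
    </receiver>
    <!-- hypothetical: intent-filter present, android:exported missing (invalid at targetSdk 31+) -->
    <receiver android:name=".FirmwareUpdateReceiver">
      <intent-filter><action android:name="com.xari.lodestar.FIRMWARE_READY"/></intent-filter>
    </receiver>
    <!-- hypothetical: no filter, no attribute, so not exported -->
    <activity android:name=".PinResetActivity"/>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def resolve_name(name: str, package: str) -> str:
    """Expand the manifest shorthand '.Foo' (and bare 'Foo') to a fully qualified class name."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def effective_exported(comp: ET.Element, target_sdk: int) -> Optional[bool]:
    """Exported state as the platform applies it. An explicit android:exported wins.
    Without it, a component with an <intent-filter> was implicitly exported before
    Android 12; from targetSdk 31 that case must be declared explicitly or the APK
    does not install, so it is reported as None (manifest error) rather than guessed."""
    explicit = comp.get(ANDROID + "exported")
    has_filter = comp.find("intent-filter") is not None
    if explicit is not None:
        return explicit.strip().lower() == "true"
    if has_filter and target_sdk >= 31:
        return None
    return has_filter


def map_surface(manifest_xml: str) -> List[Dict[str, object]]:
    """One row per component: kind, resolved name, exported state, ownership, permission guard."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    sdk = root.find("uses-sdk")
    target_sdk = int(sdk.get(ANDROID + "targetSdkVersion", "0")) if sdk is not None else 0
    app = root.find("application")
    rows: List[Dict[str, object]] = []
    for comp in (app if app is not None else []):
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = resolve_name(comp.get(ANDROID + "name", ""), package)
        rows.append({
            "kind": comp.tag,
            "name": name,
            "exported": effective_exported(comp, target_sdk),
            "app_owned": name.startswith(package + "."),
            "permission": comp.get(ANDROID + "permission"),
        })
    return rows


def rows_to_scrutinise(manifest_xml: str) -> List[Dict[str, object]]:
    """App-owned components another app can reach without holding a permission:
    exported, or of undetermined state because the manifest omits the attribute."""
    return [r for r in map_surface(manifest_xml)
            if r["app_owned"] and r["exported"] is not False and r["permission"] is None]


if __name__ == "__main__":
    for r in map_surface(SAMPLE_MANIFEST):
        mark = "◆" if r["app_owned"] else " "
        print(f"{mark} {r['kind']:<9} {r['name']:<70} exported={r['exported']}")
```

On a real APK the manifest is binary XML; decode it first (for example with apktool or aapt2 dump xmltree) and feed the text form to map_surface.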

The crown jewel — the BLE command contract, recovered from the app

From the shipped app alone, no firmware, no chip extraction, we recovered the LNK9's proprietary GATT contract: 15 custom 128-bit service/characteristic UUIDs, none on the Bluetooth SIG base, so all vendor-defined. Somewhere in this set is the handle whose write the firmware reads as the unlock/owner command. This is the map of the gun's command channel and the starting point for the live BLE testing (BLE-003). It is a map, not an exploit: static recovery tells us which handles exist, not what authentication or pairing state the firmware requires before it honours a write to them, and establishing that, under the safety interlock, is what BLE-003 is for.

◈ 36b438e5-9e6e-4266-b841-275af903c106
◈ 36b438e5-9e6e-4266-b841-675af903c106
◈ 16b438e5-9e6e-4266-b841-175af903c106
◈ 26b438e5-9e6e-4266-b841-175af903c106
◈ 16b438e5-9e6e-4266-b840-075af903c106
◈ 16b438e5-9e6e-4266-b841-275af903c106
◈ 26b438e5-9e6e-4266-b841-275af903c106
◈ 16b438e5-9e6e-4266-b841-375af903c106
◈ 36b438e5-9e6e-4266-b840-075af903c106
◈ 26b438e5-9e6e-4266-b840-075af903c106
◈ 16b438e5-9e6e-4266-b841-075af903c106
◈ 26b438e5-9e6e-4266-b841-075af903c106
◈ 36b438e5-9e6e-4266-b841-175af903c106
◈ 36b438e5-9e6e-4266-b841-575af903c106
◈ 36b438e5-9e6e-4266-b841-075af903c106
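The grouping step a reviewer does before pinning privileged_chars, as an added Python example (not the console's code) over the 15 UUIDs above. The structural reading it encodes is a hypothesis, not a recovered fact: the set varies at exactly three hex positions (the first nibble, the last nibble of the fourth group, and the first nibble of the fifth), so the first nibble plausibly selects one of three services, the b840-0… member of each family is plausibly the service UUID, and the b841-N… members are characteristics indexed by N. Live primary-service discovery in BLE-003 either confirms this layout or refutes it.

```python
from collections import defaultdict
from typing import Dict, List, Optional

# The 15 UUIDs exactly as the console recovered them from libapp.so.
RECOVERED = [
    "36b438e5-9e6e-4266-b841-275af903c106",
    "36b438e5-9e6e-4266-b841-675af903c106",
    "16b438e5-9e6e-4266-b841-175af903c106",
    "26b438e5-9e6e-4266-b841-175af903c106",
    "16b438e5-9e6e-4266-b840-075af903c106",
    "16b438e5-9e6e-4266-b841-275af903c106",
    "26b438e5-9e6e-4266-b841-275af903c106",
    "16b438e5-9e6e-4266-b841-375af903c106",
    "36b438e5-9e6e-4266-b840-075af903c106",
    "26b438e5-9e6e-4266-b840-075af903c106",
    "16b438e5-9e6e-4266-b841-075af903c106",
    "26b438e5-9e6e-4266-b841-075af903c106",
    "36b438e5-9e6e-4266-b841-175af903c106",
    "36b438e5-9e6e-4266-b841-575af903c106",
    "36b438e5-9e6e-4266-b841-075af903c106",
]


def varying_positions(uuids: List[str]) -> List[int]:
    """Character positions (0-35, hyphens counted) at which the set is not constant."""
    uuids = [u.lower() for u in uuids]
    return [i for i, col in enumerate(zip(*uuids)) if len(set(col)) > 1]


def candidate_layout(uuids: List[str], family_pos: Optional[int] = None) -> Dict[str, Dict[str, object]]:
    """HYPOTHESIS, to be confirmed by live GATT discovery: one varying position selects a
    service family; within a family the member whose other varying positions are all '0'
    is the service UUID and the rest are characteristics indexed by the last varying position."""
    uuids = [u.lower() for u in uuids]
    var = varying_positions(uuids)
    if len(var) < 2:
        raise ValueError("set varies in fewer than two positions; no family/index structure")
    if family_pos is None:
        family_pos = var[0]
    others = [p for p in var if p != family_pos]
    families: Dict[str, List[str]] = defaultdict(list)
    for u in uuids:
        families[u[family_pos]].append(u)
    layout: Dict[str, Dict[str, object]] = {}
    for key, members in sorted(families.items()):
        services = [u for u in members if all(u[p] == "0" for p in others)]
        chars = [u for u in members if u not in services]
        layout[key] = {
            # exactly one all-zero member per family, otherwise the hypothesis fails for it
            "service": services[0] if len(services) == 1 else None,
            "characteristics": {int(u[others[-1]], 16): u for u in sorted(chars)},
        }
    return layout


def describe(layout: Dict[str, Dict[str, object]]) -> str:
    """Human-readable map; privilege of every handle stays UNKNOWN until BLE-003."""
    lines = []
    for key, fam in layout.items():
        lines.append(f"family {key}: service {fam['service'] or '?'}")
        for idx, u in sorted(fam["characteristics"].items()):
            lines.append(f"  char[{idx}] {u}    privileged: UNKNOWN until BLE-003")
    return "\n".join(lines)


if __name__ == "__main__":
    print("varying positions:", varying_positions(RECOVERED))
    print(describe(candidate_layout(RECOVERED)))
```

On this set it yields three candidate services with 4, 3 and 5 characteristics (15 handles in total). The gap at indices 3 and 4 in the third family means either handles the app never references or strings the scan did not recover; the live enumeration settles that too. The index says nothing about privilege: which handle commands the sear is exactly what remains to be classified.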

The console

Every figure below is a live screen of the audit console running against the real build — the same tool, keyboard-driven, that produced the findings above. Tabs: Overview Findings Surface Network BLE.

Figure: Overview tab · LodeStar App Audit, Xari, LLC · ENG-LODESTAR-LNK9 · §6 MASVS · 19:44:48
Lodestar 2.0.15 · com.xari.lodestar · score 65/100 MODERATE · tabs: Overview Findings Surface Network BLE Help

Application
  Name             Lodestar
  Package/Bundle   com.xari.lodestar
  Version          2.0.15 (27)
  Platform         Android (APK)
  SDK / min OS     29 → 35
  SHA-256          b39acd2dbaee8cd9bbd5f4d0c62171e7…

Risk score (advisory; weighted by finding severity)   65/100  MODERATE
  0 critical · 1 high · 2 medium · 3 low · 1 info

Signing identity
  subject      Common Name: Xari, Organizational Unit: Development, Organization: Xar… (truncated on screen)
  sha256       85 18 93 1B 78 46 F4 EE E9 AF 69 44 E5 2D 55 B4 AC 52 0F 9F 9C F9 68 E… (truncated on screen)
  not_before   2025-12-01 20:47:15+00:00
  not_after    2053-04-18 20:47:15+00:00

Manifest / transport flags
  debuggable              unset (default)
  allowBackup             false
  usesCleartextTraffic    unset (default)
  networkSecurityConfig   unset

Analysis log
  · mapping exported components (attack surface)
  · reading signing certificate…
  · extracting Firebase / google-services config…
  · mining Dart AOT strings from lib/arm64-v8a/libapp.so…
  · evaluating MASVS findings…
  · done · 7 findings · risk score 65/100
  ✓ analysis complete · 7 findings (1 high/2 med/3 low) · score 65/100
  ★ recovered 15 proprietary BLE UUIDs — the LNK9 command contract (see BLE tab)

Footer: App Audit · score 65/100 │ Tab/1-6 tabs │ 'e' export evidence │ 'q' quit

Overview — Identity, signing certificate, manifest/transport flags and an objective risk score.
Figure: Findings tab · 19:44:48 · 7 findings (highest severity first)

● High    Non-production backend endpoint shipped in release build    MASVS-CODE · MOB-001
  evidence: https://lodestarbackendwebapi20241104160008-dev.azurewebsites.net/api
            https://lodestarbackendwebapi20241104160008-dev.azurewebsites.net/api/support/upload-logs
            https://pub.dev/

▲ Medium  App signed with a development identity                      MASVS-RESILIENCE · MOB-001
  evidence: Common Name: Xari, Organizational Unit: Development, Organization: Xari, Locality: Quito, State/Province: Pichincha, Cou… (truncated on screen)

▲ Medium  1 app-owned exported component(s)                           MASVS-PLATFORM · MOB-004
  evidence: activity:MainActivity

■ Low     No Network Security Config                                  MASVS-NETWORK · MOB-001
  (remaining findings scrolled off screen)

Finding descriptions are as in the table above; the analysis log and footer repeat those of the Overview figure.

Findings — Every finding mapped to OWASP MASVS and the engagement test IDs, ranked by severity. Note the third evidence item under the High finding: https://pub.dev/ is the Dart package registry, matched by the non-production heuristic on its .dev top-level domain. It is a false positive, not a backend, and should be dropped from the evidence; the two azurewebsites.net URLs are the finding. The second of those is a log-upload endpoint, so the exposure is not only a weaker command/cloud path but diagnostic data leaving the device for a dev host.
Figure: Network tab · 19:44:49

Backend URLs (recovered from the binary)
  https://f08db72692cd5ff40a502c8c3cf640fd@o4510222281736192.ingest.us.sentry.io/4510222282784768   (Sentry DSN)
  https://github.com/flutter/flutter.git
  https://github.com/getsentry/sentry-dart/issues
  https://lodestarbackendwebapi20241104160008-dev.azurewebsites.net/api   (non-prod)
  https://lodestarbackendwebapi20241104160008-dev.azurewebsites.net/api/support/upload-logs   (non-prod)
  https://lodestartech.com/faq.html
  https://lodestartech.com/terms-and-conditions.html
  https://play.google.com/store/apps/details?id=com.xari.lodestar
  https://pub.dev/

Hosts / domains
  api.flutter.dev · com.sec.android.app · dart.io · dexterous.com · flutter.baseflow.com · flutter.dev · flutter.io · github.com · google.com · lodestar-dacdd.firebasestorage.app · lodestarbackendwebapi20241104160008-dev.azurewebsites.net · lodestartech.com · o4510222281736192.ingest.us.sentry.io · play.google.com · plugins.flutter.dev · plugins.flutter.io · pub.dev · talsec.app

Firebase / cloud config
  google_api_key          AIzaSyBEmjeHWXn42yXnFIfTp11VkDwuRuNr5-0
  google_app_id           1:159231774849:android:f1fd5b2e48b815e2013d80
  gcm_defaultSenderId     159231774849
  default_web_client_id   159231774849-fk1uqn3rs3jg2v2uholeiukk938po0vt.apps.googleusercontent.com
  project_id              lodestar-dacdd

Embedded secrets (redacted)

The analysis log and footer repeat those of the Overview figure.

Network & secrets — Backend URLs (non-production flagged), Firebase project, embedded secrets — redacted. Three reading notes. The "Hosts / domains" list is over-inclusive: com.sec.android.app, dart.io and dexterous.com are reverse-domain identifiers (a package prefix, a library name, a plugin namespace), not network hosts. talsec.app is the domain of Talsec, maker of the freeRASP runtime-protection SDK, which suggests a RASP layer is bundled and is worth checking when assessing MASVS-RESILIENCE. And although the "Embedded secrets" section is marked redacted, the Sentry DSN (with its public key) and the Firebase google_api_key are displayed in full in the sections above it; mask them before this snapshot circulates beyond the authorized recipients.
Figure: Surface tab · 19:44:49

Exported components (reachable by other apps: the on-device surface) · ◆ = app-owned (not a framework component), the rows to scrutinise
  activity (3 exported)
    ◆ com.xari.lodestar.MainActivity                                       exported, intent-filter
      com.google.firebase.auth.internal.GenericIdpActivity                  exported, intent-filter
      com.google.firebase.auth.internal.RecaptchaActivity                   exported, intent-filter
  service (1 exported)
      com.google.android.gms.auth.api.signin.RevocationBoundService         exported
  receiver (3 exported)
      io.flutter.plugins.firebase.messaging.FlutterFirebaseMessagingReceiver   exported, intent-filter
      com.google.firebase.iid.FirebaseInstanceIdReceiver                    exported, intent-filter
      androidx.profileinstaller.ProfileInstallReceiver                      exported, intent-filter

Permissions (35 declared · 14 elevated; ⚑ = elevated) · list truncated on screen after the eighth entry
    ACCESS_ADSERVICES_AD_ID
    ACCESS_ADSERVICES_ATTRIBUTION
  ⚑ ACCESS_COARSE_LOCATION   (android.permission.ACCESS_COARSE_LOCATION)
  ⚑ ACCESS_FINE_LOCATION     (android.permission.ACCESS_FINE_LOCATION)
  ⚑ ACCESS_MEDIA_LOCATION    (android.permission.ACCESS_MEDIA_LOCATION)
    ACCESS_NETWORK_STATE
    ACCESS_WIFI_STATE
  ⚑ BLUETOOTH                (android.permission.BLUETOOTH)
    …

The analysis log and footer repeat those of the Overview figure.

Attack surface — Exported components reachable by other apps, plus the declared permission set. Six of the seven exported components are Firebase, Play services, Flutter or AndroidX classes; MainActivity is the app-owned one and is the row the MOB-004 finding refers to.
Figure: BLE tab · 19:44:50

Proprietary BLE GATT contract (the LNK9 command channel)
  These custom service/characteristic UUIDs were recovered from the app binary. They are the exact handles the app uses to talk to the gun, including, somewhere in this set, the one whose write the firmware reads as the unlock/owner command.
  (the same 15 UUIDs listed under "The crown jewel" above)

Next step
  · Pin these in targets.local.yaml → privileged_chars (UUID → what it commands).
  · Cross-check against the live GATT enumeration ('e' in the air monitor, BLE-003).
  · Any write probe to the command characteristic is gated by the safety interlock.

The analysis log and footer repeat those of the Overview figure.

BLE command contract — The proprietary GATT service/characteristic UUIDs recovered straight from the app binary.