Audit Reports - Summary & Comparison

Report Date: 26/11/2025
Auditor: Jonas Ockerman
Audit Type: Comprehensive Security & Code Quality Audit Comparison

Executive Summary

This document provides a comprehensive summary and comparison of security and code quality audits conducted for three Flutter mobile applications: Tinq4U, SuperTank, and Gulf. All three applications share similar technology stacks and face comparable challenges, with some unique issues per application.

Overall Assessment: All three applications have High Risk ratings, primarily due to critical security issues, complete absence of test suites, and unencrypted sensitive data storage.

Applications Overview

Application	Version	Flutter Version	Audit Date	Risk Level	Report
Tinq4U	1.6.24	3.24.5	24/11/2025	High Risk	View Report
SuperTank	1.20.0	3.24.5	25/11/2025	High Risk	View Report
Gulf	1.0.0+23	3.24.3	26/11/2025	High Risk	View Report

Issue Count Comparison

Issues by Application

Issue Count by Priority

Application	Critical	High	Medium	Low	Total
Tinq4U	2	3	5	4	14
SuperTank	2	4	5	3	14
Gulf	2	3	5	4	14

Common Critical Issues Across All Apps

All three applications share the following critical security and quality issues:

1. Sensitive Files in Repository

Status: ❌Critical - All Apps

Findings:

Tinq4U: Keystores, private keys, service account credentials stored in android-src-files/ and apple-src-files/
SuperTank: Keystore file, private keys, push certificate passwords in android-assets/ and ios-assets/
Gulf: Keystore file (gulfforyou.keystore.jks) in android-assets/

Impact: Credentials exposed in version control, potential for unauthorized access, repository bloat

Recommendation: Move all sensitive files to centralized secrets management, remove from repositories, rotate all exposed credentials

2. Complete Absence of Test Suite

Status: ❌Critical - All Apps

Findings:

All Apps: No unit tests, integration tests, or UI/widget tests
All Apps: No test directory structure
All Apps: No test execution in CI/CD pipelines
Gulf: flutter_test dependency commented out in pubspec.yaml

Impact: High risk of introducing bugs, UI regressions, and breaking changes without detection. No safety net for refactoring.

Recommendation: Implement comprehensive test suite with unit, integration, and UI tests. Add test execution to CI/CD pipelines.

3. Unencrypted Sensitive Data Storage

Status: ❌High - All Apps

Findings:

All Apps: Access tokens, refresh tokens, usernames, UIDs, and email addresses stored in plain text in SQLite database
All Apps: No encryption at rest for sensitive user data
All Apps: Database files can be extracted and read directly

Impact: Sensitive authentication data accessible on device without encryption. Risk of credential theft on compromised devices.

Recommendation: Migrate sensitive data to flutter_secure_storage. Use Android Keystore/iOS Keychain for credentials. Encrypt database file or sensitive columns using SQLCipher.

Unique Issues by Application

Tinq4U Unique Issues

Certificate validation override: Custom HTTP override accepts invalid SSL certificates for specific host
Moor database: Uses older Moor database (migrated from, but references remain)

SuperTank Unique Issues

Certificate validation can be disabled: Via Firebase Remote Config, staging always uses AllowAllOverride
Code obfuscation enabled: Unlike Gulf, SuperTank has obfuscation enabled (positive)
Build number offset: Uses PROJECT_BUILD_NUMBER + 100 calculation
Null safety issue: Internal package flutter_markedeer_mobile_content not null safety compliant, blocking upgrades

Gulf Unique Issues

Code obfuscation disabled: Code obfuscation and minification not configured (critical issue)
Same endpoint for staging/production: Both environments use https://www.gulftankstations.nl (unusual)
Local path dependency: markedeer_dynamic_form_builder uses local path instead of Git
OneSignal location sharing: Location permission requested (may share location)
No build number offset: Uses PROJECT_BUILD_NUMBER directly

Security Comparison

Security Assessment Comparison

Security Aspect	Tinq4U	SuperTank	Gulf
Sensitive Files in Repo	❌Fail	❌Fail	❌Fail
Unencrypted Data Storage	❌Fail	❌Fail	❌Fail
Network Security	❌Fail	❌Fail	⚠️Warning
Code Obfuscation	❌Fail	✅Pass	❌Fail
Authentication	⚠️Warning	⚠️Warning	⚠️Warning

Code Quality Comparison

Quality Aspect	Tinq4U	SuperTank	Gulf
Code Structure	⚠️Warning	⚠️Warning	⚠️Warning
Error Handling	⚠️Warning	⚠️Warning	⚠️Warning
State Management	⚠️Warning	⚠️Warning	⚠️Warning
Code Duplication	⚠️Warning	⚠️Warning	⚠️Warning
Best Practices	⚠️Warning	⚠️Warning	⚠️Warning

Testing & Quality Assurance

Status: ❌Fail - All Apps

All three applications have 0% test coverage with no test infrastructure in place:

No unit tests
No integration tests
No UI/widget tests
No test execution in CI/CD
No test dependencies configured (or commented out)

Recommendation: Implement comprehensive test suites for all applications as a top priority.

Dependencies Comparison

Dependency Aspect	Tinq4U	SuperTank	Gulf
Outdated Packages	❌Fail	❌Fail (39 outdated)	❌Fail
Deprecated Packages	⚠️Warning	⚠️Warning	⚠️Warning
Vulnerability Scanning	⚠️None	⚠️None	⚠️None
License Compliance	⚠️Warning	⚠️Warning	⚠️Warning

Common Issues:

All apps use Git branch dependencies (ref: stable) instead of version tags
All apps have deprecated packages requiring migration (package_info, share)
All apps lack automated vulnerability scanning
All apps have no license compliance documentation

Performance Comparison

Performance Aspect	Tinq4U	SuperTank	Gulf
Code Minification	❌Disabled	✅Enabled	❌Disabled
Resource Shrinking	❌Disabled	✅Enabled	❌Disabled
Memory Management	⚠️Warning	⚠️Warning	⚠️Warning
Network Performance	⚠️Warning	⚠️Warning	⚠️Warning
Battery Usage	✅Pass	✅Pass	⚠️Warning

Key Differences:

SuperTank is the only app with code obfuscation and minification enabled
Gulf has OneSignal location sharing enabled (battery concern)
All apps share similar memory management and network performance issues

CI/CD & Build Pipeline Comparison

CI/CD Comparison

CI/CD Aspect	Tinq4U	SuperTank	Gulf
Build Configuration	✅Pass	✅Pass	✅Pass
Code Signing Security	❌Fail	❌Fail	❌Fail
Automated Testing	❌None	❌None	❌None
Deployment Process	⚠️Warning	⚠️Warning	⚠️Warning

Common Issues:

All apps use GitFlow branching strategy (suboptimal)
All apps use separate tag-based deployment for staging/production
All apps have no automated testing in CI/CD
All apps have sensitive files in repository despite CI/CD secrets management

Documentation Comparison

Documentation Aspect	Tinq4U	SuperTank	Gulf
README Completeness	❌Template	❌Template	❌Template
API Documentation	❌None	❌None	❌None
Code Documentation	❌Minimal	❌Minimal	❌Minimal

Common Issues:

All apps have template README files (not customized)
All apps mention "Moor" database but use "Drift" (outdated)
All apps lack API documentation
All apps have minimal code comments

User Experience Comparison

UX Aspect	Tinq4U	SuperTank	Gulf
Localization	⚠️Dutch Only	⚠️Dutch Only	⚠️Dutch Only
Error Handling	⚠️Inconsistent	⚠️Inconsistent	⚠️Inconsistent

Common Issues:

All apps support only Dutch locale
All apps have hardcoded Dutch strings
All apps lack centralized error handling
All apps have inconsistent error handling patterns

Overall Recommendations

Immediate Actions (All Apps)

Remove sensitive files from repositories
- Move all keystores, private keys, and credentials to secure storage
- Rotate all exposed credentials
- Add sensitive directories to .gitignore
Implement comprehensive test suites
- Create test directory structure
- Add unit, integration, and UI tests
- Add test execution to CI/CD pipelines
- Target 70% code coverage
Migrate sensitive data to secure storage
- Move tokens and credentials from plain text database to flutter_secure_storage
- Use Android Keystore/iOS Keychain
Enable code obfuscation (Tinq4U & Gulf)
- Enable minifyEnabled and shrinkResources in Android release builds
- Use Flutter's --obfuscate flag
Fix certificate validation (Tinq4U & SuperTank)
- Remove certificate validation override functionality
- Implement proper certificate pinning
- Remove remote config flags that control certificate validation

Short-term Actions

Update outdated dependencies
- Migrate deprecated packages (package_info → package_info_plus)
- Plan major version upgrades for Firebase packages
- Address discontinued packages
Improve documentation
- Update README files (remove template content)
- Fix outdated information (Moor → Drift)
- Create API documentation
- Add code comments to public APIs
Standardize error handling
- Create centralized error handling helpers
- Internationalize error messages
- Ensure consistent patterns across all routes
Migrate from GitFlow to trunk-based development
- Simplify branching strategy
- Implement single tag approach for deployments
- Use feature flags instead of separate entry points

Summary Statistics

Total Issues Across All Apps:

Critical: 6 issues (2 per app)
High: 10 issues (3-4 per app)
Medium: 15 issues (5 per app)
Low: 11 issues (3-4 per app)
Total: 42 issues

Common Patterns:

All apps share 2 critical issues (sensitive files, no tests)
All apps share similar high-priority issues (unencrypted storage, outdated dependencies)
All apps use similar technology stacks and patterns
All apps face similar challenges with documentation and error handling

Positive Findings:

SuperTank has code obfuscation enabled (best practice)
All apps use FVM for Flutter version management (good practice)
All apps use Codemagic for CI/CD (consistent)
All apps use Drift for database (modern choice)

Next Steps

Prioritize critical security fixes across all applications
Implement test infrastructure as foundation for quality improvements
Establish shared best practices and standards across all apps
Create shared tooling for dependency management and security scanning
Document common patterns and architectural decisions

For detailed findings and recommendations, please refer to the individual audit reports: