Xpoint: unsigned iOS SDK + findable SDK = client-side coordinate injection
What we obtained. Raw iOS and Mac Xpoint SDKs (Mar 24 weekly sync). The iOS SDK is unsigned, the SDK module is findable, and the response payload returns raw coordinates + compliance decision in plaintext.
What it means. An attacker can patch the app to inject coordinates, placing the user inside a permitted jurisdiction before every compliance check. The trust boundary is on the client. This is not a bug — it's an architectural exposure.
Cross-reference. May 5 monthly brief documents "XPoint returns compliance decisions and raw coordinates in plaintext to the client with a public GPS injection method." Magisk bypass on Bet365 XPoint Verify is publicly discussed on Reddit (Apr 7 + Apr 14) — two users offering help.
Why it matters. SDK hardening (signed binaries, obfuscation, license-bound runtime) is a category-defining requirement for regulated gaming geo. Xpoint sells on developer-friendliness, but for a regulator-facing compliance product the same property is the structural problem.