CVE-2014-5903
Description
Mobile@Work for Android fails to validate SSL certificates, enabling MITM attacks to steal sensitive data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Mobile@Work application (com.mobileiron) version 6.0.0.1.12R for Android does not properly validate X.509 certificates from SSL servers [1]. This means the app accepts any certificate presented during an HTTPS connection, including self-signed or forged certificates. The vulnerability was identified as part of a broader study of Android apps that fail SSL validation [2].
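One way to look for this class of flaw when reviewing Android source, as an added example that is not from the advisory or from MobileIron: a heuristic scan of Java code for constructs that accept any certificate or hostname. The rule set and both sample snippets are constructed assumptions about common causes; the references do not show the app's code.

```python
import re

# Heuristic signatures of Java code that accepts any server certificate or
# hostname. Assumed common causes; the advisory does not show the app's code.
RULES = {
    "empty checkServerTrusted": re.compile(
        r"void\s+checkServerTrusted\s*\([^)]*\)[^{;]*\{\s*(?:return\s*;\s*)?\}"),
    "verify() always true": re.compile(
        r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}"),
    "ALLOW_ALL_HOSTNAME_VERIFIER": re.compile(r"\bALLOW_ALL_HOSTNAME_VERIFIER\b"),
    "onReceivedSslError proceeds": re.compile(
        r"onReceivedSslError\s*\([^)]*\)\s*\{[^}]*\.proceed\s*\(\s*\)"),
}

def strip_comments(src):
    """Drop comments (keeping line breaks) so a comment-only body is empty."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"), src, flags=re.S)
    return re.sub(r"(?<!:)//[^\n]*", "", src)  # (?<!:) spares "https://" literals

def scan(src):
    """Return sorted (line_number, rule_name) findings for Java source text."""
    clean = strip_comments(src)
    return sorted((clean.count("\n", 0, m.start()) + 1, name)
                  for name, rx in RULES.items() for m in rx.finditer(clean))

# Constructed sample: a trust manager and hostname verifier that check nothing.
VULNERABLE = """\
class TrustAll implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] c, String a) {}
    public void checkServerTrusted(X509Certificate[] c, String a) {
        // accept everything
    }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
class AnyHost implements HostnameVerifier {
    public boolean verify(String host, SSLSession s) { return true; }
}
"""

# Constructed sample: validation left to the platform trust store.
HARDENED = """\
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore) null);  // platform trust store
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, tmf.getTrustManagers(), null);
"""

if __name__ == "__main__":
    print(scan(VULNERABLE), scan(HARDENED))
```

A clean result from a pattern scan like this does not prove validation is correct; it only flags the most common ways it gets switched off.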
Exploitation
An attacker on the same network as the Android device (e.g., public Wi-Fi) can perform a man-in-the-middle (MITM) attack. By presenting a crafted certificate that the app does not verify, the attacker can intercept and decrypt HTTPS traffic between the app and its servers. No additional authentication or user interaction is required beyond the device connecting to the network.
Impact
Successful exploitation allows the attacker to view or modify network traffic that should have been protected by HTTPS. This can lead to credential theft, exposure of sensitive corporate data, or potentially arbitrary code execution depending on the app's functionality [1]. The attacker gains the ability to spoof the legitimate server and obtain sensitive information.
Mitigation
The vendor (MobileIron) should release an updated version that properly validates SSL certificates. As of the publication date (2014-09-15), no fix is mentioned in the references. Users are advised to avoid using the affected app until a patch is available, or to use alternative means (e.g., web browser) to access the same services [1]. The app is listed among many that failed dynamic SSL testing [2].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mobileiron:mobile\@work:6.0.0.1.12r:*:*:*:*:android:*:*
- (no CPE) range: = 6.0.0.1.12R
Patches
No patches discovered yet.
References
- www.kb.cert.org/vuls/id/582497 (nvd; Third Party Advisory; US Government Resource)
- www.kb.cert.org/vuls/id/823529 (nvd; US Government Resource)
- docs.google.com/spreadsheets/d/1t5GXwjw82SyunALVJb2w0zi3FoLRIkfGPc7AMjRF0r4/edit (nvd)