CVE-2014-5957

Vulnerability

The Alien War Survivors application (com.ly.a13.gp) version 1.3.1 for Android does not properly verify X.509 certificates from SSL servers [1]. This means the app accepts any certificate presented during an HTTPS connection, including self-signed or forged certificates, without checking the chain of trust.

Exploitation

An attacker positioned on the same network as the victim (e.g., on a public Wi-Fi) can perform a man-in-the-middle attack. By presenting a crafted certificate, the attacker can intercept the HTTPS connection between the app and its server. No additional authentication or user interaction is required beyond the victim using the app over the compromised network.

Impact

Successful exploitation allows the attacker to view and modify network traffic that should have been protected by HTTPS. This can lead to disclosure of sensitive information transmitted by the app, such as login credentials or personal data. In some cases, arbitrary code execution may be possible if the app processes attacker-controlled data [1].

Mitigation

No official patch has been released for version 1.3.1. The CERT/CC recommends not using affected applications and instead accessing the same content via a web browser, which typically implements proper SSL validation [1]. Users should uninstall the app until a fix is available.