VYPR
Unrated severity · NVD Advisory · Published Oct 1, 2014 · Updated May 6, 2026

CVE-2014-6854

Description

EyeXam app for Android (1.4) fails to validate SSL certificates, enabling MITM attacks to steal sensitive information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The EyeXam application (com.globaleyeventures.eyexam) version 1.4 for Android does not verify X.509 certificates from SSL servers. This means the app accepts any certificate presented during an HTTPS connection, whether legitimate or not. The vulnerability is part of a broader class of Android apps that fail to properly validate SSL certificates [1] [2].

Exploitation

An attacker positioned on the same network as the Android device (e.g., via a rogue Wi-Fi hotspot) can perform a man-in-the-middle (MITM) attack. By presenting a crafted certificate, the attacker can intercept the HTTPS connection between the app and its backend server. No special privileges on the device are required; the attacker only needs network proximity and the ability to intercept traffic. The app's lack of certificate validation means the attacker's fake certificate is accepted without any trust check [1].

Impact

Successful exploitation allows the attacker to view (disclosure) and potentially modify (integrity violation) all network traffic transmitted by the EyeXam app. Because the app may handle sensitive personal health or identification data related to eye exams, the impact includes credential theft and exposure of private medical information. In some cases, if the app sends data that can be manipulated, arbitrary code execution on the device or backend could be possible depending on the app's functionality [1].

Mitigation

No official patch or updated version has been announced as of the publication date. Users should uninstall or avoid using the EyeXam application until a fix is provided. Alternatively, they can access the service via a web browser over a trusted network or use alternative apps that properly implement SSL chain validation. The app is listed among many that failed dynamic SSL validation testing [1] [2].
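The Vulnerability and Mitigation sections above describe the defect and the fix in words; the following is an added example, not code from the EyeXam app (whose source is not on this page). It assumes the usual cause of this bug class on Android, an overridden trust manager and hostname verifier that accept everything, and shows it beside the corrected form, which simply keeps the platform's default chain validation and hostname check. The backend URL is a placeholder.

```java
import javax.net.ssl.*;
import java.io.IOException;
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;

public class TlsValidationExample {

    // VULNERABLE (assumed pattern): a trust manager that accepts every chain and a
    // hostname verifier that accepts every host. Any MITM certificate is accepted,
    // which is exactly the behaviour described for CVE-2014-6854.
    static HttpsURLConnection openInsecure(URL url) throws Exception {
        TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { } // no check at all
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((host, session) -> true); // accepts any server name
        return conn;
    }

    // FIXED: rely on the platform defaults. HttpsURLConnection already validates the
    // chain against the device trust store and checks the hostname; the fix is to
    // not override either. The guard below catches a verifier replaced elsewhere.
    static HttpsURLConnection openValidated(URL url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        if (conn.getHostnameVerifier() != HttpsURLConnection.getDefaultHostnameVerifier()) {
            throw new IllegalStateException("hostname verifier was overridden");
        }
        return conn;
    }

    public static void main(String[] args) throws Exception {
        URL url = new URL("https://backend.example.invalid/api"); // placeholder backend
        HttpsURLConnection conn = openValidated(url);
        // Against a forged or self-signed certificate connect() fails with
        // SSLHandshakeException here; with openInsecure(url) it would silently succeed.
        try {
            conn.connect();
        } catch (IOException e) {
            System.out.println("Connection rejected: " + e);
        } finally {
            conn.disconnect();
        }
    }
}
```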

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • cpe:2.3:a:eyexam:eyexam:1.4:*:*:*:*:android:*:*

Patches

No patches discovered yet.

References
