VYPR
Unrated severity · NVD Advisory · Published Oct 11, 2014 · Updated May 6, 2026

CVE-2014-6938

Description

The Apostilas musicais (aka com.apostilas) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Apostilas musicais Android application 1.0 fails to validate SSL certificates, allowing man-in-the-middle attackers to spoof servers and steal sensitive information.

Vulnerability

The Apostilas musicais application (package com.apostilas) version 1.0 for Android does not properly verify X.509 certificates from SSL servers. This flaw means the application trusts any certificate presented during an HTTPS connection, including those issued by an attacker. The app is listed among multiple Android applications that fail SSL validation testing, as documented in the CERT/CC Vulnerability Note VU#582497 [1][2].

Exploitation

An attacker positioned on the same network as the victim (e.g., a rogue Wi-Fi hotspot) can perform a man-in-the-middle (MITM) attack. By presenting a crafted, self-signed, or otherwise invalid certificate, the attacker can intercept the HTTPS connection between the device and the legitimate server. The application will accept the fraudulent certificate without proper validation, allowing the attacker to read or modify encrypted traffic.

Impact

A successful MITM attack enables the attacker to view and alter network traffic that the user expects to be protected by HTTPS. Depending on how the application uses the connection, this could lead to credential theft, exposure of personal data, or even arbitrary code execution if the attacker injects malicious content [1].

Mitigation

No official patched version of the Apostilas musicais application has been released. The CERT/CC advises users to avoid using the affected application, especially for sensitive transactions, and instead access the content via a web browser that properly validates SSL certificates [1]. Users should uninstall the vulnerable app as a precaution.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

3
