CVE-2014-7317

Vulnerability

The Aloha Bail Bonds application (com.onesolutionapps.alohabailbondsandroid) version 1.1 for Android does not verify X.509 certificates from SSL servers [1]. This means the app accepts any certificate presented during an HTTPS handshake without checking the certificate chain or trust anchor. No special configuration is required to reach the vulnerable code path; every HTTPS connection made by the app is affected.

Exploitation

An attacker with network access to the Android device (e.g., on the same Wi-Fi network) can perform a man-in-the-middle attack by presenting a crafted certificate that the app will accept without validation [1]. The attacker can then intercept or modify all HTTPS traffic between the app and its servers. No user interaction beyond using the app normally is required once the MITM position is established.

Impact

A successful attacker can view or modify network traffic that should have been protected by HTTPS [1]. This can lead to disclosure of sensitive information, such as credentials or personal data transmitted by the Aloha Bail Bonds app. In broader cases of similar SSL validation failures, arbitrary code execution may also be possible depending on the app's functionality.

Mitigation

The official CERT/CC advisory recommends not using affected applications and instead accessing the same content through a web browser, which can properly validate SSL certificates [1]. No patched version of the Aloha Bail Bonds app has been announced. Users should uninstall the app until a fix is released.