CVE-2014-7393

Vulnerability

The 100 Beauty Tips Android application (package com.ww100BeautyTipsApp) version 1.1 does not properly validate X.509 certificates from HTTPS servers. This means the app accepts any certificate presented during the SSL handshake, including those from an attacker. The issue is common among many Android applications that fail to implement proper certificate validation [1].

Exploitation

An attacker positioned on the same network as the victim's Android device (e.g., a public Wi-Fi hotspot) can perform a man-in-the-middle attack. The attacker presents a crafted certificate to the app, which the app accepts without verification. No user interaction or authentication is required beyond the app making an HTTPS connection.

Impact

Successful exploitation allows the attacker to view or modify network traffic that should have been encrypted by HTTPS. This can lead to disclosure of sensitive information such as login credentials or personal data, and in some cases may enable arbitrary code execution depending on the app's functionality [1].

Mitigation

No official patch or updated version has been released for this application. The CERT/CC recommends not using affected applications and instead accessing the same content via a web browser, which typically implements proper SSL validation [1]. Users should uninstall the 100 Beauty Tips app and avoid similar apps that do not verify certificates.