VYPR
Unrated severity · NVD Advisory · Published Oct 19, 2014 · Updated May 6, 2026

CVE-2014-7472

Description

The CSApp - Colegio San Agustin (aka com.goodbarber.csapp) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSApp - Colegio San Agustin Android app 1.0 fails to validate SSL certificates, enabling MITM attacks to intercept sensitive data.

Vulnerability

The CSApp - Colegio San Agustin application (com.goodbarber.csapp) version 1.0 for Android does not verify X.509 certificates from SSL servers [1]. When the app makes HTTPS connections, it accepts any certificate the server presents without validating that it was issued by a trusted certificate authority. The flaw is in the app's own SSL/TLS handling, and the code path that trusts unverified certificates is reachable under normal usage [1].

Exploitation

An attacker in a position to perform a man-in-the-middle (MITM) attack, such as on a shared Wi‑Fi network, can craft a certificate that impersonates the legitimate server. The attacker needs no prior authentication and no user interaction beyond the user launching the app as usual. Because the app fails to validate the certificate chain, the connection proceeds as normal, allowing the attacker to intercept and potentially modify the HTTPS traffic [1].

Impact

A successful MITM attacker can view or modify network traffic that was intended to be protected by HTTPS. Depending on what data the app transmits, this could lead to credential theft or, in some cases, arbitrary code execution [1]. The attacker gains the ability to read and alter sensitive information that the user sends to or receives from the app's backend services.

Mitigation

No fix has been published for this specific application as of the CVE publication date [1]. The CERT/CC recommends that users avoid using affected applications when the content is accessible via other means, such as a web browser with proper certificate validation [1]. Users should uninstall CSApp version 1.0 and check for an updated version from the vendor that properly validates SSL certificates.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

3
