CVE-2014-7595
Description
The devada.co.uk (aka com.wdevadacouk) application 1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The devada.co.uk (com.wdevadacouk) app for Android fails to verify SSL certificates, allowing MITM attacks to spoof servers and steal sensitive data.
Vulnerability
The devada.co.uk (package name com.wdevadacouk) application version 1.2 for Android does not properly validate X.509 certificates from SSL/TLS servers, as reported in VU#582497 [1]. This means the app accepts any certificate presented during an HTTPS handshake without verifying it chains to a trusted root CA, making the connection insecure.
Exploitation
An attacker in a man-in-the-middle (MITM) position on the same network as the Android device can present a crafted certificate to the application [1]. No prior authentication or user interaction beyond normal app usage is required; the attacker simply intercepts the HTTPS connection and supplies a fake certificate, which the app will trust.
Impact
By spoofing the legitimate server, the attacker can view or modify network traffic that should have been protected by HTTPS [1]. This could lead to disclosure of sensitive information transmitted by the app, such as credentials or personal data, and in some cases could enable arbitrary code execution depending on the app's functionality.
Mitigation
The CERT/CC recommends not using affected applications and instead accessing content via a web browser, which typically enforces proper certificate validation [1]. No patched version of devada.co.uk is mentioned in the references; users should uninstall the app and consider it permanently insecure.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:devada_project:devada:1.2:*:*:*:*:android:*:*
- Range: =1.2
Patches
No patches discovered yet.
References
- www.kb.cert.org/vuls/id/582497 (nvd; US Government Resource)
- www.kb.cert.org/vuls/id/717489 (nvd; US Government Resource)
- docs.google.com/spreadsheets/d/1t5GXwjw82SyunALVJb2w0zi3FoLRIkfGPc7AMjRF0r4/edit (nvd)