VYPR
Severity: Unrated · NVD Advisory · Published Oct 21, 2014 · Updated May 6, 2026

CVE-2014-7705

Description

The Atkins Diet Free Shopping List (aka com.wAtkinsDietFreeShoppingList) application 1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Atkins Diet Free Shopping List Android app fails to validate SSL certificates, enabling man-in-the-middle attacks to intercept sensitive data.

Vulnerability

The Atkins Diet Free Shopping List Android application (package com.wAtkinsDietFreeShoppingList, version 1.1) does not verify X.509 certificates from SSL servers. This flaw is part of a broader class of Android applications that fail to properly validate SSL certificates, as documented in CERT/CC Vulnerability Note VU#582497 [1]. The app accepts any certificate presented during an HTTPS handshake without checking its authenticity against a trusted root CA.

Exploitation

An attacker positioned on the same network as the victim (e.g., a public Wi-Fi hotspot) can perform a man-in-the-middle (MITM) attack. By presenting a crafted certificate, the attacker can intercept the HTTPS connection between the app and its backend server. The app will accept the fraudulent certificate without validation, allowing the attacker to read or modify all data transmitted over the supposedly secure channel [1].

Impact

Successful exploitation allows the attacker to obtain sensitive information transmitted by the app, such as login credentials, personal details, or any other data exchanged with the server. Depending on the app's functionality, the impact may include credential theft or, in some cases, arbitrary code execution if the app downloads and executes content [1]. The compromise is limited to the network session but can lead to broader account compromise.

Mitigation

No official fix has been released for this specific app as of the publication date. The developer should update the application to properly validate SSL certificates. Users are advised to avoid using the app and instead access the same services via a web browser, which typically implements proper certificate validation [1]. The app is listed among vulnerable applications in the CERT/CC tracking spreadsheet [2].
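As an added illustration of what "properly validate SSL certificates" means in the Android/Java API (example code, not code from the app, from CERT/CC or from this advisory; class and method names are placeholders): the first builder installs the all-accepting trust manager that produces exactly the behaviour described above, the second keeps the platform defaults, and the third is a small audit helper a reviewer can call on a connection object.

```java
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Added example (hypothetical class names): the defect class behind CVE-2014-7705 and its fix.
public class CertValidationExample {

    // VULNERABLE: check* methods that never throw CertificateException trust every chain,
    // so a certificate forged by a man-in-the-middle completes the handshake.
    static final class AcceptAllTrustManager implements X509TrustManager {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    // Builds the insecure connection: custom context plus a hostname verifier that always agrees.
    static HttpsURLConnection openInsecure(URL url) throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new AcceptAllTrustManager() }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((hostname, session) -> true);
        return conn;
    }

    // FIXED: leave the platform default socket factory and hostname verifier in place. The
    // default chains the server certificate to the device's trusted root CAs and checks the
    // hostname; a spoofed certificate ends the handshake with an SSLHandshakeException.
    static HttpsURLConnection openSecure(URL url) throws IOException {
        return (HttpsURLConnection) url.openConnection();
    }

    // Audit helper: true when the connection still uses the platform defaults, i.e. no
    // custom trust or hostname logic has been substituted.
    static boolean usesDefaultValidation(HttpsURLConnection conn) {
        return conn.getSSLSocketFactory() == HttpsURLConnection.getDefaultSSLSocketFactory()
            && conn.getHostnameVerifier() == HttpsURLConnection.getDefaultHostnameVerifier();
    }
}
```

Searching an APK's decompiled sources for `X509TrustManager` implementations with empty `checkServerTrusted` bodies, or for `setHostnameVerifier` calls that always return true, is the corresponding static check for this defect class.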

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)
