CVE-2020-35137
Description
MobileIron MDM agents contain a hardcoded API key that enables unauthenticated discovery of an organization's MobileIron authentication endpoint; the discovery feature is opt-in.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The MobileIron Mobile@Work agents for Android and iOS (releases through March 2021) [3] contain a hardcoded API key in com/mobileiron/registration/RegisterActivity.java [1]. The agent uses this key to call the MobileIron SaaS discovery API, specifically the api/v1/gateway/customers/servers endpoint. The discovery feature is opt-in and disabled by default; customers must explicitly request enablement by emailing support [description]. All agent releases up to and including the March 2021 release are affected.
Exploitation
An unauthenticated attacker can extract the hardcoded API key from the Mobile@Work application binary [1]. Using this key, the attacker can query the discovery API to find the authentication endpoint of any organization that has the discovery service enabled. The discovery request takes an email address, so the attacker must know or guess an address in the target organization's domain. The rustyIron tool implements this lookup as its disco method [2]. Beyond possession of the API key, no authentication or user interaction is required.
Impact
Successful exploitation allows an attacker to discover the MobileIron authentication endpoint for an organization that has opted into the discovery feature [1]. This information can be used as a stepping stone for further attacks, such as user enumeration or brute-force authentication attempts. The impact is limited to information disclosure of the endpoint URL; it does not directly lead to account compromise or data access.
Mitigation
MobileIron (now Ivanti) has stated that this is an opt-in feature and that it does not plan to change it [description]. Organizations can reduce the exposure by disabling MobileIron discovery services if they are not needed [1]. No patch had been released as of the publication date (March 2021). The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- [1] MobileIron MDM Contains Static Key Allowing Account Enumeration
- [2] GitHub - optiv/rustyIron: rustyIron is a tool that takes advantage of functionality within Ivanti's MobileIron MDM solution to perform single-factor authentication attacks. rustyIron can locate the MobileIron MDM authentication endpoint, validate the authentication strategy of the environment, perform user enumeration, brute-force registration PIN values, and perform single-factor authentication attacks.
- [3] Ivanti Mobile@Work - Apps on Google Play
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- MobileIron / MobileIron agents (source: description)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"A static, hardcoded API key in the Mobile@Work Android client allows unauthenticated enumeration of MobileIron customer endpoints."
Attack vector
An unauthenticated attacker decompiles the Mobile@Work Android APK to extract the hardcoded API key from `RegisterActivity.java`. With this key, the attacker can query the MobileIron SaaS discovery API (`api/v1/gateway/customers/servers`) using only an email address in the victim organization's domain to learn the organization's MobileIron authentication endpoint. No authentication or special privileges are required, and the attack is performed over the public internet [1].
Affected code
The hardcoded API key resides in `com/mobileiron/registration/RegisterActivity.java` within the Mobile@Work (com.mobileiron) Android application. The advisory confirms the key is static and compiled into the binary, recoverable through decompilation of the APK.
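The static key described in the affected-code note above (and in the Vulnerability and Exploitation sections) is exactly the pattern a hardcoded-secret scan over decompiled sources is meant to catch. The following is an added example written for this page, not code from MobileIron, Ivanti or the rustyIron project: it scans a constructed Java snippet shaped like a decompiled registration class for string constants that look like embedded credentials, using two signals, a secret-like identifier name and a high-entropy literal. The class layout, field names and key value in the sample are invented for illustration; the real key is not reproduced here.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample in the shape of decompiler output (e.g. jadx) for a
# registration class. The key value, field names and method are invented
# for this example; they are NOT the Mobile@Work client's real contents.
SAMPLE_JAVA = '''
package com.mobileiron.registration;

public class RegisterActivity {
    private static final String DISCOVERY_PATH = "api/v1/gateway/customers/servers";
    private static final String API_KEY = "Zq8v3NfT1kLx9wRb2YcHd7Gp0Ms5JnVe";
    private static final String LOG_TAG = "RegisterActivity";

    private String buildUrl(String host) {
        return "https://" + host + "/" + DISCOVERY_PATH;
    }
}
'''

# Matches `String NAME = "literal"` with optional static/final modifiers and
# handles backslash escapes inside the literal.
STRING_ASSIGNMENT = re.compile(
    r'(?:static\s+)?(?:final\s+)?String\s+(\w+)\s*=\s*"([^"\\]*(?:\\.[^"\\]*)*)"'
)

# Identifier names that usually hold credentials.
SECRET_NAME = re.compile(r'(api[_]?key|secret|token|password|passwd)', re.I)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: the usual hardcoded-secret heuristic."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    name: str      # Java field name the literal is assigned to
    value: str     # the literal itself
    entropy: float # bits per character
    reason: str    # which heuristics fired


def find_static_secrets(java_source: str, min_len: int = 16,
                        min_entropy: float = 3.5) -> list:
    """Return string constants that look like embedded credentials.

    A literal is reported if its identifier is secret-like, or if it is long,
    high-entropy and free of path/whitespace characters (URL paths such as the
    discovery endpoint are deliberately excluded so they do not drown out keys).
    """
    findings = []
    for m in STRING_ASSIGNMENT.finditer(java_source):
        name, value = m.group(1), m.group(2)
        ent = shannon_entropy(value)
        reasons = []
        if SECRET_NAME.search(name):
            reasons.append("secret-like identifier")
        if (len(value) >= min_len and ent >= min_entropy
                and not re.search(r'[\s/]', value)):
            reasons.append(f"high-entropy literal ({ent:.2f} bits/char)")
        if reasons:
            findings.append(Finding(name, value, ent, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in find_static_secrets(SAMPLE_JAVA):
        print(f"{f.name} = {f.value!r}  [{f.reason}]")
```

Run it over the decompiled source tree of any MDM or SSO agent you are assessing; a hit in a registration or discovery code path is the question this advisory turns on, namely whether the secret can be rotated, scoped, or moved server-side rather than shipped to every installed copy of the app.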
What the fix does
No patch has been published. MobileIron acknowledged the issue but stated the static key is a critical component of the registration workflow and that removing it would require users to manually enter the Core hostname, which they deemed too impactful. The vendor indicated they would review alternative solutions but provided no timeline for remediation [1].
Preconditions
- input: Attacker must obtain the Mobile@Work APK and decompile it to recover the hardcoded API key.
- config: The target organization must use MobileIron MDM with the SaaS discovery feature enabled (opt-in, not default).
- input: Attacker must know a valid email address associated with the target organization's MobileIron deployment.
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.