CVE-2020-35138
Description
A hardcoded encryption key in MobileIron Mobile@Work agents for Android and iOS allows an unauthenticated attacker to construct authentication requests and potentially perform account enumeration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The MobileIron Mobile@Work agents through March 22, 2021 for Android and iOS contain a hardcoded encryption key used to encrypt username/password details during authentication [1][2]. The key is located in the file com/mobileiron/common/utils/C4928m.java [1][2]. This static key is embedded in the agent binary and can be extracted by an attacker who analyzes the application [1][2]. The vulnerability affects all versions of the Mobile@Work agent up to that date [1][2].
Exploitation
An unauthenticated attacker with access to a copy of the Mobile@Work agent can extract the hardcoded encryption key [1][2]. With this key, the attacker can construct valid MobileIron authentication requests and decrypt captured ciphertexts [1][2][3]. The attacker does not require any special network position or authentication to obtain the key, as it is static in the application [1][2]. The freely available tool rustyIron implements methods to decrypt MobileIron ciphertext and perform user enumeration using this key [3].
Impact
An attacker who successfully extracts the hardcoded key can decrypt authentication ciphertexts and construct authentication requests, enabling account enumeration and single-factor authentication attacks [1][2][3]. This could lead to the compromise of user credentials and unauthorized access to corporate resources managed by MobileIron [1][2]. While the vendor asserts no direct causality between credential encryption and man-in-the-middle (MitM) attacks [4], the hardcoded key reduces the security of the authentication process.
Mitigation
Ivanti (the vendor, formerly MobileIron) states that the hardcoded encryption key finding presents a medium risk and can be mitigated by proper configuration [4]. As of the publication date (2021-03-29), no patch or updated version removing the static key is mentioned in the references. Organizations can reduce the attack surface by disabling MobileIron discovery services [1][2]. Administrators should follow Ivanti's security hardening guides and monitor for updates from the vendor [4]. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
[1] MobileIron MDM Contains Static Key Allowing Account Enumeration (Optiv)
[2] MobileIron MDM Contains Static Key Allowing Account Enumeration (Optiv, mirror)
[3] GitHub - optiv/rustyIron: rustyIron is a tool that takes advantage of functionality within Ivanti's MobileIron MDM solution to perform single-factor authentication attacks. rustyIron can locate the MobileIron MDM authentication endpoint, validate the authentication strategy of the environment, perform user enumeration, brute-force registration PIN values, and perform single-factor authentication attacks.
[4] A Warranted Response to Inaccurate Optiv Research (Ivanti)
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 2021-03-22
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Hardcoded AES encryption key in the Mobile@Work agent that is used to encrypt username/password submissions during device registration."
Attack vector
An attacker who extracts the hardcoded AES key from the Mobile@Work agent can encrypt and decrypt MIPR authentication data [1][2]. With this key, the attacker can construct valid authentication requests against a MobileIron endpoint without needing a physical device or the agent, enabling credential-stuffing or account-enumeration attacks against the Internet-accessible Single-Factor Authentication (SFA) interface [1][2]. Additionally, if the attacker can coerce a user into installing a malicious TLS certificate (the agent inherits the device's trust authorities and does not perform native TLS verification), a man-in-the-middle attack could intercept the second TLS encryption layer as well [1][2].
Affected code
The hardcoded encryption key resides in `com/mobileiron/common/utils/C4928m.java`, specifically within the `m20857f()` encryption function [1][2]. This file is part of the Mobile@Work agent (com.mobileiron) for Android and iOS, and the key is used to encrypt username/password submissions during device registration.
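The weakness described above is a key that every copy of the agent carries, so anyone holding the binary holds the key. As an added example (not MobileIron's code and not the analysis from the references), the following check scans decompiled Java source for key or IV material that reaches `SecretKeySpec`/`IvParameterSpec` either as an inline literal or through a class constant defined with a literal; a key passed in from a KDF or keystore is not flagged. The `Crypto` class, its constant names and the key bytes are constructed sample input for the check.

```python
import re
from dataclasses import dataclass

# Constructed sample of decompiled Java (hypothetical class, not from any product).
# Lines 8, 9 and 13 hand literal key material to the crypto API; line 17 does not.
SAMPLE_JAVA = """\
package com.example.utils;
import javax.crypto.spec.SecretKeySpec;
import javax.crypto.spec.IvParameterSpec;
public class Crypto {
    private static final String KEY = "0123456789abcdef";
    private static final byte[] IV = new byte[]{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f};
    static byte[] encrypt(byte[] data) throws Exception {
        SecretKeySpec k = new SecretKeySpec(KEY.getBytes("UTF-8"), "AES");
        IvParameterSpec iv = new IvParameterSpec(IV);
        return null; // cipher init/doFinal omitted in this sample
    }
    static byte[] encryptInline(byte[] data) throws Exception {
        SecretKeySpec k = new SecretKeySpec("secret-key-1234".getBytes(), "AES");
        return null;
    }
    static byte[] encryptDerived(byte[] data, byte[] derived) throws Exception {
        SecretKeySpec k = new SecretKeySpec(derived, "AES"); // key from KDF/keystore
        return null;
    }
}
"""

# A String or byte[] constant initialised from a literal (string or byte-array initialiser).
CONST_RE = re.compile(
    r'final\s+(?:String|byte\[\])\s+(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|new\s+byte\[\]\s*\{[^}]*\})'
)
# First argument handed to a key/IV constructor (up to the first comma or paren).
USE_RE = re.compile(r'\b(SecretKeySpec|IvParameterSpec)\s*\(\s*([^,)]+)')


@dataclass
class Finding:
    line: int          # 1-based line of the SecretKeySpec/IvParameterSpec call
    api: str           # which constructor received the material
    kind: str          # "literal" (inline) or "constant" (named class constant)
    name: str          # constant name, or "" for an inline literal
    defined_at: int    # line where the constant is defined, or 0 for inline


def _is_literal(arg: str) -> bool:
    """True when the argument text itself is a string or byte-array literal."""
    return arg.startswith('"') or re.match(r'new\s+byte\[\]', arg) is not None


def find_hardcoded_keys(source: str) -> list[Finding]:
    """Return every key/IV constructor call fed by a literal or a literal-valued constant."""
    lines = source.splitlines()
    # Pass 1: map constant name -> defining line for literal-initialised constants.
    constants: dict[str, int] = {}
    for no, text in enumerate(lines, start=1):
        m = CONST_RE.search(text)
        if m:
            constants[m.group(1)] = no
    # Pass 2: inspect what each constructor receives.
    findings: list[Finding] = []
    for no, text in enumerate(lines, start=1):
        for m in USE_RE.finditer(text):
            api, arg = m.group(1), m.group(2).strip()
            if _is_literal(arg):
                findings.append(Finding(no, api, "literal", "", 0))
                continue
            ident = re.match(r'[A-Za-z_]\w*', arg)
            if ident and ident.group(0) in constants:
                name = ident.group(0)
                findings.append(Finding(no, api, "constant", name, constants[name]))
    return findings


if __name__ == "__main__":
    for f in find_hardcoded_keys(SAMPLE_JAVA):
        where = f"constant {f.name} (defined line {f.defined_at})" if f.kind == "constant" else "inline literal"
        print(f"line {f.line}: {f.api} receives {where}")
```

The check is deliberately syntactic: it answers "does key material originate from a literal in this source?", which is the question a reviewer asks of a decompiled agent, and it stays quiet for keys that arrive through a parameter, a KDF or the platform keystore. Point it at the output of a Java decompiler rather than at the APK itself.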
What the fix does
No patch is provided in the bundle. MobileIron acknowledged the static-key deficiency but argued the risk is minimal because credentials are additionally encrypted via TLS [1][2]. The vendor's recommended mitigations include enabling two-factor authentication for device registration and enabling Mutual Certificate Authentication for subsequent check-ins; the product team was also investigating certificate pinning to reduce MitM risk [1][2]. No code-level fix has been published.
Preconditions
- (input) Attacker must extract the hardcoded AES key from the Mobile@Work agent binary (com.mobileiron).
- (config) The target MobileIron Core must have an Internet-accessible Single-Factor Authentication (SFA) interface enabled.
- (input) For MitM attacks, the attacker must coerce the victim into installing a malicious TLS certificate on their device.
- (config) For account enumeration, the target user account must be visible in the MobileIron user repository (e.g., synced from Active Directory).
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- play.google.com/store/apps/details
- www.ivanti.com/blog/a-warranted-response-to-inaccurate-optiv-research
- www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration
- www.optiv.com/insights/source-zero/blog/mobileiron-mdm-contains-static-key-allowing-account-enumeration
News mentions
No linked articles in our index yet.