Vulnerability Note VU#582497
Multiple Android applications fail to properly validate SSL certificates
Multiple Android applications fail to properly validate SSL certificates provided by HTTPS connections, which may allow an attacker to perform a man-in-the-middle (MITM) attack.
When communicating via HTTPS, an application should validate the SSL chain to be sure that the certificate produced by the site was provided by a trusted root certificate authority (CA). Multiple Android applications fail to properly validate SSL certificates. Additional information can be found in the CERT Oracle Secure Coding Standard for Java:
DRD19-J. Properly verify server certificate on SSL/TLS
An attacker on the same network as the Android device may be able to view or modify network traffic that should have been protected by HTTPS. The impact varies based on what the application is doing. Possible outcomes include credential stealing or arbitrary code execution.
Apply an update
Do not use affected applications
Vendor Information (Learn More)
Due to the number of affected applications, tested applications, versions, CVE identifiers, CERT VU# identifiers and other information will be available in the spreadsheet Android App SSL Failures. This spreadsheet will be kept up to date with newly-discovered vulnerable applications, fixed versions, manual testing notes, and other information.
|Vendor||Status||Date Notified||Date Updated|
|Amazon||Unknown||06 Aug 2014||06 Aug 2014|
|Fortinet, Inc.||Unknown||09 Jan 2014||05 Jan 2015|
|Unknown||05 Aug 2014||05 Aug 2014|
|PNC Bank||Unknown||01 Oct 2014||01 Oct 2014|
|Windstream||Unknown||09 Jan 2014||05 Jan 2015|
CVSS Metrics (Learn More)
This vulnerability was reported by Will Dormann of the CERT/CC. Additional reporters of the concept of Android apps that fail to validate SSL certificates include Tony Trummer, Tushar Dalvi, and Kuo Chiang. Other individuals that publicly reported this issue include: Sascha Fahl, Marian Harbach,Thomas Muders, Matthew Smith, Lars Baumgärtner, and Bernd Freisleben.
This document was written by Will Dormann.
- CVE IDs: Unknown
- Date Public: 16 Oct 2012
- Date First Published: 03 Sep 2014
- Date Last Updated: 08 Nov 2016
- Document Revision: 31
If you have feedback, comments, or additional information about this vulnerability, please send us email.