Vulnerability in library VIPAndroid-3.0.5.jar, found after running a white hat scan on the FRB Corp Android application.
SSL Configuration Allows Insecure Connections – Vulnerability ID - 2468286
Description -
The application contains code that overrides Android's built-in certificate validation procedures and potentially allows HTTPS connections to be created without properly establishing trust. If such a connection is created, a remote attacker could intercept and modify traffic to and from the app. This type of vulnerability can also be flagged as a blocker by the Android Play Store.
METHOD
Lcom/symantec/starmobile/dendrite/b/a/g/c;,checkClientTrusted,([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
Lcom/symantec/starmobile/dendrite/b/a/g/c;,checkServerTrusted,([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
Lcom/symantec/starmobile/dendrite/network/d/c;,checkClientTrusted,([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
Lcom/symantec/starmobile/dendrite/network/d/c;,checkServerTrusted,([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
Lcom/symantec/util/c/b;,checkClientTrusted,([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
Lcom/symantec/util/c/b;,checkServerTrusted,([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
Lcom/symc/mvip/a/n;,checkClientTrusted,([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
Lcom/symc/mvip/a/n;,checkServerTrusted,([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
The VIP SDK side will fix this in the next release (as part of the FIDO SDK); timelines will be published later.