Symantec VIP - vulnerability in library VIPAndroid-3.0.5 SSL Configuration Allows Insecure Connections

Article ID: 253776

Updated On:

Products

VIP Service

Issue/Introduction

A white hat scan of the FRB Corp Android application reported a vulnerability in the library VIPAndroid-3.0.5.jar.

SSL Configuration Allows Insecure Connections – Vulnerability ID - 2468286

Description -

The application contains code that overrides Android's built-in certificate validation procedures and potentially allows HTTPS connections to be created without properly establishing trust. If such a connection is created, a remote attacker could intercept and modify traffic to and from the app. This type of vulnerability can also be flagged as a blocker by the Android Play Store.

METHOD
Lcom/symantec/starmobile/dendrite/b/a/g/c;,checkClientTrusted,([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
Lcom/symantec/starmobile/dendrite/b/a/g/c;,checkServerTrusted,([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
Lcom/symantec/starmobile/dendrite/network/d/c;,checkClientTrusted,([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
Lcom/symantec/starmobile/dendrite/network/d/c;,checkServerTrusted,([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
Lcom/symantec/util/c/b;,checkClientTrusted,([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
Lcom/symantec/util/c/b;,checkServerTrusted,([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
Lcom/symc/mvip/a/n;,checkClientTrusted,([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
Lcom/symc/mvip/a/n;,checkServerTrusted,([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
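
The kind of override this finding describes, next to a validating alternative, as an added example that is not part of the original article and is not Symantec's code. `AcceptAllTrustManager` and `platformTrustManager` are hypothetical names, and the empty method bodies are an assumption about the pattern such scanners flag, not the contents of the obfuscated classes listed above.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustManagerExample {

    // Flagged pattern (hypothetical class, shown for contrast): the overrides
    // return without checking anything, so any certificate chain is accepted.
    static final class AcceptAllTrustManager implements X509TrustManager {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    // Hardened form: obtain the platform's default X509TrustManager, which
    // validates the chain against the system trust store.
    static X509TrustManager platformTrustManager() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default system trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("No X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        X509TrustManager tm = platformTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null); // context for HTTPS clients

        // A validating trust manager must reject an empty chain.
        try {
            tm.checkServerTrusted(new X509Certificate[0], "RSA");
            System.out.println("UNEXPECTED: empty chain accepted");
        } catch (IllegalArgumentException | CertificateException e) {
            System.out.println("rejected as expected: " + e.getClass().getSimpleName());
        }
        // The accept-all variant raises nothing for the same input.
        new AcceptAllTrustManager().checkServerTrusted(new X509Certificate[0], "RSA");
        System.out.println("accept-all variant raised no error");
    }
}
```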

Resolution

The VIP SDK team will fix this in the next release (as part of the FIDO SDK). Timelines will be published later.