mifos-mobile before 7ed4f22 disables HTTPS hostname verification in its HTTP client. In addition, it accepted any presented certificate as valid, including self-signed ones, which effectively disables certificate chain validation as well.
Hostname verification is the step in HTTPS that checks that the presented certificate was actually issued for the host the client intended to reach. Without it, an attacker holding any certificate the device trusts (for example one issued for a domain the attacker controls) can impersonate the API server.
Accepting any certificate, self-signed ones included, removes the remaining check: an attacker positioned on the network path (a hostile Wi-Fi access point, a compromised router) can terminate TLS with a certificate they generated themselves and read or modify all traffic, including user credentials and account data. Together the two issues allow man-in-the-middle attacks against every connection the app makes.
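The following is an added illustration, not code from the mifos-mobile repository or the referenced commits. It assumes the client is OkHttp (the advisory does not name the library) and shows the two disabled checks the advisory describes side by side with a configuration that keeps the platform defaults; the pinned host and pin value in the last function are placeholders.

```kotlin
import java.security.SecureRandom
import java.security.cert.X509Certificate
import javax.net.ssl.HostnameVerifier
import javax.net.ssl.SSLContext
import javax.net.ssl.X509TrustManager
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient

// VULNERABLE (reconstructed pattern, not the project's actual code): both
// checks that make HTTPS authenticate the server are switched off. The trust
// manager accepts any chain, self-signed included, and the hostname verifier
// accepts any name, so any certificate an attacker generates is "valid".
fun vulnerableClient(): OkHttpClient {
    val trustAll = object : X509TrustManager {
        override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String) {}
        // Never throws, so chain validation is effectively disabled.
        override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) {}
        override fun getAcceptedIssuers(): Array<X509Certificate> = arrayOf()
    }
    val sslContext = SSLContext.getInstance("TLS").apply {
        init(null, arrayOf(trustAll), SecureRandom())
    }
    return OkHttpClient.Builder()
        .sslSocketFactory(sslContext.socketFactory, trustAll)
        // Any host name passes, so a certificate for attacker.example is accepted
        // for the real API host.
        .hostnameVerifier(HostnameVerifier { _, _ -> true })
        .build()
}

// FIXED: do not override either check. OkHttp then validates the chain against
// the platform trust store and matches the host name against the certificate's
// subjectAltName entries with its default verifier.
fun hardenedClient(): OkHttpClient = OkHttpClient.Builder().build()

// OPTIONAL extra hardening beyond the fix: pin the API host's public key so that
// even a mis-issued certificate from a trusted CA cannot impersonate it.
// apiHost and spkiSha256Pin are caller-supplied placeholders, e.g.
// "api.example.org" and "sha256/<base64 SPKI hash>"; supply a backup pin too.
fun pinnedClient(apiHost: String, spkiSha256Pin: String, backupPin: String): OkHttpClient {
    val pinner = CertificatePinner.Builder()
        .add(apiHost, spkiSha256Pin)
        .add(apiHost, backupPin)
        .build()
    return OkHttpClient.Builder().certificatePinner(pinner).build()
}
```

A quick way to confirm a build is not affected is to point the app at a local TLS endpoint that serves a self-signed certificate, or a valid certificate for a different name: the hardened client must fail the handshake with an SSLHandshakeException or SSLPeerUnverifiedException, while the vulnerable client completes the request.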
Patches
This problem is fixed in mifos-mobile e505f62.
References
Android Security Guide for TLS/HTTPS
CWE-295: Improper Certificate Validation
CWE-297: Improper Validation of Certificate with Host Mismatch
For more information
If you have any questions or comments about this advisory: