mailing list archives
GOOD for Enterprise (GMA) below 2.0.2 vulnerable to MITM
From: Thierry Zoller <Thierry () Zoller lu>
Date: Tue, 13 Nov 2012 22:56:07 +0100
The world of mobile applications appear to have become one where vulnerability
disclosure and awareness are not necessary. Until there are fully automated
updates and refusal of service for outdated applications I see the
need for disclosure.
Who will start monitoring "Appstores" updates for signs of vulnerabilities ?
Note to vulnerability researches : GMA appears to be a nice fuzzing target and
in general for browser security assessments.(see below on rationale)
GMA is known as "Good™ Mobile Access" and part of "Good for Enteprise"
"The secure browser is integrated into the Good for Enterprise application, delivering a safe,
intelligent user experience. Employees can launch Good’s browser directly from the Good launcher bar,
as well as through links included in emails. Links to public websites will automatically launch
the native browser."
Title : GOOD for Enterprise GMA below 2.0.2 vulnerable to MITM
URL : http://www-staging.good.com/products/good-mobile-access.php
Root Cause: GMA failed to validate server authenticity when connecting through HTTPS
I spotted what appears to be an undisclosed vulnerability in an
enterprise mobile device management system.
Excerpt from above :
What's New in Version 2.0.2
This release addresses the following
[..]- GMA now validates server authenticity when connecting through HTTPS.
This would imply GMA to have been vulnerable to MITM prior to version 2.0.2
Disclosure Timeline :
- GOOD disclosed over iTunes on the 02.08.2012
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- GOOD for Enterprise (GMA) below 2.0.2 vulnerable to MITM Thierry Zoller (Nov 13)