This may shock you but Adobe is shipping insecure software. No, it's not Flash this time. Nope, not Acrobat, either
Mobile app SDKs sport dodgy crypto defaults, set bad examples – updates available
It has been revealed that Adobe's Experience Platform mobile SDKs, used to create apps that interact with the company's cloud services, until recently contained sample configuration files that created insecure default settings.
Developers creating apps that use those files as templates or examples could find that their apps have been sending data over the network without SSL protection, leaving that data vulnerable to interception and alteration.
On Wednesday, security biz Nightwatch Cybersecurity disclosed the flaws, with Adobe's blessing, after the Photoshop-slinger published updated SDKs that fix the issue. Nightwatch initially reported the vulnerability to Adobe in March.
The problems arise from a configuration file for the SDKs called ADBMobileConfig.json that gets packaged with the mobile application.
"There are several insecure settings included within this file which may lead to sensitive data being transmitted without SSL and can be seen or modified by an attacker with access to the network traffic," explained Nightwatch security researcher Yakov Shafranovich in a blog post.
There's an SSL setting in the analytics object of the .json file that defaults to false. There's an SSL setting in the mediaHeartbeat object that defaults to false. And there are also configurable URLs that may incorrectly reference insecure HTTP URLs but don't usually do so.
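To make the checks concrete, here is an added static-analysis example, not code from Nightwatch or Adobe, that parses an ADBMobileConfig.json document and reports the two SSL flags and any http:// endpoint the article describes. Only the section names and the "ssl" key come from the article; the "server" key, hostnames and sample files are constructed placeholders.

```python
import json

# Settings the write-up calls out: an "ssl" flag in the analytics and
# mediaHeartbeat objects of ADBMobileConfig.json that defaults to false.
SSL_SECTIONS = ("analytics", "mediaHeartbeat")

def _walk_strings(node, path=""):
    """Yield (json_path, value) for every string in a parsed JSON tree."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from _walk_strings(val, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from _walk_strings(val, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def audit_adbmobile_config(text):
    """Return a list of findings (empty when nothing insecure was found)."""
    cfg = json.loads(text)
    findings = []
    for section in SSL_SECTIONS:
        obj = cfg.get(section)
        if not isinstance(obj, dict):
            continue  # section absent: that feature is not configured at all
        # A missing "ssl" key counts as insecure, since the default is false.
        if obj.get("ssl") is not True:
            findings.append(f"{section}.ssl is not true (defaults to false)")
    # Any endpoint spelled out as http:// is sent in the clear regardless of ssl.
    for path, value in _walk_strings(cfg):
        if value.lower().startswith("http://"):
            findings.append(f"{path} uses an insecure URL: {value}")
    return findings

# Constructed samples: only the section names and "ssl" come from the article;
# the "server" key and hostnames are placeholders, not Adobe's shipped file.
INSECURE_CONFIG = """{
  "analytics": {"server": "example.invalid", "ssl": false},
  "mediaHeartbeat": {"server": "http://example.invalid/hb"}
}"""
HARDENED_CONFIG = """{
  "analytics": {"server": "example.invalid", "ssl": true},
  "mediaHeartbeat": {"server": "https://example.invalid/hb", "ssl": true}
}"""

if __name__ == "__main__":
    for name, text in (("insecure", INSECURE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_adbmobile_config(text) or "no findings")
```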
Experienced developers might craft their own configuration files, avoiding the problem, but Adobe explicitly recommends copying the flawed file into projects. Its BlackBerry 10 SDK, for example, advises, "In the ADBMobile-4.0.0-BlackBerry folder, there is a .json config file named ADBMobileConfig.json. Copy that file into the root of your project."
Adobe didn't immediately respond to a request for comment.
The cloud marketing biz has set the sunset date for its v4 SDKs as September 2020, and future versions should be free of this problem. In a response sent to Nightwatch, Adobe said customers usually download a file from Mobile Services, where SSL is on by default, have Adobe professional services create a config file, where SSL is recommended, or create their own config file, where most enable SSL.
In an email to The Register, a spokesperson for Nightwatch said, "[Developers] are supposed to replace the config file with one downloaded from the developer portal... but they often don't."
Nightwatch has released an open source tool called truegaze on GitHub to perform static analysis on existing Experience Platform apps to see if they implement vulnerable SSL settings.
The security biz said that it isn't aware of whether the lack of SSL in apps implementing Adobe's SDKs has been exploited in the wild or how many existing applications may be affected. ®