Insecure transmission of data in Android applications developed with Adobe AIR [CVE-2016-6936]

[research@xxxxxxxxxxxxxxxxxxxxxxxxxxx]

Original at:
https://wwws.nightwatchcybersecurity.com/2016/09/14/advisory-insecure-transmission-of-data-in-android-applications-developed-with-adobe-air-cve-2016-6936/

Summary

Android applications developed with Adobe AIR send data back to Adobe servers 
without HTTPS while running. This can allow an attacker to compromise the 
privacy of the applications? users. This has been fixed in Adobe AIR SDK 
release v23.0.0.257.

Details

Adobe AIR is a developer product which allows the same application code to be 
compiled and run across multiple desktop and mobile platforms. While monitoring 
network traffic during testing of several Android applications we observed 
network traffic over HTTP without the use of SSL going to several Adobe servers 
including the following:

- airdownload2.adobe.com
- mobiledl.adobe.com

Because encryption is not used, this would allow a network-level attacker to 
observe the traffic and compromise the privacy of the applications? users.

This affects applications compiled with the Adobe AIR SDK versions 22.0.0.153 
and earlier.

Vendor Response

Adobe has released a fix for this issue on September 13th, 2016 in Adobe AIR 
SDK v23.0.0.257. Developers should update and rebuild their application using 
the latest SDK.

References

Adobe Security Bulletin: ASPB16-31
CVE: CVE-2016-6936

Timeline

2016-06-15: Report submitted to Adobe?s HackerOne program
2016-06-16: Report out of scope for this program, directed to Adobe?s PSIRT
2016-06-16: Submitted via email to Adobe?s PSIRT
2016-06-17: Reply received from PSIRT and a ticket number is assigned
2016-09-09: Response received from the vendor that the fix will be released 
next week
2016-09-13: Fix released
2016-09-14: Public disclosure