CVE-2020-35137

Published: Mar 29, 2021

Modified: Aug 4, 2024

PUBLISHED

Description

The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in com/mobileiron/registration/RegisterActivity.java and can be used for api/v1/gateway/customers/servers requests. NOTE: Vendor states that this is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, they do not plan change to make any changes to this feature.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=US

https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration

https://github.com/optiv/rustyIron

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2020-35137

Description

Affected Products

References