Original at: https://wwws.nightwatchcybersecurity.com/2016/09/14/advisory-insecure-transmission-of-data-in-android-applications-developed-with-adobe-air-cve-2016-6936/ Summary Android applications developed with Adobe AIR send data back to Adobe servers without HTTPS while running. This can allow an attacker to compromise the privacy of the applications? users. This has been fixed in Adobe AIR SDK release v23.0.0.257. Details Adobe AIR is a developer product which allows the same application code to be compiled and run across multiple desktop and mobile platforms. While monitoring network traffic during testing of several Android applications we observed network traffic over HTTP without the use of SSL going to several Adobe servers including the following: - airdownload2.adobe.com - mobiledl.adobe.com Because encryption is not used, this would allow a network-level attacker to observe the traffic and compromise the privacy of the applications? users. This affects applications compiled with the Adobe AIR SDK versions 22.0.0.153 and earlier. Vendor Response Adobe has released a fix for this issue on September 13th, 2016 in Adobe AIR SDK v23.0.0.257. Developers should update and rebuild their application using the latest SDK. References Adobe Security Bulletin: ASPB16-31 CVE: CVE-2016-6936 Timeline 2016-06-15: Report submitted to Adobe?s HackerOne program 2016-06-16: Report out of scope for this program, directed to Adobe?s PSIRT 2016-06-16: Submitted via email to Adobe?s PSIRT 2016-06-17: Reply received from PSIRT and a ticket number is assigned 2016-09-09: Response received from the vendor that the fix will be released next week 2016-09-13: Fix released 2016-09-14: Public disclosure
