[Full-disclosure] GOOD for Enterprise (GMA) below 2.0.2 vulnerable to MITM

[Thierry Zoller <Thierry@xxxxxxxxx>]

RANT
----
The  world  of  mobile  applications  appear to have become one where 
vulnerability
disclosure    and   awareness  are  not  necessary.  Until  there  are fully 
automated
updates  and  refusal  of  service for outdated applications I see the
need for disclosure.

Who will start monitoring "Appstores" updates for signs of vulnerabilities ?

Note  to  vulnerability  researches : GMA appears to be a nice fuzzing target 
and
in general for browser security assessments.(see below on rationale)

Description
-----------
GMA is known as "Good™ Mobile Access" and part of "Good for Enteprise"
"The secure browser is integrated into the Good for Enterprise application, 
delivering a safe,
intelligent user experience. Employees can launch Good’s browser directly from 
the Good launcher bar,
as well as through links included in emails. Links to public websites will 
automatically launch
the native browser."

Title : GOOD for Enterprise GMA below 2.0.2 vulnerable to MITM
URL : http://www-staging.good.com/products/good-mobile-access.php
Root Cause: GMA failed to validate server authenticity when connecting through 
HTTPS

I  spotted  what  appears  to  be  an  undisclosed vulnerability in an
enterprise mobile device management system.

https://itunes.apple.com/us/app/good-for-enterprise/id333202351?mt=8

Excerpt from above :

What's New in Version 2.0.2
This release addresses the following
[..]- GMA now validates server authenticity when connecting through HTTPS.
[..]

This would imply GMA to have been vulnerable to MITM prior to version 2.0.2

Disclosure Timeline :
=====================
- GOOD disclosed over iTunes on the 02.08.2012

-- 
http://blog.zoller.lu
Thierry Zoller


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/