IBM Worklight and IBM Mobile Foundation application authenticity verification can be bypassed under certain conditions.
CVEID:__CVE-2014-0888 __
**DESCRIPTION:**The application authenticity feature in IBM Worklight and IBM Mobile Foundation enables the Worklight server to validate that the Worklight client application has not been tampered with. Under certain conditions, a third party might be able to bypass the application authenticity validation and modify the client application.
CVSS Base Score: 3.5
CVSS Temporal Score: See**_<https://exchange.xforce.ibmcloud.com/vulnerabilities/91239>_**** for the current score**
CVSS Environmental Score: Undefined*
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
The application authenticity validation feature has been strengthened in IBM Worklight Foundation Version 6.2.0.0. You can upgrade the Worklight server and Worklight client applications to version 6.2.0.0.
The application authenticity validation feature might be bypassed more easily if the Android versions of the Worklight client application are shipped with debug mode enabled. The debug mode is specified in the AndroidManifest.xml
file with the android:debuggable
attribute of the application
element. Ensure that this attribute is not set to true
.
Utilizing only official mobile application stores for application distribution and installation reduces the chances of client application tampering.