VMware updated AirWatch Android applications to fix two vulnerabilities.
The vulnerabilities concern local data encryption and rooted-device detection.
In VMware’s first security advisory released this year, Finn Steglich from SySS GmbH discovered flaws in several components of AirWatch enterprise mobility management.
One of the security holes, tracked as CVE-2017-4895, affects AirWatch Agent for Android, the app with which users authenticate and enroll their devices in the system. During enrollment, the application checks whether the smartphone has been rooted; AirWatch classifies rooted and jailbroken devices as “compromised.”
The AirWatch Agent vulnerability allows a device to bypass root detection during enrollment, which could give the device unrestricted access to local AirWatch security controls and data, VMware said. The flaw was patched this month with the release of version 7.0.
The second vulnerability patched by VMware affects the secure email client AirWatch Inbox and AirWatch Console on Android. This weakness allows a rooted device to decrypt the local data used by the app, which could result in disclosure of sensitive information.
Patches and workarounds are available for the security hole tracked as CVE-2017-4896. VMware said a user must enable Pin-Based Encryption (PBE), a feature introduced in AirWatch Console 9.0 FP1 and AirWatch Inbox 2.12, to resolve the vulnerability.