Adobe has updated the sample configuration files that ship with its Experience Platform Mobile Software Development Kit (SDK) after a security company discovered insecure default settings.
The SDKs are offered by the company as templates for developers to integrate their apps with Adobe’s cloud services across a range of platforms.
All seemed well until, in March 2019, Nightwatch Cybersecurity noticed that the main app configuration file, ADBMobileConfig.json, contained settings that could lead to security problems.
This included several settings connected to SSL/HTTPS data transfer, specifically:
- An analytics setting defaulting to off (‘false’) rather than on (‘true’).
- Data transfers connected to the mediaHeartbeat object in the same insecure state.
- Other connections not using SSL by default.
In total, the researchers uncovered 28 templates across different platforms that embedded these settings.
Why does this matter?
Some developers have been using these configuration files inside their own apps, creating hidden problems, said Nightwatch:
When these options are used insecurely, attackers can view or modify information transmitted by the application back to Adobe’s cloud services.
No offenders are named but the company said it had found “multiple mobile applications” using them.
This isn’t surprising: larger dev teams will craft their own configuration, while smaller ones will just use what’s handed to them by Adobe, even if that means taking the default settings on trust.
Fixing this issue requires those app developers to update their software, which might take a while.
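One way for a developer to check a shipped configuration file for the kinds of settings listed above, as an added example that is not Adobe's or Nightwatch's code. It assumes the SSL switches are boolean keys named `ssl` and that other endpoints appear as URL strings; the sample file and its hostnames are constructed.

```python
import json

# Constructed sample in the style of an ADBMobileConfig.json file. Key names
# and values are assumptions for illustration, not copied from Adobe's templates.
SAMPLE_CONFIG = """
{
  "analytics": {"ssl": false, "server": "metrics.example.com"},
  "mediaHeartbeat": {"ssl": false, "server": "heartbeat.example.com"},
  "audienceManager": {"server": "aam.example.com"},
  "remotes": {"messages": "http://assets.example.com/messages.json",
              "analytics.poi": "https://assets.example.com/poi.json"}
}
"""


def audit(node, path="$"):
    """Walk the parsed JSON and return (path, reason) for each cleartext setting."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            # A boolean SSL switch left off; `is False` ignores 0, "" and null.
            if key.lower() == "ssl" and value is False:
                findings.append((child, "ssl disabled"))
            else:
                findings.extend(audit(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(audit(item, f"{path}[{i}]"))
    elif isinstance(node, str) and node.strip().lower().startswith("http://"):
        findings.append((path, "cleartext http URL"))
    return findings


def audit_text(text):
    """Parse config text; an unparseable file is reported, not silently passed."""
    try:
        return audit(json.loads(text))
    except json.JSONDecodeError as exc:
        return [("$", f"invalid JSON: {exc.msg}")]


if __name__ == "__main__":
    for where, why in audit_text(SAMPLE_CONFIG):
        print(f"{where}: {why}")
```

Run against the configuration file bundled in a release build, an empty result means no disabled `ssl` switch or `http://` endpoint was found anywhere in the file.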
After being told of the issue in March, Adobe recently released an updated version of its Mobile SDK (version numbers vary by platform).
Given that there’s no evidence the issue has ever been exploited, the discovery looks like a case of trouble averted. Even so, it’s still surprising that Adobe didn’t pick up on the problem.