How did vulnerabilities in AirWatch Agent and Inbox work?

Flaws in AirWatch Agent and AirWatch Inbox allowed rooted devices to bypass the software's security measures. Expert Matthew Pascucci explains how these vulnerabilities worked.

VMware disclosed and patched a couple of serious vulnerabilities in its AirWatch mobile security software. The vulnerabilities allow rooted devices to bypass AirWatch's detection system, potentially accessing encrypted local data within Inbox, AirWatch's containerized email app. How did these vulnerabilities allow rooted devices to bypass these security features?

AirWatch is mobile management software used to protect against compromised mobile devices, known as rooted devices, and to push security settings, email and other functions to a phone as a defense against attackers.

In this case, two vulnerabilities allowed attackers to root devices without the AirWatch software noticing. Normally, when the AirWatch Agent is installed on a device, it checks whether the device is already rooted. A policy created in the AirWatch console tells the agent what to do if root is found during enrollment; typically, the policy is configured so that the AirWatch Agent declines to install on a rooted device.

AirWatch also has apps that can be installed within its suite of products, and one of these apps, the AirWatch Inbox -- a containerized email client that's supposed to provide separation from the data within it and the rest of the device -- was also found to be vulnerable.

The vulnerabilities that were found affect the AirWatch Agent and AirWatch Inbox apps on Android devices. It's worth noting that this isn't possible on the iPhone: Android's open access to its operating system, a double-edged sword, is what made this vulnerability possible.

The AirWatch Agent app for Android is the key issue here, because it failed to detect the root exploit in the first place. During the exploit, the AirWatch Agent does not notice that particular binaries have been renamed, and the device is then rebooted so that the new malicious binaries are loaded. Because the agent never flags the device as rooted, it allows the reboot to proceed, and the device comes back up rooted without the agent considering it compromised. At that point the mobile device is completely compromised, and the AirWatch Agent has detected nothing.
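To show why a root check keyed on fixed binary names is defeated by renaming, here is an added example (not AirWatch's code; the page does not describe how the agent actually checks). It compares a name-based check with a heuristic that looks at setuid-root executables instead, run over a constructed file listing.

```python
"""Name-based vs. attribute-based root detection (illustrative, constructed data)."""
from dataclasses import dataclass
import stat

# Well-known locations a naive root check looks for (assumed sample list).
KNOWN_SU_PATHS = {"/system/bin/su", "/system/xbin/su", "/sbin/su"}


@dataclass(frozen=True)
class FileEntry:
    """Minimal stand-in for a stat() result: path, st_mode bits and owner uid."""
    path: str
    mode: int
    uid: int


def naive_root_check(entries):
    """Flag the device only if a file sits at one of the well-known su paths.
    A renamed su binary is invisible to this check."""
    return any(e.path in KNOWN_SU_PATHS for e in entries)


def setuid_root_check(entries):
    """Flag any setuid-root executable, whatever it is called.
    Heuristic only: a real agent would combine several indicators."""
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    for e in entries:
        if e.uid == 0 and (e.mode & stat.S_ISUID) and (e.mode & exec_bits):
            return True
    return False


# Constructed listings, not captured from a real device.
CLEAN = [
    FileEntry("/system/bin/sh", 0o100755, 0),
    FileEntry("/system/bin/ls", 0o100755, 0),
]
ROOTED = CLEAN + [FileEntry("/system/xbin/su", 0o104755, 0)]
# Same su binary, renamed so its path no longer matches the known list.
RENAMED = CLEAN + [FileEntry("/system/xbin/.daemon", 0o104755, 0)]

if __name__ == "__main__":
    for label, listing in (("clean", CLEAN), ("rooted", ROOTED), ("renamed", RENAMED)):
        print(label, naive_root_check(listing), setuid_root_check(listing))
```

Only the attribute-based check flags the renamed listing; the name-based one passes it as clean.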

The second part of the vulnerability allowed a rooted device to decrypt the data held locally by AirWatch Inbox. Attackers who had already bypassed the AirWatch Agent could take it a step further and bypass the local encryption on the device.

AirWatch has gone to great lengths to ensure the security of its clients' email on mobile devices, and the patch it released should be applied as soon as possible.

Both of these issues, the root bypass and the local encryption bypass, have been remediated with a patch to the AirWatch software. AirWatch highly recommends that all users download the latest version of the AirWatch Agent from the Google Play Store. To fix the Inbox vulnerability, AirWatch insists that PIN-based encryption be enabled, and a new version of the Inbox app also helps remediate the issue.

This was last published in March 2017