How did vulnerabilities in AirWatch Agent and Inbox work?
Flaws in AirWatch Agent and AirWatch Inbox allowed rooted devices to bypass the software's security measures. Expert Matthew Pascucci explains how these vulnerabilities worked.
VMware disclosed and patched a couple of serious vulnerabilities in its AirWatch mobile security software. The vulnerabilities allow rooted devices to bypass AirWatch's detection system, potentially accessing encrypted local data within Inbox, AirWatch's containerized email app. How did these vulnerabilities allow rooted devices to bypass these security features?
AirWatch is mobile device management software that can be used to protect against compromised mobile devices (devices that have been rooted) and to push security settings, email configuration and other functions to a phone in order to defend it against attackers.
In this case, two vulnerabilities allowed attackers to root devices without the AirWatch software noticing. Normally, when the AirWatch software is installed on a device, it checks whether the device is already rooted. A policy can be created in the agent console that tells the agent what to do if a rooted device is found during enrollment. Typically, the policy is configured so that the AirWatch Agent declines to install if the installation is being attempted on a rooted device.
AirWatch also has apps that can be installed as part of its suite of products. One of these, the AirWatch Inbox, is a containerized email client that is supposed to separate the data inside it from the rest of the device; it was also found to be vulnerable.
The vulnerabilities that were found affect the AirWatch Agent and AirWatch Inbox apps on Android devices. It's worth noting that this isn't possible on the iPhone: the vulnerability was made possible because Android allows open access to its operating system, which is a double-edged sword.
The AirWatch Agent app for Android is the key issue here, since it failed to detect the root exploit in the first place. During the exploit, the AirWatch Agent does not notice particular binaries being renamed, and the device is then rebooted so that the new malicious binaries are loaded. Because the agent does not recognize this as rooting, it allows the reboot to occur and the device comes back up rooted without the agent software considering it compromised. At that point the mobile device is completely compromised, and the AirWatch Agent has not detected it.
The second part of the vulnerability allowed a rooted device to decrypt the data within the local AirWatch Inbox. This allowed attackers that had already bypassed the AirWatch Agent to take it a step further, bypassing the local encryption on the device.
AirWatch has gone to great lengths to ensure the security of its clients' email on mobile devices, and the patch it released should be applied as soon as possible.
Both of these issues, the root bypass and the local encryption bypass, have been remediated with a patch to the AirWatch software. AirWatch highly recommends that all users download the latest version of the AirWatch Agent from the Google Play Store to remediate this issue. To fix the Inbox vulnerability, AirWatch has insisted that PIN-based encryption be enabled, and it has stated that a new version of the Inbox app can assist with remediating the issue.