In 2016 a security researcher informed us of intent to disclose a security vulnerability found during a penetration test of our products. The pen test demonstrated that the encryption used by Android Inbox was based entirely on information that could be derived from the device and details obtained by reverse engineering the application. Using this information, the researcher was able to decrypt the data protected by Inbox. While Android Inbox was the only product tested, the same limitation is present in the encryption schemes of other AirWatch Android applications available in March 2016. Note: VMware Boxer was not a product at the time and has never contained this vulnerability.
After finding this vulnerability, the security researcher informed VMware of the issue and of the desire to publicly announce the issue. Adhering to our policy of responsible disclosure, AirWatch agreed to a joint announcement with the researcher following the remediation of the vulnerability in all supported AirWatch products.
AirWatch and the security researcher will simultaneously announce the details of the vulnerability on an agreed upon date of January 30, 2017. These issues are documented in VMware Security Advisory: VMSA-2017-0001. The security researcher also plans to announce the findings on their website and also register the vulnerability in the National Vulnerability Database (NVD).
Separately, AirWatch identified a weakness in the iOS SDK cryptographic protection scheme related to a session encryption key which may have allowed an attacker to anticipate the key value and access application data. While this weakness has not been publicly disclosed, we made a decision to resolve this vulnerability at the same time to ensure improved protection schemes across both the Android and iOS platforms.
The results in both cases are changes to application behavior and an overall improved cryptographic protection scheme.
What can our customers do?
Pin Based Encryption (PBE) prevents unauthorized decryption of information protected by AirWatch applications by including a user secret (pin or passcode) in the cryptographic protection scheme. AirWatch has provided the option for PBE in the following versions of Android applications already available on public app stores.
- Android Agent 7.0*
- Android Browser 5.12
- Android Container 3.3
- Android Content Locker 2.12
- Android Workspace ONE 2.2
- Android Inbox 2.12
- Android Video 1.12
*PBE is not enabled by default in the AirWatch Agent for Android. Customers will need to enable PBE in Workspace ONE UEM (AirWatch) Console 9.0.1 and above. Customers do not need to enable PBE for Android productivity apps, as PBE is enabled by default.
The following iOS applications have also been updated to reflect the improved cryptographic protection scheme.
- iOS Agent 5.4
- iOS Browser 5.12
- iOS Container 2.4
- iOS Content Locker 3.12
- iOS Inbox 2.12
- iOS Video 1.12
By enabling PBE on Android, Agent behavior will be affected to where profile configuration will be limited immediately after a device reboot. Please make sure you review the SSO and authentication behavior changes for AirWatch iOS and Android apps Knowledge Base article and the associated behavior changes prior to enabling.
The following AirWatch applications do not use encryption in a manner that is affected by the vulnerability and are therefore out of scope for remediation:
- iOS Boxer
- Android Boxer
- iOS Workspace ONE
If you cannot upgrade to the appropriate apps and Console versions immediately, then the issue can be mitigated by enabling the device level passcode and encrypting the entire device. Check the How to enable Device Passcode Policy in Android Devices to mitigate CVE-2017-4896 article for more information.
Q: What happens if an end user forgets their pin or passcode? Is encrypted data unrecoverable?
A: On Android and iOS, users can use the forgot pin code functionality to set a new pin or passcode and re-encrypt all data with that pin. Users will be asked to enter their username and password to reset the pin code. This is possible because a copy of the encryption key is escrowed on the server with a string stored locally on the device. The AirWatch administrator does not have the ability to decrypt the user's escrow key.
Q: Are there any behavioral or workflow changes as a result of PBE?
A: When PBE is enabled, the user’s pin or passcode is used to encrypt all application data. The user will need to enter her pin or passcode before any AirWatch-protected information is accessed or stored. Some AirWatch functionality occurs in the background, and does not require user interaction - for example, syncing files or mail, or sending sample data to the AirWatch DS endpoint. In such cases, the encryption key is stored temporarily in memory to facilitate background sessions. However, if applications are force-closed or the device is rebooted, the pin or passcode will need to be re-entered to unlock the data and start a new session.
- Android: When new Android applications are installed, the pin or passcode must be entered initially upon launching the new application. Additionally, AirWatch cannot save sensitive information (such as MDM profiles) until the user pin is provided. If the sole communication method for a device is configured through AirWatch MDM, then customers must ensure appropriate lifecycle management practices to guarantee the presence of user pin prior to rotating certificates.
- iOS: When new iOS applications are installed, the pin or passcode must be entered initially upon launching the new application, but does not need to be entered again until the device is rebooted, the application is force-closed via user, application crash, or the operating system’s memory management. In some cases, application sessions may 'time out,' resulting in the need for the user to re-enter the pin or passcode. This timeframe will vary on iOS, based on the number of running applications and other background processes.
Q: How does PBE affect SSO?
A: As a result of the new encryption scheme some changes have been made to the SSO workflow which may require users to encounter an application-layer pin or passcode entry requirement more frequently depending on the user's behavior. When the device is initially booted, for example, users are required to enter their pin or passcode in order to initially 'unlock' AirWatch application data. After this initial entry, the pin or passcode will only need to be entered periodically when the user's authenticated session expires, or when an application is force-closed.
Q: What is responsible disclosure?
A: Responsible disclosure is a well known and widely practiced security policy to which VMware subscribes. Working with independent security researchers and other third parties to responsibly and jointly disclose vulnerabilities in VMware products helps prevent "zero day" vulnerabilities from affecting our customers without first having a mitigation or fix in place. Through responsible disclosure, VMware protects our customer base while working closely with the security community to improve our products.