How to enable Device Passcode Policy in Android Devices to mitigate CVE-2017-4896


In 2016, a security researcher informed us of their intent to disclose a security vulnerability found during a penetration test of AirWatch products. The pen test demonstrated that the encryption used by Android Inbox was based entirely on information that could be derived from the device and details obtained by reverse engineering the application. Using this information, the researcher was able to decrypt the data protected by Inbox. This issue is described by CVE-2017-4896. It was disclosed in VMware Security Advisory VMSA-2017-0001 on January 30, 2017, and is also discussed in a Knowledge Base article.

Mitigation Steps

If you cannot upgrade to the appropriate apps and Console versions immediately, the issue can be mitigated by enabling the device-level passcode and encrypting the entire device. The admin guides below discuss how to create a passcode profile in the AirWatch Console and how to push it to devices.

| Guide | Section | Description |
| --- | --- | --- |
| VMware AirWatch Mobile Device Management (MDM) Guide | Add a General Profile | This section explains how a user needs to publish a profile and explains all options available. |
| VMware AirWatch Android Platform Guide | Device Passcode Policy | This section explains how to publish a passcode profile. In Android, you must select the profile option to enable device level encryption. |


Additionally, any devices configured through Android for Work are not affected by this issue. You can find information about Android for Work in the VMware AirWatch Integration with Android for Work guide.

Support Contact Information

To open a Support Request, please call your local AirWatch support line or submit a Support Request via myAirWatch.
