In 2016, a security researcher informed us of their intent to disclose a security vulnerability found during a penetration test of AirWatch products. The pen test demonstrated that the encryption used by Android Inbox was based entirely on information that could be derived from the device and details obtained by reverse engineering the application. Using this information, the researcher was able to decrypt the data protected by Inbox. This issue is described by CVE-2017-4896. It was disclosed in VMware Security Advisory VMSA-2017-0001 on January 30, 2017, and also discussed in a Knowledge Base article.
If you cannot upgrade to the appropriate apps and Console versions immediately, the issue can be mitigated by enabling the device-level passcode and encrypting the entire device. The admin guides below discuss how to create a passcode profile in the AirWatch Console and how to push it to devices.
| Guide | Section | Description |
|---|---|---|
| VMware AirWatch Mobile Device Management (MDM) Guide | Add a General Profile | This section explains how to publish a profile and describes all available options. |
| VMware AirWatch Android Platform Guide | Device Passcode Policy | This section explains how to publish a passcode profile. On Android, you must select the profile option to enable device-level encryption. |
Additionally, any devices configured through Android for Work are not affected by this issue. You can find information about Android for Work in the VMware AirWatch Integration with Android for Work guide.