Su Mon Kywe

**Name of the Vulnerable Software and Affected Versions** Android versions 5.x through 5.1.1 LMY49H Android versions 6.x through 2016-03-01 **Description** The issue is related to the `getDeviceIdForPhone` function in `internal/telephony/PhoneSubInfoController.java`, which lacks protection of service data. This allows a remote attacker to obtain confidential information using a specially crafted application. The function does not check for the `READ PHONE STATE` permission. **Recommendations** For Android versions 5.x through 5.1.1 LMY49H, update to version 5.1.1 LMY49H or later. For Android versions 6.x through 2016-03-01, update to a version released after 2016-03-01. As a temporary workaround, consider restricting access to the `getDeviceIdForPhone` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 7 **Description** The issue allows attackers to bypass intended limits on incorrect passcode entry, and consequently avoid a configured Erase Data setting, by leveraging the presence of an app in the third-party sandbox. **Recommendations** For versions prior to 7, update to version 7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 7 **Description** The issue concerns the Telephony subsystem, which does not enforce API conformity for access to telephony-daemon interfaces. This allows attackers to bypass intended restrictions on phone calls by using a crafted app that sends direct requests to the daemon. **Recommendations** For versions prior to 7, update to version 7 or later to resolve the issue.