CVE-2019-5625

Name of the Vulnerable Software and Affected Versions Halo Home versions prior to 1.11.0

Description The issue allows an attacker to impersonate a legitimate user by reusing stored OAuth authentication and refresh access tokens. These tokens are stored in a clear text file, which remains until the user logs out and reboots the device. An attacker could exploit this to view and change the user's personal information in the backend cloud service, but would first need to gain physical control of the Android device or compromise it with a malicious app.

Recommendations For versions prior to 1.11.0, update to version 1.11.0 or later to resolve the issue. As a temporary workaround, consider regularly logging out of the application and rebooting the device to minimize the persistence of stored OAuth tokens. Restrict access to the device and use caution when installing applications to reduce the risk of compromise.