CVE-2020-35137

Name of the Vulnerable Software and Affected Versions: MobileIron agents through 2021-03-22 for Android and iOS

Description: The issue concerns a hardcoded API key used for communication with the MobileIron SaaS discovery API. This key is found in the com/mobileiron/registration/RegisterActivity.java file and can be utilized for "api/v1/gateway/customers/servers" requests. It is noted that this feature is opt-in, not enabled by default, and requires an explicit email to support for activation. The vendor currently does not plan to make changes to this feature.

Recommendations: For MobileIron agents through 2021-03-22 for Android and iOS, consider disabling the opt-in feature that utilizes the hardcoded API key until further guidance is provided by the vendor. Restrict access to the "api/v1/gateway/customers/servers" endpoint to minimize the risk of exploitation. Avoid using the feature without explicit support activation to prevent potential issues. At the moment, there is no information about a newer version that contains a fix for this issue.