PT-2021-11716 · Mobileiron · Mobileiron

Published: 2021-03-29 · Updated: 2024-08-04

CVE-2020-35138

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: MobileIron agents through 2021-03-22 for Android and iOS
Description: The affected MobileIron agents for Android and iOS encrypt the username and password submitted during the authentication process with a hardcoded (static) encryption key that ships inside the app; the key is located in com/mobileiron/common/utils/C4928m.java. Because the same key is present in every copy of the agent, anyone who decompiles it can recover the key and decrypt any captured credential blob, so this application-layer encryption provides no confidentiality of its own (CWE-798, Use of Hard-coded Credentials). It has been noted that there is no connection between this credential encryption and a Man-in-the-Middle (MiTM) attack: the hardcoded key does not by itself let an attacker intercept the agent's traffic, and protection of the credentials in transit rests on the transport channel rather than on this encryption.
Recommendations: Update the MobileIron agents for Android and iOS to a release newer than 2021-03-22, in which the hardcoded encryption key is no longer used. Until the update is deployed, do not treat the agent's application-layer credential encryption as a security control: assume that any credential blob encrypted with the static key can be read by whoever captures it, keep agent authentication to trusted transport and networks, and rotate credentials where capture is suspected. Avoid using the affected agents for sensitive transactions until the issue is resolved.
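The check below is an added example for this entry, not MobileIron's code and not the contents of C4928m.java. It is a small stdlib-only Python scanner that flags the CWE-798 pattern described above in a decompiled Android source tree (for instance jadx output): a SecretKeySpec or IvParameterSpec built directly from a string or byte[] literal, or a final byte[]/String constant named like key material and assigned a literal. The two Java snippets embedded in it are constructed to illustrate the weak form and a form that takes its key from an on-device keystore entry; the class, field and package names are assumptions.

```python
"""Hardcoded-key scanner for decompiled Java sources (added example, not MobileIron code)."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    snippet: str


# CWE-798 heuristics for jadx-style output:
#  1. a SecretKeySpec/IvParameterSpec built directly from a byte[] or string literal;
#  2. a final byte[]/String constant named like key material and assigned a literal.
LITERAL = r'(?:new\s+byte\s*\[\]\s*\{[^}]*\}|"[^"]*"(?:\s*\.getBytes\s*\([^)]*\))?)'
_SPEC_FROM_LITERAL = re.compile(r"new\s+(SecretKeySpec|IvParameterSpec)\s*\(\s*" + LITERAL)
_KEY_CONSTANT = re.compile(
    r"(?:static\s+)?final\s+(?:byte\s*\[\]|String)\s+"
    r"(\w*(?:KEY|IV|SECRET|PASS)\w*)\s*=\s*" + LITERAL,
    re.IGNORECASE,
)


def _finding(path: str, text: str, m: re.Match, kind: str) -> Finding:
    # Line number of the match start; the snippet is that one source line.
    line = text.count("\n", 0, m.start()) + 1
    return Finding(path, line, kind, text.splitlines()[line - 1].strip())


def scan_source(path: str, text: str) -> list[Finding]:
    """Return hardcoded-key findings for one Java file, ordered by line number."""
    found = [_finding(path, text, m, "literal-" + m.group(1))
             for m in _SPEC_FROM_LITERAL.finditer(text)]
    found += [_finding(path, text, m, "constant-" + m.group(1))
              for m in _KEY_CONSTANT.finditer(text)]
    return sorted(found, key=lambda f: f.line)


def scan_tree(root: str) -> list[Finding]:
    """Walk a decompiled source tree (e.g. jadx output) and scan every .java file."""
    out: list[Finding] = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if name.endswith(".java"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    out.extend(scan_source(path, fh.read()))
    return out


# Constructed sample of the weak pattern: key and IV compiled into the app.
WEAK_JAVA = """\
package com.example.agent.utils;

import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class CredentialCipher {
    // same bytes in every installed copy; anyone who decompiles the APK has them
    private static final byte[] STATIC_KEY = new byte[]{
        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f};

    static byte[] encrypt(String username, String password) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(STATIC_KEY, "AES"),
               new IvParameterSpec("0123456789abcdef".getBytes("UTF-8")));
        return c.doFinal((username + ":" + password).getBytes("UTF-8"));
    }
}
"""

# Constructed hardened form: no key bytes in the binary; the key is an on-device
# keystore entry provisioned at enrolment and passed in by the caller (assumption).
HARDENED_JAVA = """\
package com.example.agent.utils;

import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class CredentialCipher {
    static byte[] encrypt(String username, String password, SecretKey key, byte[] nonce)
            throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        return c.doFinal((username + ":" + password).getBytes("UTF-8"));
    }
}
"""


if __name__ == "__main__":
    import sys
    results = (scan_tree(sys.argv[1]) if len(sys.argv) > 1 else
               scan_source("constructed/CredentialCipher.java", WEAK_JAVA)
               + scan_source("constructed/Hardened.java", HARDENED_JAVA))
    for f in results:
        print(f"{f.path}:{f.line}: {f.kind}: {f.snippet}")
```

Run it with a directory argument to scan real decompiled output; without arguments it scans the embedded samples and reports the STATIC_KEY constant and the literal IV in the weak snippet, and nothing in the hardened one. Treat hits as leads to verify by hand: the heuristic finds literals that reach key and IV constructors, it does not prove the key is used for credentials, and it misses keys that are assembled at runtime or obfuscated.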

Weakness Enumeration: Using Hardcoded Credentials (CWE-798)

Related Identifiers: CVE-2020-35138

Affected Products: Mobileiron