Ava-725: Ava Aware iOS app accepts self-signed SSL certificates for WebSocket connections

Release Date

13th January 2023.

Overview

If the iOS app detects that a deployment is using an untrusted SSL certificate, the user is warned and the certificate signature is trusted only if the user accepts the risk. However this protection is only enforced by HTTP requests and not by WebSocket connections, leaving the app vulnerable to man-in-the-middle attacks on those connections.

Affected Products

• Ava Aware:
  • All versions of the iOS app before 2.11.0.

Unaffected Products

• Ava Aware:
  • All versions of the iOS app after and including 2.11.0.
  • All versions of the Android and web clients.
• Ava Cameras: all versions.
• Ava Cloud: all versions.

Resolution

This issue has been fixed in the Ava Aware iOS App 2.11.0.

It is highly recommended that all users on running an affected version of the app upgrade to the latest release as soon as possible. Releases are available to download through TestFlight or the App Store.

Vulnerability Information

• CVE: pending
• CVSSv3 score: 7.5 (High)
• CVSSv3 vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Mitigations

There are no known mitigations for this issue.

Work arounds

There are no known work arounds for this issue.

Acknowledgements

Issue found internally by Ava Security.

Disclosure Timeline

• 17/11/2022 Issue found internally by Ava Security
• 17/11/2022 Root cause established
• 17/11/2022 Fix identified
• 13/01/2023 The 2.11.0 iOS app was released on the App Store
• 19/01/2023 Vulnerability publicly disclosed