Android apps based on Adobe AIR SDK send out unencrypted data
Developers using the Adobe AIR SDK should update to the latest version of the software development kit and rebuild their apps as soon as possible if they don’t want their users’ traffic exposed to attackers.
The flaw, discovered by Nightwatch Cybersecurity researchers while monitoring network traffic during testing of some Android applications, concerns the runtime analytics that AIR applications send to several Adobe servers: that traffic is unencrypted.
“Because encryption is not used, this would allow a network-level attacker to observe the traffic and compromise the privacy of the applications’ users,” the researchers noted.
The bug affects all Android apps compiled with the Adobe AIR SDK versions 22.0.0.153 and earlier.
Adobe was apprised of the issue in June and on Tuesday released v23.0.0.257 of the Adobe AIR SDK & Compiler, which plugs the hole.
Even though the issue is not critical, Adobe has encouraged developers to recompile captive runtime bundles after applying this update.