Skip to main content

Use of Hard-coded Credentials


Severity High
Score 9.8/10


The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded encryption key, used to encrypt the submission of username/password details during the authentication process, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in the com/mobileiron/common/utils/ file. NOTE: It has been asserted that there is no causality or connection between credential encryption and the MiTM attack

  • LOW
  • HIGH
  • NONE
  • NONE
  • HIGH
  • HIGH

CWE-798 - Use of Hard-coded Credentials

The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.


Advisory Timeline

  • Published