Platform: android
Component: halo-home-android-app
Fixed in: 1.11.1
CVE-2019-5625 affects the Halo Home Android application prior to version 1.11.0. The vulnerability is the insecure storage of OAuth access and refresh tokens in a cleartext file on the device. An attacker who gains physical access to the device, or otherwise compromises it, could use these tokens to impersonate a legitimate user and access the user's personal information stored in the backend cloud service.
The primary impact of CVE-2019-5625 is unauthorized access to a user's Halo Home account and associated data. An attacker with physical access to the device or the ability to install a malicious application could extract the cleartext OAuth tokens. With these tokens, the attacker could then impersonate the user, viewing and modifying their settings, potentially controlling connected smart home devices. The blast radius is limited to the individual user's account and associated devices, but the potential for privacy breaches and unauthorized control is significant. This vulnerability highlights the importance of secure storage of sensitive credentials on mobile devices.
CVE-2019-5625 was publicly disclosed on May 22, 2019. There are no known active campaigns exploiting this specific vulnerability. Public proof-of-concept code is not widely available, likely due to the requirement for physical device access. The vulnerability's low CVSS score reflects the need for physical access, limiting its immediate exploitability. It was not added to the CISA KEV catalog.
Exploit Status
EPSS: 0.08% (24th percentile)
CVSS Vector
The primary mitigation for CVE-2019-5625 is to upgrade the Halo Home Android application to version 1.11.0 or later. This version addresses the insecure storage of OAuth tokens. As a temporary workaround, users can manually log out of the application and reboot their device to clear the stored tokens, although this is not a complete solution. Consider implementing device lock policies and enabling two-factor authentication on the Halo Home account to add an additional layer of security. Regularly review app permissions granted to the Halo Home application.
Update the Halo Home application to version 1.11.0 or later from the Android app store. This version fixes the insecure storage of OAuth tokens. As an additional measure, consider logging out of the application and rebooting the device to remove any previously stored tokens.
CVE-2019-5625 is a vulnerability in the Halo Home Android app where OAuth tokens are stored in a cleartext file, potentially allowing unauthorized access to user accounts.
You are affected if you are using a version of the Halo Home Android app prior to 1.11.0. Upgrade to the latest version to resolve the issue.
Upgrade the Halo Home Android app to version 1.11.0 or later. As a temporary measure, log out and reboot your device.
There are no known active campaigns exploiting CVE-2019-5625, but the vulnerability remains a risk if the app is not updated.
Refer to the Halo Home security advisory published on May 22, 2019, for details on the vulnerability and the fix.