Rather large security hole in Touchdown?

magnavita · November 21st, 2009, 10:36 AM

I think I stumbled upon a rather large security hole in Touchdown and its pin entry.

I have a myTouch with the latest apps and patches on it. Nothing fancy, not rooted.

If, when you get to the pin entry dialog in Touchdown, you simply switch to the phone app, then use the Back button (or Home, then Back...haven't done extensive testing), you're presented your Touchdown home - no pin entry blocking you, even after a fresh powerup.

Is this sort of a known hack around these pin-style apps? Or is this a problem with the way Touchdown's pin entry works?

Either way, a note to the developers is probably warranted? These days, IT depts are getting more and more secure-conscious with powerful phones like this, and may be upset to know that emails and contacts are as insecure as this. It was suggested by my IT dept that I purchase Touchdown a few months ago, and it works great, but this makes me worry.

Rongo · April 1st, 2011, 04:55 PM

can this be reproed over and over?

We've tried this on a couple devices and haven't been able to make this happen.

this is a stock ROM, not rooted device, correct?

Would you please send a mail to support@nitrodesk.com so our support folks can walk you through generating a diagnostics log so that we can see what's happening on your device.

Thanks!

Ron

stevenlong · April 1st, 2011, 05:04 PM

I can't get this to happen on my dell streak.

I have noticed that the pin is cached, or there is some time out value associated with when you enter the pin so that if I return to touchdown with a short period of time I will not get the prompt for a pin.

Rongo · April 1st, 2011, 05:08 PM

right....that's a "time-out" setting that's pushed form Exchange. they admin can say that it will only require the PIN if it's been more than 2 minutes since the data was last accessed, etc.

if anyone else can test the above scenario and report back, please do and let me know what type of device and what version of Android.

Thanks!

AngryHatter · April 1st, 2011, 05:12 PM

Quote:

Originally Posted by Rongo

can this be reproed over and over?

We've tried this on a couple devices and haven't been able to make this happen.

this is a stock ROM, not rooted device, correct?

Would you please send a mail to support@nitrodesk.com so our support folks can walk you through generating a diagnostics log so that we can see what's happening on your device.

Thanks!

Ron

The post is 2 years old?

Yeahha · April 1st, 2011, 05:45 PM

Quote:

Originally Posted by AngryHatter

The post is 2 years old?

We know the devs over at touchdown are on top of their game scouring forums feedback on their app

Rongo · April 1st, 2011, 06:04 PM

yes, it is old, but we had another user report the issue today and referenced this article.

It's been fixed long ago but we just want to be sure. too many folks are relying on TouchDown to leave anything to chance.

Football Fans: Download the 2012 Schedule App from Google Play!