Two security researchers have analyzed Adobe's mobile SDK.
During a security audit of Audible's mobile application they found
an improper use of Adobe's SDK (software development kit):
the app shipped with the SDK's insecure default configuration, which disables TLS, so the app's analytics traffic was sent over unencrypted HTTP.
The vulnerability has been assigned CVE-2019-11554.
Explanation of the vulnerability
While analyzing Adobe's SDK default configuration files, the security researchers found an insecure default configuration
file in which the ssl flag is set to false, so the SDK's requests
go over plain HTTP instead of HTTPS, and the message template URL
is also a plain http:// address:
{
  "analytics": {
    ...
    "ssl": false,
    ...
  },
  "messages": [
    {
      ...
      "payload": {
        "templateurl": "http://example.com/subscriptions/{%mcid%}",
        ...
      },
      ...
    }
  ]
}
Adobe has been notified about this issue and has resolved it in the SDK, which Adobe provides as an API for mobile development.
If you want to scan your configuration files for this problem, a public tool
is available on GitHub:
https://github.com/nightwatchcybersecurity/truegaze
Audible is the first affected application that was made public;
the exact number of affected applications is still unknown.
Using this default configuration while building mobile applications is
an easy way to expose sensitive details sent to the analytics vendor,
such as credit card data and personally identifiable information,
to anyone on the network path between the device and the vendor.
If you are developing a mobile application using Adobe's SDK,
we recommend that you update to the latest version, set ssl to true in your configuration, and check that every URL in it uses https.
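To show what the insecure default and the corrected configuration look like side by side, and how a build-time check for them can work, here is an added example (our own code, not Adobe's SDK, not the Audible app and not the truegaze tool). The two config documents are constructed samples in the layout of the fragment above, and the file layout, key names beyond analytics.ssl and templateurl, and the rule that a missing ssl key counts as insecure are assumptions. The check goes a little beyond the fragment: it walks the whole JSON document and flags any string value that is a plain http:// URL, not just templateurl.

```python
import json
import sys
from urllib.parse import urlparse

# Constructed sample in the layout of the vulnerable default configuration
# (assumed file layout; extra keys are placeholders, not real Adobe defaults).
INSECURE_CONFIG = """{
  "analytics": {
    "rsids": "example-rsid",
    "server": "example.invalid",
    "ssl": false
  },
  "messages": [
    {
      "messageId": "constructed-1",
      "payload": {
        "templateurl": "http://example.com/subscriptions/{%mcid%}"
      }
    }
  ]
}"""

# The same constructed file with the two weak settings corrected.
HARDENED_CONFIG = """{
  "analytics": {
    "rsids": "example-rsid",
    "server": "example.invalid",
    "ssl": true
  },
  "messages": [
    {
      "messageId": "constructed-1",
      "payload": {
        "templateurl": "https://example.com/subscriptions/{%mcid%}"
      }
    }
  ]
}"""


def _walk_plaintext_urls(node, path, findings):
    """Recursively collect every string value that is an http:// URL."""
    if isinstance(node, dict):
        for key, value in node.items():
            _walk_plaintext_urls(value, f"{path}.{key}" if path else key, findings)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            _walk_plaintext_urls(value, f"{path}[{index}]", findings)
    elif isinstance(node, str) and urlparse(node).scheme.lower() == "http":
        findings.append(f"{path}: plaintext URL {node}")


def find_insecure_settings(config_text):
    """Return a list of human-readable findings; an empty list means clean."""
    config = json.loads(config_text)
    findings = []
    # Assumption: a missing ssl key is treated as insecure, because the page
    # describes false as the SDK's default; only an explicit true passes.
    analytics = config.get("analytics", {})
    if analytics.get("ssl") is not True:
        findings.append("analytics.ssl: not true, analytics hits go over plain HTTP")
    _walk_plaintext_urls(config, "", findings)
    return findings


if __name__ == "__main__":
    # Usage: python check_config.py ADBMobileConfig.json
    # Without an argument, the two constructed samples are checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            samples = {sys.argv[1]: handle.read()}
    else:
        samples = {"insecure sample": INSECURE_CONFIG, "hardened sample": HARDENED_CONFIG}
    for name, text in samples.items():
        problems = find_insecure_settings(text)
        print(f"{name}: {'OK' if not problems else ''}")
        for problem in problems:
            print(f"  - {problem}")
```

The check is deliberately strict: anything other than an explicit `"ssl": true` is reported, so a config that omits the key does not silently inherit the insecure default, and every http:// string anywhere in the document is reported rather than only the template URL key the advisory happened to show.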
External links:
adobe.com
The Register: Adobe SDK flaw
https://github.com/nightwatchcybersecurity/truegaze
Nightwatch Cybersecurity
adobe.com Acrobat
Pankaj Upadhyay writeup
CVE-2019-11554
If you are using an RSS reader you can subscribe to the blog here:
https://blog.firosolutions.com/exploits/index.xml
https://blog.firosolutions.com/posts/index.xml