Android vulnerability where an incorrect SSL certificate is displayed


Android OS contains a vulnerability where an incorrect SSL certificate is displayed.

Android OS contains a vulnerability where a SSL certificate from an outside site is displayed when a user attempts to display a SSL certificate from a site that reads in contents from an outside site.

Shuhei Ohtani of Business information govern CO., LTD reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

  • Android OS versions prior to 2.2


An attacker may trick the user into believing the site being visited is safe, which may lead to phishing attacks.

[For Mobile Device Developers]
Apply the update according to the information provided by Google.

[For Mobile Device Users]
For more information, please refer to the "Vendor Information" below.

This issue has been resolved in Android OS 2.2.
Vendor Information

Google Panasonic Corporation
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2010-4832

  1. JVN : JVN#43105011
  2. National Vulnerability Database (NVD) : CVE-2010-4832
  3. Related document : b/2511635 Browser displays incorrect SSL cert information
Revision History

  • [2011/07/29]
      Web page published
      Vendor Information : Panasonic (Software Download)
      References : Contents were added