Published: 2018/05/11  Last Updated: 2018/05/11

Information from Internet Initiative Japan Inc.

Vulnerability ID:JVN#27137002
Title:IIJ SmartKey App for Android vulnerable to authentication bypass

This is a statement from the vendor itself with no modification by JPCERT/CC.

* Affected Version

- IIJ SmartKey for Android 1.0.0 - 2.1.0

(*) NOT affect to IIJ SmartKey for iOS

* Inpact
A user, who does not unlock an application locking and do certain operations, can watch a TOTP one time password.

* Solution
IIJ release fixed version of IIJ SmartKey for Android.
Please update IIJ SmartKey for Android to following version, or newer.

- IIJ SmartKey for Android 2.1.1

(*) NOT require to update IIJ SmartKey for iOS

* Avoid by setting
Please lock your Android device.