News: MitM Vulnerability in Android Phones
Yes, that’s a big ouch.
Here’s a simplified (it’s just to give a general idea folks, not meant to be a legit) example:
1. I take a router that I’ve configured to impersonate a valid router in the environment.
2. I stick a self-generated SSL certificate.
3. I push out an Exchange device wipe command from the fake router to devices that connect to the fake.
4. User cries.
Granted, IRL things are more complicated but it’s embarrassing that such an attempt with fake certs even works. Pay attention to your connections, watch out for self-signed certs, and bug someone to fix this.
PS: Apple users, don’t gloat, iOS was also stung by this. WP was the only one immune. Double ouch.