Alta Video — 1655: iOS mobile app allowed HTTP via insecure App Transport Security configuration
Release Date
10th February 2025.
Overview
A vulnerability was discovered in the Alta Video iOS application's App Transport Security (ATS) configuration, which permitted insecure HTTP connections. This allowed the app to communicate with arbitrary domains over HTTP, opening up the possibility of a man-in-the-middle attack.
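An added example, not code from Alta Video or from this advisory: a Python check that parses an iOS `Info.plist` and reports ATS settings that permit cleartext HTTP. The advisory does not say which ATS key was involved; the keys checked are Apple's documented ATS keys, and the sample plists and the domain `legacy.example.test` are constructed for illustration.

```python
import plistlib

# Apple ATS keys that relax the HTTPS-only default, with the scope each affects.
GLOBAL_RELAXATIONS = {
    "NSAllowsArbitraryLoads": "all connections",
    "NSAllowsArbitraryLoadsInWebContent": "web view content",
    "NSAllowsArbitraryLoadsForMedia": "AVFoundation media loads",
}

def audit_ats(plist_bytes):
    """Return findings for ATS settings that permit cleartext HTTP."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    # App-wide switches: any of these set to true allows HTTP to any host.
    for key, scope in GLOBAL_RELAXATIONS.items():
        if ats.get(key) is True:
            findings.append(f"{key}: cleartext HTTP permitted for {scope}")
    # Per-domain exceptions: narrower, but still cleartext for the named host.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            sub = " and its subdomains" if rules.get("NSIncludesSubdomains") else ""
            findings.append(f"{domain}: cleartext HTTP permitted for this domain{sub}")
    return findings

def sample_plist(ats_body):
    """Wrap an ATS dictionary body in a minimal, constructed Info.plist."""
    return (b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
            b"<key>NSAppTransportSecurity</key><dict>" + ats_body +
            b"</dict></dict></plist>")

# Constructed samples: app-wide opt-out, a scoped exception, and a strict config.
WEAK = sample_plist(b"<key>NSAllowsArbitraryLoads</key><true/>")
SCOPED = sample_plist(
    b"<key>NSExceptionDomains</key><dict><key>legacy.example.test</key><dict>"
    b"<key>NSExceptionAllowsInsecureHTTPLoads</key><true/>"
    b"<key>NSIncludesSubdomains</key><true/></dict></dict>")
HARDENED = sample_plist(b"<key>NSAllowsArbitraryLoads</key><false/>")

if __name__ == "__main__":
    for name, data in (("weak", WEAK), ("scoped", SCOPED), ("hardened", HARDENED)):
        print(name, audit_ats(data) or "no cleartext HTTP allowed by ATS")
```

Run against the `Info.plist` of a build artifact, an empty result means ATS keeps its HTTPS-only default for that app.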
Affected Products
- Alta Video:
  - Android app versions before 3.9.0.
  - iOS app versions before 3.9.0.
Unaffected Products
- Alta Video:
  - All Android app versions after and including 3.9.0.
  - All iOS app versions after and including 3.9.0.
  - All Web client versions.
- Avigilon Cloud-Native Cameras: all versions.
- Alta Video Cloud: all versions.
Resolution
This issue has been fixed in version 3.9.0 of the Alta Video Android & iOS mobile apps.
It is *strongly recommended* that all installations running an affected version are upgraded to the latest release as soon as possible. Releases are available to download through the Google Play Store or the App Store.
Vulnerability Information
- CVSSv3 score: 5.6 (Medium)
- CVSSv3 vector: [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
Mitigations
There are no known mitigations for this issue.
Workarounds
There are no known workarounds for this issue.
Acknowledgements
Issue found internally by Alta Video.
Disclosure Timeline
- 05/10/2024 Issue found
- 07/10/2024 Root cause established
- 07/10/2024 Fix identified
- 10/12/2024 Patched versions of the Android & iOS apps released
- 10/02/2025 Vulnerability publicly disclosed