A race condition in Sophos Secure Workspace for Android was recently discovered and responsibly disclosed to Sophos. It was reported via the Sophos bug bounty program by an external security researcher. The vulnerability has been fixed. There is no action required for customers, as updates are installed automatically by default.
Sophos would like to thank Christian Niel Angel for responsibly disclosing the issues to Sophos.
The remediation prevented a local attacker to bypass the app password. There was no evidence that the vulnerability was exploited and to our knowledge no customers are impacted.
Applies to the following Sophos product(s) and version(s)
Sophos Secure Workspace for Android prior version 9.7.3115
Fix included in Sophos Secure Workspace 9.7.3115 on September 27, 2021
Additionally, Sophos recommends that Sophos Secure Workspace customers upgrade to the latest available release