AirDroid is one of several services that allow Android users to send and receive text messages, as well as transfer files and see notifications, from their computer. According to Google Play Store statistics, AirDroid has somewhere between 10 and 50 million installs, which does not include installations via APKs available on the Internet.
Security firm Zimperium has performed an analysis of the way AirDroid communicates with other devices and has discovered the app contains a vulnerability that could allow a malicious third party to execute code on a targeted device.
The report claims that AirDroid relies on an insecure communication method to send the data that authenticates devices to its statistics servers. This is mainly due to AirDroid using the same HTTP request to authorize the device and send usage statistics. This request is encrypted, but the key is hardcoded into the app itself. This means every AirDroid installation carries the same key, so an attacker can acquire it as well.
Attackers on the same network can intercept the authentication request (a man-in-the-middle attack) and use the acquired key to retrieve private account information. This includes the email address and password associated with the AirDroid account.
Here’s a quick video that demonstrates the flaw in the code.
If that doesn’t sound very bad, things do get worse. By setting up a transparent proxy, an attacker can intercept the network request AirDroid sends to check for add-on updates and modify a certain line of code in the response, allowing the attacker to execute custom code on the device. AirDroid would then notify the user of an add-on update, download a malicious APK, and ask the user to accept the installation. This could have severe implications for anyone who uses AirDroid over an insecure Wi-Fi network.
Zimperium notes that AirDroid does rely on secure HTTP API endpoints, but it found other insecure channels are used to perform specific functions in the app.
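As an added illustration (not code from AirDroid or Zimperium), here is one way a client can keep an update response that was altered on the network from ever reaching the install prompt: the update manifest is signed with a vendor private key, the app pins only the public key, and the package must match the hash named in the signed manifest. The manifest format, the class and method names, and the key pair generated in `main` are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

public class SignedUpdateCheck {
    static String sha256Hex(byte[] data) throws GeneralSecurityException {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(data))
            sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Accept only if (1) the manifest signature verifies against the pinned vendor
    // public key and (2) the package hashes to the sha256 the signed manifest names.
    static boolean acceptUpdate(PublicKey pinned, byte[] manifest, byte[] sig, byte[] pkg)
            throws GeneralSecurityException {
        Signature v = Signature.getInstance("SHA256withECDSA");
        v.initVerify(pinned);
        v.update(manifest);
        if (!v.verify(sig)) return false;            // manifest altered in transit
        for (String line : new String(manifest, StandardCharsets.UTF_8).split("\n"))
            if (line.startsWith("sha256="))
                return line.substring(7).equals(sha256Hex(pkg));
        return false;                                 // no hash field: fail closed
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair standing in for the vendor's signing key. Only the
        // public half would ship in the client; the private half never leaves the vendor.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair vendor = kpg.generateKeyPair();

        // Constructed sample package and manifest (hypothetical format).
        byte[] pkg = "constructed add-on package bytes".getBytes(StandardCharsets.UTF_8);
        byte[] manifest = ("version=1.0.1\nsha256=" + sha256Hex(pkg))
                .getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(vendor.getPrivate());
        s.update(manifest);
        byte[] sig = s.sign();

        // Case 1: manifest and package exactly as the vendor signed them.
        System.out.println(acceptUpdate(vendor.getPublic(), manifest, sig, pkg));
        // Case 2: manifest rewritten on the network, original signature reused.
        byte[] altered = new String(manifest, StandardCharsets.UTF_8)
                .replace("1.0.1", "9.9.9").getBytes(StandardCharsets.UTF_8);
        System.out.println(acceptUpdate(vendor.getPublic(), altered, sig, pkg));
        // Case 3: manifest untouched, package replaced with different bytes.
        byte[] swapped = "different package".getBytes(StandardCharsets.UTF_8);
        System.out.println(acceptUpdate(vendor.getPublic(), manifest, sig, swapped));
    }
}
```

Unlike a symmetric key hardcoded in the app, the pinned public key can only verify signatures, so extracting it from the app does not let anyone produce a manifest the client will accept.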
What’s worse is that Zimperium notified AirDroid of these vulnerabilities on May 24, and AirDroid acknowledged them. The security firm then claims to have followed up closely until AirDroid informed it of the AirDroid 4.0 update, which was released last month. Zimperium later discovered that version 4.0 still had all these same issues, and finally went public with the security vulnerabilities today.
To summarize, attackers on the same network as an AirDroid user can intercept user information, so it is recommended that you do not use AirDroid, at least on public networks. Sandbox, the developers behind the app, had about seven months to fix the issue and yet have done nothing about it. It’s a shame to put users at risk when you’re aware of the flaws.
To be fair, while security flaws such as this one are serious, there is very little chance of you falling victim to an attack that uses them. But why take risks, right?
Source: Zimperium