Bad news if you have the remote management app AirDroid on your Android device: vulnerabilities have been found in the app that could leave users open to attack. The mobile security firm Zimperium found these vulnerabilities in the AirDroid app and said they pose a risk of both data theft and remotely executed attacks.
AirDroid Remote Management App Full of Security Risks
Zimperium said that AirDroid sends out authentication information protected with a hard-coded key, and that people could steal this information through man-in-the-middle attacks. Attackers who got that far could push add-on updates that are malicious in nature. That would lead to the app's permissions being taken over remotely, and the personal information that AirDroid keeps would be in the hands of these man-in-the-middle attackers. This is very bad news for people who use this app: because it is a remote management app, it is more difficult to know whether someone else is getting into your information.
AirDroid is one of the most popular Android remote management applications, but it is the encryption part that contains the vulnerabilities that make it susceptible to a hacker. AirDroid itself has access to a lot of information on the Android device, such as photos, camera, microphone, text messages, SD card data, call logs, and location information as well as contacts. AirDroid has access to literally every important piece of information stored on your Android device, partially because it is a remote management app and partially because those are the permissions this app has. This app can even change network connections, change the system settings, make in-app purchases, and disable the screen lock because it is a remote management app.
AirDroid uses HTTPS connections most of the time, which are encrypted, although there are a few features that only use HTTP connections. When Zimperium looked into the app further the company noted that the encryption key is hard-coded and static, which means it is built into the application and that allows for anyone to get the encryption key. Since 2011, when the app went into the Google Play Store, it has been downloaded more than 20 million times. This does not bode well for Android users since that means millions of users can be affected by the vulnerabilities in the encryption. This also means that millions of unsuspecting Android users are at risk for data theft if they have ever used AirDroid.
There is one vulnerable part of AirDroid which sends information and statistics to a server, but it only does so using DES-encrypted JSON payloads. Many different identifiers are sent, and a hacker could decrypt the JSON payload, since the hard-coded encryption key can also be obtained from the app. The information that is sent can allow a hacker to pose as the real user and then perform various requests and functions, some of which might be nefarious in nature. There would be no way to know whether this was a hacker getting into the system or the user, since it would look identical to the app itself. From there a hacker could install fake updates and then change information to get data sent to another server or log in to personal data remotely.
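The pattern described above (a weak cipher, a key embedded in the app, and a cleartext endpoint) is something a reviewer can flag in decompiled sources before release. The check below is an added example, not code from Zimperium or AirDroid; the Java snippets, file paths, key value, URLs and rule names are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of decompiled Android sources (not AirDroid's real code).
SAMPLE_SOURCES = {
    "com/example/stats/Reporter.java": '''
        private static final String KEY = "k3y12345";
        byte[] enc(String json) throws Exception {
            SecretKeySpec spec = new SecretKeySpec(KEY.getBytes(), "DES");
            Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
            c.init(Cipher.ENCRYPT_MODE, spec);
            return c.doFinal(json.getBytes());
        }
        String endpoint = "http://stats.example.invalid/report";
    ''',
    "com/example/net/Secure.java": '''
        SecretKey k = (SecretKey) keyStore.getKey("session", null);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        String endpoint = "https://api.example.invalid/v1";
    ''',
}

# Hypothetical rule names; each regex is matched against one source line at a time.
RULES = {
    "weak-cipher": re.compile(r'Cipher\.getInstance\(\s*"(?:DES|DESede|RC4)(?:/[^"]*)?"'),
    "static-key": re.compile(r'static\s+final\s+String\s+\w*key\w*\s*=\s*"[^"]+"', re.I),
    "cleartext-url": re.compile(r'"http://[^"]+"'),
}

def scan(sources):
    """Return {path: {rule: [line numbers]}} for every rule that matched."""
    findings = defaultdict(lambda: defaultdict(list))
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule, pattern in RULES.items():
                if pattern.search(line):
                    findings[path][rule].append(lineno)
    return {path: dict(rules) for path, rules in findings.items()}

def static_key_crypto(findings):
    """Files that pair a weak cipher with an embedded key constant."""
    needed = {"weak-cipher", "static-key"}
    return sorted(p for p, rules in findings.items() if needed <= set(rules))

if __name__ == "__main__":
    report = scan(SAMPLE_SOURCES)
    for path in static_key_crypto(report):
        print(path, report[path])
```

A key that every install shares protects nothing once the app package is public, so files flagged by `static_key_crypto` warrant manual review even when the endpoint is HTTPS.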
Zimperium claims it told AirDroid back in May about this issue, and it was said that a fix would be coming in an update. An update to AirDroid happened back in November, but no update or fix was made and the vulnerabilities still exist in the app. It was at that point Zimperium decided to go public with the information since it warned the company and it seems the company did nothing to change the vulnerabilities that are putting users at significant risk.
Sand Studio, the company behind AirDroid, did comment saying that there will be an update and fix to this issue in the next couple weeks. The company said that codes needed to be synchronized to all of the devices and platforms before a fix was released, which is why it did not come with the November update of AirDroid. The company told Zimperium the wrong date, as they told Zimperium the date of the new version release instead of the date of the fix release, but there is one coming. Until the fix is released, Zimperium suggests that Android users both disable the app and then delete AirDroid off of their devices. Zimperium says that people should not use the app until the fixes are put into place and the app is updated with the vulnerabilities fixed.