At least 10 million Android users are vulnerable to dangerous Man-in-the-middle attacks due to several vulnerabilities in the popular AirDroid app.
AirDroid Discovered To Host Multiple Security Flaws
The popular Android app AirDroid, which is used for file transfer and messaging over a wireless connection to a computer, has been found to contain multiple security vulnerabilities. As this is one of the most popular applications of its type, researchers estimate that at least 10 million users are affected. The discovery was made by a team from Zimperium, a mobile security company, which released details about the flaws. They allow remote attackers to carry out man-in-the-middle attacks that can extract user information and execute arbitrary code on the affected devices. This is achieved by abusing several built-in features of the mobile app.
The Android AirDroid Vulnerability Details
The security experts discovered that the mobile app relies on insecure communication channels to transfer the data used to authenticate the device. The requests are encrypted with the DES cipher, but the encryption key is hardcoded into the application itself, which makes it known to attackers. This means that any malicious party connected to the same network as the target device can carry out man-in-the-middle attacks to obtain the authentication tokens and impersonate the device owner. The attackers can also abuse the network requests used for update checking to inject an arbitrary APK, thereby installing other malware at will.
The experts recommend the following steps to mitigate the threat:
- Use only secure communication channels ( HTTPS )
- Verify the remote public key ( key pinning ) in order to avoid SSL MITM
- For additional encryption, use safe key exchange mechanisms such as Diffie-Hellman instead of hardcoded encryption keys inside the app
- Leverage and verify digital signatures for update files
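As an added illustration, not code from the page or from AirDroid itself, the following shows how the last recommendation closes the update-injection path described above: the app pins only the vendor's public key and refuses any APK whose signed manifest does not verify. The manifest format, the Ed25519 key pair and the APK bytes are constructed for this demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// UpdateManifest is a constructed stand-in for what an update server returns:
// the version offered and the SHA-256 of the APK bytes.
type UpdateManifest struct {
	Version   string
	APKSHA256 string
}

// manifestBytes serialises the manifest deterministically so that the vendor's
// signature and the client's verification cover exactly the same bytes.
func manifestBytes(m UpdateManifest) []byte {
	return []byte(m.Version + "\n" + m.APKSHA256 + "\n")
}

// SignManifest is the vendor-side step, done offline with a private key that
// never ships inside the app (unlike a hardcoded symmetric key).
func SignManifest(priv ed25519.PrivateKey, m UpdateManifest) []byte {
	return ed25519.Sign(priv, manifestBytes(m))
}

// VerifyUpdate is the client-side check: the app carries only the vendor's
// public key, pinned at build time, so a party on the network path cannot
// produce a manifest the app accepts, and the APK hash must match the signed
// manifest before anything is installed.
func VerifyUpdate(pinnedPub ed25519.PublicKey, m UpdateManifest, sig []byte, apk []byte) bool {
	if !ed25519.Verify(pinnedPub, manifestBytes(m), sig) {
		return false // manifest was not signed by the vendor's key
	}
	sum := sha256.Sum256(apk)
	return hex.EncodeToString(sum[:]) == m.APKSHA256
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)     // vendor key pair (constructed)
	apk := []byte("constructed APK bytes v4.0.3") // placeholder update payload
	sum := sha256.Sum256(apk)
	m := UpdateManifest{Version: "4.0.3", APKSHA256: hex.EncodeToString(sum[:])}
	sig := SignManifest(priv, m)
	fmt.Println("genuine update accepted:", VerifyUpdate(pub, m, sig, apk))
	// Payload swapped on the wire: hash no longer matches the signed manifest.
	fmt.Println("swapped APK accepted:", VerifyUpdate(pub, m, sig, []byte("other")))
}
```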
In addition, it is highly recommended that everyone use a trusted mobile threat protection solution and disable or uninstall the app until a relevant security update is issued by the AirDroid developers.
For more information you can read the full analysis which is available on Zimperium’s blog.
AirDroid Patched The Critical Flaw
The AirDroid security team started working on a security update shortly after Zimperium publicly disclosed the critical vulnerability. In version 4.0.3 the company dropped support for older versions altogether and updated the software. The company has stated that it switched the communication channel to HTTPS and improved the encryption method used.
Due to the cross-platform nature of the application, the patch was delayed until it was complete. Researchers from Zimperium have tested the new version and concluded that it fixes the main remote code execution vulnerability.