AirDroid Vulnerabilities Pose Huge Security Risks, Disable Them Now [updated]

According to a recent report, AirDroid, the popular Android desktop manager, has some pretty nasty vulnerabilities. If you are not using it on a fully trusted network, you should probably disable or uninstall it until it is fixed.

We’ve long been recommending AirDroid because it’s a convenient way to remotely access everything on your phone while you’re on your desktop. However, according to mobile security company Zimperium, there are several vulnerabilities that could allow attackers to intercept communications between your phone and your computer if they are on the same network. A man-in-the-middle attack could allow someone to steal your email address and password for your AirDroid account, or even run malicious code on your device. Attackers can also hijack the update mechanism and replace the new AirDroid version with their own APK. In short, this is a huge security hole.

The only saving grace here is that an attacker must be on your network to do this. If you live on a farm far from civilization and only you and your family are connected to your Wi-Fi network, you are probably safe. However, if you live in an apartment building or don’t have a solid security system on your network, you should probably stop using AirDroid until it’s fixed. Remember, Wi-Fi networks are easy to hack in most cases. If you can’t verify every person in your network’s coverage area, you shouldn’t assume that you are 100% safe from something like this.

According to Zimperium, AirDroid developers were notified of this vulnerability on May 24, 2016 and acknowledged it a few days later. AirDroid hasn’t commented on why there hasn’t been a patch yet, but hopefully public pressure will convince AirDroid to fix the bug. Until then, we cannot recommend using it.

Update: AirDroid has responded and reports that a patch to address this issue will be released within the next two weeks. You can read the full statement on this issue here.

Update 12/09: AirDroid reports that the issue has been fixed in the latest version available. If you are an AirDroid user, download the update from Google Play now. An AirDroid spokesperson emphasizes:

The problem is fixed in the update

Along with other security improvements, we have updated communication channels to https and improved the encryption method.

Due to the cross-platform nature of AirDroid, it took us a while to develop a custom solution and improve our security in all aspects. At the end of November, we introduced a restructuring coding system in AirDroid 4.0 and AirDroid 4.0.0.1 to ensure compatibility across all platforms is working fine. After careful evaluation, we began partial rollout of this update earlier this month to customers to ensure seamless communication. We are now finally able to fully release this update to fix this issue and to provide better protection for our users.

We will keep getting better

However, when it comes to security, we never touch on only superficial information. Since we are well aware of the speed of cyberattacks, we will continue to work on an existing project to improve AirDroid for our users to better protect them from potential threats in the future.

At the end of the day, AirDroid’s top priority is always to ensure strict cybersecurity, to further improve AirDroid functionality for our users, and to enjoy their multi-screen life.

AirDroid Multiple Vulnerability Analysis | Zimperium via Android Police
