After no response from the vendor after six months, a security researcher disclosed a dangerous flaw.
After no response from the vendor after six months, a security researcher disclosed a dangerous flaw.
Owing to insecure communication channels, the Android app AirDroid may put its 50M users at risk of man-in-the-middle attack, data exposure and loss of control to remote attackers, according to a new report from Zimperium zLabs.

"AirDroid relies on insecure communication channels in order to send the same data used to authenticate the device to their statistics server," wrote Simone Margaritelli, security researcher at Zimperium zLabs, and author of the report. The requests are encrypted with DES (ECB mode), he explained, but the encryption key is hardcoded inside the application itself, thereby exposing it to attackers. An intruder scanning the network has visibility into a target device and so can launch MITM attacks to siphon off authentication credentials, which are displayed in the “Details” section from the very first HTTP request the application performs. Once the attacker acquires this data, they can assume the actual owner's identity and send off further requests.

Beyond information leakage, the exploit can also enable the remote hijacking of update APK. This could allow remote code execution by attackers, Margaritelli wrote. The cyberthief achieves this by exploiting the app's built-in functionalities and uses them against its users, he said.

The exploit is potentially dangerous as the user base for AirDroid, a remote management tool for Android, is estimated at more than 50 million devices, according to the Google Play Store.

To avoid this security infraction, Margaritelli advised users to use only secure communication channels (HTTPS); verify the remote public key (key pinning) in order to avoid SSL MITM; and leverage and verify digital signatures for update files. For added encryption protection, he suggested that device owners use safe key exchange mechanisms, such as Diffie-Hellman, instead of hardcoded encryption keys inside the app.

In an email exchange on Friday with SC Media, Margaritelli said he had alerted the vendor in May about this vulnerability and multiple times after that. While he expected the app developer to issue a patch, after six months still nothing happened. The vendor released version 4.0.0 and then 4.0.1, he told SC, but still no security released fix was issued. That's when he issued his disclosure.

"A surface attack of 10M to 50M users is quite unique," he explained. "Moreover, this is a RCE vulnerability, which means an attacker has total control over the targeted devices remotely."

As to whether he's seen an attack like this previously, Margaritelli said it's similar to other vulnerabilities, such as the SwiftKey one. But, even though it's similar to previous attacks, that only reinforces the need for vendors to build in better security. 

"Vendors should definitely be more serious about security, especially if they have such a big user base," Margaritelli said.

Until a fix is made available, he recommended users uninstall or disable AirDroid.


UPDATE: On Monday morning, Dec. 5, Betty Chen, chief marketing officer at AirDroid, Sand Studio, told SC Media that the company does plan to issue an update. 

"We are indeed working on the solution and it should be expected to start to roll out within next two weeks," Chen wrote in an emailed response.

"Due to the complexity of coding for a cross-screen management application like us, we require a complete sync systematic coding across clients and server to ensure best possible experience for our users during this transition time, as the amendment will not be fully compatible with the previous versions," Chen explained. 

She said she believes there was a miscommunication between AirDroid and Zimperium. "One of our developers was contacted by Zimperium in May and we did take an immediate reaction and start working on the best solution we can find to solve the possible issue. However, the date we gave out was the time we planned to release our mobile (AirDroid 4.0) with some related implementation, which caused the misunderstanding," Chen told SC Media.

The firm did publish a mobile update (AirDroid 4.0) late in November. "While we still need to wait for the optimization complete across clients before we can release the cross-clients encrypt solution, we carefully measure the feasibility on mobile client AirDroid 4.0, and it works perfectly!," she wrote.

"With this successful release, we will be able to proceed further with other system programming on other clients and server ends and looking at start to roll out the solution in two weeks."

Security is always on top of AirDroid's priorities, Chen said. "There is no way we would compromise the security of our users, but it did take our team some time to work on a better multi-clients solution as not many app have done quite so before."