AirDroid is one of the treasures of the Android world, a product of the platform’s more open nature. In a nutshell, it allowed Android users to control their devices from a web browser, to send or read messages, manage files, or even mirror the device’s screen. That power, however, has apparently come at a price. Although AirDroid has existed for years now, it was only earlier this year that mobile security researchers at Zimperium discovered some rather serious security holes in its implementation, potentially giving hackers nearly limitless access to the owner’s information and device.
At the heart of the matter is AirDroid’s rather lax security implementation in communicating with its servers both to authenticate users as well as in checking for updates. When it does so, it sends an encrypted packet containing the user’s e-mail address and password. However, the encryption keys are hardcoded into the app and is the same for all installs of AirDroid. This means that even the greenest of hackers will be able to extract that key to decrypt that information and gain access to the user’s authentication details. Given how users often reuse passwords, that’s pretty much a skeleton key to the user’s digital life.
Even worse is the fact that hackers can dupe AirDroid’s own app to get users to install malicious apps. Hackers can use a common Man In The Middle attack when the app checks for updates from the server. It will masquerade as an update but inject a malicious APK instead. AirDroid will notify the user of an update which the unsuspecting user then installs, trusting AirDroid.
The developers at AirDroid responded with a now much criticized blog post, both explaining the matter and seemingly downplaying its implications. They reassure users that the exploits can really only happen when connecting to a public network. Private home networks are safe, but that’s only by virtue of the fact that there isn’t anyone else connected to that network. At least none that you might know of.
AirDroid also promises a fix is on the way soon, but that would actually be a second fix. Zimperium reported the vulnerability to AirDroid back in May and got a promise to get it fixed. Supposedly, that took place with the launch of AirDroid 4.0. Sadly, that isn’t the case, prompting Zimperium to go public with the issue. A real fix hasn’t been made available yet.
Many of AirDroid’s users have called for a boycott of the app, though, sadly, there doesn’t seem to be an alternative that can replace it all in one app or service. PushBullet and Joaomgcd’s Join, for example, can only do notifications and messaging while Koushik “Koush” Dutta’s Vysor does remote screen mirroring and control. Neither, however, can do all at the same time.