The mobile security firm Zimperium has discovered major security issues in Airdroid, a popular Android app that lets you manage your mobile device wirelessly.
Airdroid Has Security Vulnerabilities
Airdroid is one of many apps that let Android users send text messages, transfer files and view notifications from their computer. According to the Google Play Store, Airdroid has around 50 million downloads, and the app has now been found to contain vulnerabilities that let an attacker on the same network read a user's account information and even execute code on the user's phone.
Zimperium informed Sand Studio, the developer behind Airdroid, of the vulnerabilities more than six months ago, and Sand Studio promised to fix the issues through patches in subsequent updates.
When Zimperium checked again later, the issues still existed in the latest version of the app.
How the App Makes You Vulnerable
The root of the problem is that Airdroid sends the data used to authorize the device over plain HTTP, in the same request it uses to report usage statistics. Anyone on the same network can observe that traffic, which lets an attacker turn the app's built-in functionality against other users of that network.
The request is encrypted, but the key is hardcoded into the application, so every copy of the app uses the same key. An attacker can extract the key from any Airdroid APK (application package), intercept the authentication request on the local network (a man-in-the-middle attack) and decrypt it, recovering private account information such as the email address and password associated with the victim's Airdroid account. Encrypting with a key that ships inside every install buys nothing against someone who has unpacked the APK: the only secret in such a scheme is the key, and the key is public.
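To make the hardcoded-key problem concrete, here is an added example written for this page; it is not Airdroid's code and is not taken from Zimperium's report. It is in Go as a stand-in for the Android client. The key value apk-embedded-key, the AES-GCM cipher, the JSON request layout and the sample credentials are all assumptions, since the page names none of them. The point does not depend on the cipher: whoever has read the key out of the APK decrypts every captured request, and only a wrong key fails.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Placeholder for the key compiled into the APK (assumed value, not AirDroid's).
// Every install carries the same bytes, so anyone who unpacks the APK has it too.
var hardcodedKey = []byte("apk-embedded-key") // 16 bytes: AES-128

// authRequest is a constructed stand-in for the data the app sends to authorize the device.
type authRequest struct {
	Email    string `json:"email"`
	Password string `json:"password"`
	DeviceID string `json:"device_id"`
}

// gcmFor builds the AEAD both sides use; the cipher choice is an assumption of this example.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWithKey encrypts plaintext under key; the random nonce is prepended to the ciphertext.
func sealWithKey(key, plaintext []byte) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openWithKey reverses sealWithKey; it fails unless key is the one used to seal.
func openWithKey(key, msg []byte) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize() {
		return nil, errors.New("captured message too short")
	}
	nonce, ct := msg[:aead.NonceSize()], msg[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// clientSendAuth models the app: it seals the account data with the shared key and
// hands the result to plain HTTP. The return value is what a sniffer on the same
// network captures.
func clientSendAuth(req authRequest) ([]byte, error) {
	plain, err := json.Marshal(req)
	if err != nil {
		return nil, err
	}
	return sealWithKey(hardcodedKey, plain)
}

// attackerDecrypt models the man-in-the-middle: given the captured bytes and the key
// pulled out of any copy of the APK, it recovers the account details.
func attackerDecrypt(captured, extractedKey []byte) (authRequest, error) {
	var req authRequest
	plain, err := openWithKey(extractedKey, captured)
	if err != nil {
		return req, err
	}
	err = json.Unmarshal(plain, &req)
	return req, err
}

func main() {
	wire, err := clientSendAuth(authRequest{Email: "victim@example.com", Password: "hunter2", DeviceID: "dev-1"})
	if err != nil {
		panic(err)
	}
	// The bytes on the wire look random, which is the false comfort a hardcoded key gives.
	fmt.Printf("captured %d bytes of ciphertext\n", len(wire))
	got, err := attackerDecrypt(wire, hardcodedKey)
	fmt.Printf("with the key from the APK: %+v (err=%v)\n", got, err)
	_, err = attackerDecrypt(wire, []byte("some-other-key00"))
	fmt.Println("with a different key:", err)
}
```

The attacker's function is the same decryption the app itself performs, which is the whole problem: a different cipher or a longer key changes nothing while the key ships in the APK. What denies a network attacker the plaintext is TLS with a validated server certificate, because the session key is then negotiated per connection rather than compiled into the binary.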
An attacker running a transparent proxy can also intercept the request Airdroid sends to check for add-on updates and swap in any APK they like. Airdroid then notifies the user of an add-on update, downloads the malicious APK and asks the user to approve the installation; a user who accepts has installed attacker-controlled code, leaving the device open to further attacks. The install prompt is not a real control here, since the user has no way to tell a genuine add-on from a substituted one. Both findings share a root cause: the app trusts whatever arrives over an unauthenticated HTTP channel. The practitioner's fix is to perform the update check and the download over TLS with the server certificate validated (pinned, ideally), and to verify the downloaded package against a signing key the app already trusts before the prompt is ever shown.
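The add-on substitution and the check that would stop it, as an added Go example written for this page (not Airdroid's code, and not from Zimperium's report). The update URL, the X-Addon-Signature header, the sample APK bytes and the in-process transport that stands in for a transparent proxy are all constructed for the example; the page does not describe the real update protocol. The hardened updater shows the check the page's narrative implies but does not spell out: verifying an Ed25519 signature over the package against a vendor key pinned in the app before the install prompt appears.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Assumed for this example (the page does not describe AirDroid's update protocol):
// the URL the app polls and the response header carrying the vendor's signature.
const updateURL = "http://updates.example.invalid/addon.apk"
const sigHeader = "X-Addon-Signature"

// Constructed sample payloads standing in for real APK files.
var legitAddonAPK = []byte("PK\x03\x04 genuine add-on (constructed sample)")
var maliciousAddonAPK = []byte("PK\x03\x04 attacker-supplied add-on (constructed sample)")

// addonHandler serves apk together with an Ed25519 signature over it made by priv.
func addonHandler(apk []byte, priv ed25519.PrivateKey) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set(sigHeader, hex.EncodeToString(ed25519.Sign(priv, apk)))
		w.Write(apk)
	})
}

// handlerTransport answers every request from one in-process handler, whatever URL the
// client asked for; backed by the attacker's handler it behaves like a transparent proxy.
type handlerTransport struct{ h http.Handler }

func (t handlerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	t.h.ServeHTTP(rec, req)
	return rec.Result(), nil
}

// vulnerableUpdate installs whatever the HTTP response carries.
func vulnerableUpdate(c *http.Client) ([]byte, error) {
	resp, err := c.Get(updateURL)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return io.ReadAll(resp.Body)
}

// hardenedUpdate accepts an add-on only if its signature verifies under the vendor
// public key pinned in the app, so a substituted APK never reaches the install prompt.
func hardenedUpdate(c *http.Client, pinnedPub ed25519.PublicKey) ([]byte, error) {
	resp, err := c.Get(updateURL)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	apk, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	sig, err := hex.DecodeString(resp.Header.Get(sigHeader))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return nil, errors.New("add-on update: missing or malformed signature")
	}
	if !ed25519.Verify(pinnedPub, apk, sig) {
		return nil, errors.New("add-on update: signature does not verify under the pinned vendor key")
	}
	return apk, nil
}

type scenarioResult struct {
	VulnerableInstalled []byte // what the unchecked updater accepts from the proxy
	HardenedInjectedErr error  // why the checked updater refuses the proxy's APK
	HardenedGenuine     []byte // what the checked updater accepts from the vendor
}

// runScenario runs both updaters against the vendor's server and against a proxy
// substituting the attacker's APK, which the attacker signs with a key of their own.
func runScenario() (scenarioResult, error) {
	var r scenarioResult
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, err2 := ed25519.GenerateKey(rand.Reader)
	if err != nil || err2 != nil {
		return r, errors.New("key generation failed")
	}
	genuine := &http.Client{Transport: handlerTransport{addonHandler(legitAddonAPK, vendorPriv)}}
	proxied := &http.Client{Transport: handlerTransport{addonHandler(maliciousAddonAPK, attackerPriv)}}
	if r.VulnerableInstalled, err = vulnerableUpdate(proxied); err != nil {
		return r, err
	}
	_, r.HardenedInjectedErr = hardenedUpdate(proxied, vendorPub)
	r.HardenedGenuine, err = hardenedUpdate(genuine, vendorPub)
	return r, err
}

func main() {
	r, err := runScenario()
	fmt.Printf("vulnerable updater installs %q\nhardened updater rejects proxied APK: %v\nhardened updater installs %q (setup error: %v)\n",
		r.VulnerableInstalled, r.HardenedInjectedErr, r.HardenedGenuine, err)
}
```

Signature verification is defense in depth, not a substitute for TLS: it stops a substituted package even when the transport is compromised, while validated TLS stops the substitution from happening at all. Note that the attacker's APK here is validly signed, just not by the pinned key; a check that only confirms "the package has a signature" would pass it.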