AirDroid Hole Affects Android Users

Monday, December 5, 2016 @ 01:12 PM gHale

AirDroid, a remote management tool for Android, is vulnerable to man-in-the-middle (MitM) attacks that could lead to data theft.

Attacks can occur when users find themselves on the same unsecured network as the attacker, said researchers at security provider Zimperium. AirDroid has an estimated user base of over 50 million devices, according to the Google Play Store.


“AirDroid relies on secure HTTPS API endpoints for most of its functionalities, but during our analysis we’ve found that other insecure channels are used for specific tasks,” said Simone Margaritelli, security researcher at Zimperium zLabs in a blog post.

The app sends usage statistics to the developers’ servers over plain HTTP, protecting the data with only a minimal layer of security: the symmetric encryption scheme DES.

“A malicious party could perform a MitM network attack and grab the device authentication information (…) from the very first HTTP request the application performs,” Margaritelli said.

“This HTTP request can be decrypted at runtime using the 890jklms key hardcoded inside the application and the authentication fields parsed from the resulting JSON. Having this information, the attacker can now impersonate the victim’s device and perform various HTTP or HTTPS requests on its behalf to the AirDroid API endpoints.”

In addition to this, the attackers could also redirect and modify the HTTP traffic sent and received by the device when it checks for updates, and plant a malicious update for it to use. The app does not verify if the served update is legitimate.
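The two weaknesses described above share a root cause: a symmetric cipher with a key embedded in the app can hide data from a casual observer, but it cannot prove who produced a message, so neither the statistics channel nor the update channel gives the client any way to reject forged content. The added example below (written for this article, not code from AirDroid or Zimperium) shows what a client-side update check looks like when authenticity is enforced: the publisher signs a small manifest with an Ed25519 key, the client verifies the signature against a pinned public key, binds the downloaded binary to the manifest through its SHA-256 digest, and refuses versions that are not newer than the one installed. The key pair, the `Manifest` layout and the sample payload are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the only object the publisher signs. The update binary is
// bound to it through its SHA-256 digest, so a tampered binary fails the
// digest check and a tampered manifest fails the signature check.
// (Hypothetical layout, constructed for this example.)
type Manifest struct {
	Version int    `json:"version"`
	SHA256  string `json:"sha256"`
}

// VerifyUpdate accepts an update only if:
//  1. the manifest carries a valid Ed25519 signature from the pinned key,
//  2. the payload's SHA-256 matches the digest in that signed manifest, and
//  3. the version is newer than the installed one (blocks rollback to a
//     known-bad release that still carries a valid signature).
func VerifyUpdate(pub ed25519.PublicKey, manifestJSON, sig, payload []byte, installed int) (*Manifest, error) {
	// ed25519.Verify panics on malformed inputs; validate sizes first.
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return nil, errors.New("malformed public key or signature")
	}
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return nil, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("manifest parse: %w", err)
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, errors.New("payload digest does not match signed manifest")
	}
	if m.Version <= installed {
		return nil, fmt.Errorf("version %d is not newer than installed %d", m.Version, installed)
	}
	return &m, nil
}

// SignUpdate is the publisher side; in practice it runs on the build
// server and the private key never ships inside the app.
func SignUpdate(priv ed25519.PrivateKey, version int, payload []byte) (manifestJSON, sig []byte, err error) {
	sum := sha256.Sum256(payload)
	manifestJSON, err = json.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

func main() {
	// Constructed key pair and payload; a real client pins the public key
	// at build time instead of generating it here.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed sample update payload")
	manifest, sig, err := SignUpdate(priv, 2, payload)
	if err != nil {
		panic(err)
	}

	if m, err := VerifyUpdate(pub, manifest, sig, payload, 1); err == nil {
		fmt.Println("genuine update accepted, version", m.Version)
	}

	// A payload altered in transit is rejected even though the manifest
	// and signature are untouched.
	tampered := append([]byte{}, payload...)
	tampered[0] ^= 0xff
	if _, err := VerifyUpdate(pub, manifest, sig, tampered, 1); err != nil {
		fmt.Println("tampered payload rejected:", err)
	}

	// An older signed release cannot be replayed over a newer install.
	if _, err := VerifyUpdate(pub, manifest, sig, payload, 2); err != nil {
		fmt.Println("rollback rejected:", err)
	}
}
```

The digest in the manifest is what makes the signature cover the binary without signing megabytes of data, and the version comparison is what stops an on-path attacker from serving an old, still-signed release. Transport security (HTTPS with a pinned certificate) remains necessary for confidentiality, but the signature check is what prevents a forged update from being installed when the transport is compromised.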

Zimperium notified the app’s developers of these vulnerabilities, and although the developers acknowledged the findings, newer versions of the app remain vulnerable.

This failure to secure the app prompted the researchers to publish their findings, along with PoC modules that demonstrate the information leak and the remote code execution flaw.

The researchers advise users to uninstall or disable AirDroid until a fix for these issues is available.
