AirDroid is an Android app that – according to the Play Store listing – millions of users have used in order to control their Android device from their computer, so long as they’re on the same local network. AirDroid allows users to send files to and from their phones, handy for those times when you can’t find a cable, and it also allows users to install, uninstall apps as well as send SMS messages from their computers – regardless of platform. It’s all pretty convenient, really, until we take into account the fact that researchers have found AirDroid to be fairly unsafe at the moment, thanks to a number of vulnerabilities.
Researchers from Zimperium have found that the way in which AirDroid communicates over the network is fairly unsafe. To authenticate and verify the device on the network, the app does use encrypted keys, using a DES method, but the code on the app side of things is coded into the app itself, which means that this code never changes and is easy to find out should an attacker look to take things into their own hands. The blog post – sourced below – goes on to describe how simple it would be to intercept the transmission over a local network to easily run custom code on a user’s phone. Considering that AirDroid offers up so many different features, it would be super-easy for an attacked to install a custom APK using this method, as well as intercept all kinds of other traffic, too. This is all down to the fact that AirDroid doesn’t secure all traffic over the network, which is something that would instantly turn a lot of users off no doubt.
While the source goes on to say that a user would have to use a MITM network attack, and thus have some sort of specialist knowledge, it doesn’t appear all that difficult to take advantage of a user running AirDroid on their network. The blog post has been updated a number of times, and it appears as though – at the time of writing – there is no fix for this, which means those using AirDroid should definitely stop using it, and uninstall it from their phone. After all, the convenience of such an app might be nice, but there’s no need to put your phone, your data and your peace of mind at risk for such a convenience.