AirDroid is an Android device management software that allows users to perform various tasks on their Android devices from desktop and web clients. Some of the features include the ability to upload and download files from and to the device, remotely send texts, access photos and even mirror the device’s display.
It was discovered that the AirDroid Android application contains multiple vulnerabilities that could allow an attacker to gain access to a user's device. The application uses weak encryption to protect the file paths used by AirDroid's download functionality, as well as sensitive user data sent to and from the device. Additionally, the application sends many requests over plain HTTP, and these requests carry the information needed to gain access to a user's device.
An attacker positioned on the same wireless network as an AirDroid user could issue AirDroid commands to the device. Due to the extensive privileges the AirDroid application requests upon install, an attacker could gain access to the user’s personal data, upload and download files to and from the device, read chat logs and much more.
The root cause is twofold: data in transit on local networks is not encrypted by default, and the encryption that is used to protect AirDroid commands and sensitive user data sent between the device and the AirDroid client relies on a weak cryptographic implementation.
MWR recommends only using the AirDroid application on trusted networks. Additionally, users should connect via the HTTPS service when using the AirDroid application with devices on the local network. This can be accomplished by browsing to the encrypted Lite Mode authentication page at the Android device's IP address over HTTPS on port 8890. An example is as follows:
Users could also connect over their device’s mobile connection and connect remotely. This provides HTTPS protection for all sensitive data sent between the user’s device and the web client.
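As an added illustration of the mitigation above (not part of MWR's advisory or of AirDroid's own code), the following Python helper builds the HTTPS Lite Mode URL for a device, rejects any URL that would fall back to plain HTTP or a different port, and offers a small probe that confirms the device actually answers a TLS handshake on port 8890 before the user trusts the connection. The port number comes from the advisory; the sample addresses are constructed from the 192.0.2.0/24 documentation range, and the function names are this example's own.

```python
import socket
import ssl
from typing import Optional
from urllib.parse import urlsplit

# Port of AirDroid's encrypted Lite Mode service, as stated in the advisory.
AIRDROID_HTTPS_PORT = 8890


def lite_mode_url(device_ip: str) -> str:
    """Build the HTTPS Lite Mode URL for the device at the given LAN address."""
    return f"https://{device_ip}:{AIRDROID_HTTPS_PORT}/"


def is_protected_url(url: str) -> bool:
    """Return True only if the URL uses HTTPS and the Lite Mode port.

    Any http:// URL, or an https:// URL on another port (including the
    implicit default of 443), is treated as unprotected, because it is not
    the encrypted endpoint the advisory recommends.
    """
    parts = urlsplit(url)
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    return parts.scheme == "https" and port == AIRDROID_HTTPS_PORT


def probe_tls(host: str, port: int = AIRDROID_HTTPS_PORT,
              timeout: float = 3.0) -> Optional[str]:
    """Attempt a TLS handshake with the device; return the negotiated TLS
    version, or None if the port is closed, unreachable, or not speaking TLS.

    The device presents a certificate the client has no trust anchor for, so
    this probe deliberately does not validate it: the only question answered
    here is whether the port offers TLS at all. It is a reachability check,
    not a substitute for verifying the certificate in the browser.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (OSError, ssl.SSLError):
        return None


if __name__ == "__main__":
    # Constructed example address; replace with the device's real LAN IP.
    device = "192.0.2.10"
    url = lite_mode_url(device)
    print("Use:", url, "protected:", is_protected_url(url))
    print("Plain HTTP accepted:", is_protected_url(f"http://{device}:8890/"))
    print("TLS on 8890:", probe_tls(device, timeout=1.0))
```

`is_protected_url` is the check to apply to any bookmark or link before using it on an untrusted network; `probe_tls` is for confirming from a laptop on the same LAN that the device really exposes the encrypted service before relying on it.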
The vendor has provided the following patch information:
Please refer to the attached advisory above.
| Date | Event |
|---|---|
| 05/09/2016 | Issue reported to vendor. |
| 12/09/2016 | Contacted vendor for update. Vendor stated finding was still being verified. |
| 30/09/2016 | Attempted contact with vendor. |
| 04/10/2016 | Vendor verified vulnerability. Indicated patch was being developed. |
| 28/11/2016 | AirDroid 220.127.116.11 tested and verified as vulnerable. |
| 02/12/2016 | AirDroid 18.104.22.168 tested and verified as vulnerable. |
| 22/12/2016 | AirDroid 22.214.171.124 tested and verified as patched. |