AirDroid - Multiple Vulnerabilities

Product: AirDroid
Severity: Medium
CVE Reference: None
Type: Weak Cryptography

Description

AirDroid is an Android device management software that allows users to perform various tasks on their Android devices from desktop and web clients. Some of the features include the ability to upload and download files from and to the device, remotely send texts, access photos and even mirror the device’s display.

It was discovered that the AirDroid Android application contains multiple vulnerabilities that could allow an attacker to gain access to a user's device. The application uses weak encryption to protect the file paths used by AirDroid's download functionality, as well as sensitive user data sent to and from the device. Additionally, the application sends many requests over plain HTTP, and these requests contain the information needed to gain access to a user's device.

Impact

An attacker positioned on the same wireless network as an AirDroid user could issue AirDroid commands to the device. Due to the extensive privileges the AirDroid application requests upon install, an attacker could gain access to the user’s personal data, upload and download files to and from the device, read chat logs and much more.

Cause

Data in transit is not encrypted by default on local networks, and the encryption used to protect AirDroid commands and sensitive user data sent between the device and the AirDroid client is weakly implemented.

Interim Workaround

MWR recommends only using the AirDroid application on trusted networks. Additionally, users should connect via the HTTPS service when using the AirDroid application with devices on the local network. This can be accomplished by using the encrypted Lite Mode authentication page, reached by browsing to the Android device's IP address over HTTPS on port 8890. An example is as follows:

https://192.168.1.6:8890

Users could also connect remotely over their device's mobile data connection. This provides HTTPS protection for all sensitive data sent between the user's device and the web client.

Solution

The vendor has provided the following patch information:

• Upgrade to AirDroid version 4.0.0.4

Technical Details

Please refer to the attached advisory above.

Detailed Timeline

Date (DD/MM/YYYY)  Summary
05/09/2016         Issue reported to vendor.
12/09/2016         Contacted vendor for update. Vendor stated finding was still being verified.
30/09/2016         Attempted contact with vendor.
04/10/2016         Vendor verified vulnerability. Indicated patch was being developed.
28/11/2016         AirDroid 4.0.0.0 tested and verified as vulnerable.
02/12/2016         AirDroid 4.0.0.1 tested and verified as vulnerable.
22/12/2016         AirDroid 4.0.0.4 tested and verified as patched.
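The Solution section and the timeline together give the versions that matter: 4.0.0.0 and 4.0.0.1 were verified vulnerable, 4.0.0.4 verified patched. The following added example (not part of the advisory or of AirDroid) turns that into a fleet check for an administrator who collects `adb shell dumpsys package` output from managed devices; the AirDroid package name `com.sand.airdroid` and the dumpsys sample are assumptions, and it follows the vendor's guidance in treating every version below 4.0.0.4 as unpatched.

```python
import re

# Release in which the vendor's fix shipped, per the advisory.
FIXED_VERSION = "4.0.0.4"
# Assumed AirDroid package name (not stated in the advisory); confirm it on the device:
#   adb shell dumpsys package com.sand.airdroid
AIRDROID_PACKAGE = "com.sand.airdroid"


def parse_version(version: str) -> list:
    """'4.0.0.4' or '4.0.0.4-beta' -> [4, 0, 0, 4]; non-numeric suffixes are dropped."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return parts


def is_vulnerable(version: str) -> bool:
    """True when the installed version is below the fixed release.

    The advisory verified 4.0.0.0 and 4.0.0.1 as vulnerable and 4.0.0.4 as patched;
    following the vendor's advice, anything below 4.0.0.4 is treated as unpatched.
    """
    installed, fixed = parse_version(version), parse_version(FIXED_VERSION)
    width = max(len(installed), len(fixed))
    installed += [0] * (width - len(installed))  # pad so '4.1' compares as '4.1.0.0'
    fixed += [0] * (width - len(fixed))
    return installed < fixed


def version_from_dumpsys(dumpsys_output: str) -> "str | None":
    """Pull versionName out of `adb shell dumpsys package <pkg>` output."""
    m = re.search(r"^\s*versionName=(\S+)", dumpsys_output, re.MULTILINE)
    return m.group(1) if m else None


def audit(dumpsys_output: str) -> str:
    """One-line verdict for a single device's dumpsys output."""
    version = version_from_dumpsys(dumpsys_output)
    if version is None:
        return f"{AIRDROID_PACKAGE} not installed"
    state = "VULNERABLE" if is_vulnerable(version) else "patched"
    return f"AirDroid {version}: {state} (fixed in {FIXED_VERSION})"


# Constructed sample of the relevant dumpsys lines, not captured from a real device.
SAMPLE_DUMPSYS = """  Package [com.sand.airdroid] (1a2b3c4):
    versionName=4.0.0.1
"""
```

Feed `audit()` the real dumpsys output for each device; it reports "patched" only for 4.0.0.4 and later.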