AirDroid, the popular Android desktop manager, has some pretty nasty security vulnerabilities according to a recent report. Unless you use it on a network you fully trust, you should probably disable or uninstall it until this is patched.


We’ve recommended AirDroid for a long time because it’s a handy way to access everything on your phone remotely when you’re at your desktop. However, according to mobile security company Zimperium, there are some unpatched vulnerabilities that would allow attackers on the same network as your phone and computer to hijack the communication between them. This man-in-the-middle attack could let someone steal the email address and password for your AirDroid account, or even run malicious code on your device. Attackers can also hijack the update mechanism and replace a new version of AirDroid with their own APK. In short, this is a massive security hole.

The only saving grace here is that the attacker has to be on your network to pull it off. If you live on a farm far from civilization and the only people who connect to your Wi-Fi network are you and your family, you’re probably safe. However, if you live in an apartment complex, or don’t have strong security on your network, you should probably stop using AirDroid until this is fixed. Remember, Wi-Fi networks are trivially easy to break into in most cases. Unless you can verify every person who’s in range of your network, you shouldn’t assume it’s 100% safe from something like this.


According to Zimperium, the developers of AirDroid were notified of this vulnerability on May 24th of 2016 and acknowledged it a few days later. AirDroid has not commented on why there hasn’t been a patch yet, but hopefully the public pressure will convince AirDroid to fix the flaw in their system. Until then, we can’t recommend using it.

Update: AirDroid has responded and says that a patch to address the issue will be rolled out within the next two weeks. You can read a full statement addressing the issue here.

Update 12/09: AirDroid says they’ve resolved the issue in the latest version, which is available now. If you’re an AirDroid user, grab the update at Google Play now. A representative at AirDroid notes, emphasis theirs:

The issue is fixed in the update

Along with other security improvements, we have upgraded the communication channels to https and improved the encryption method. Because of AirDroid’s cross-platform nature, it took us some time to design a customised solution and level up our security in all aspects. We introduced the restructured coding system into AirDroid 4.0 and AirDroid 4.0.0.1 late in November to make sure the compatibility works fine across platforms. After a careful assessment, we started to roll out this update partially earlier this month across clients to make sure communication is performed smoothly. Now we can finally release this update fully to fix the issue raised as well as make sure our users are better protected.

We will keep improving

However, we never only scratch the surface when it comes to security. As we are well aware of the evolution speed of cyber attacks, we will keep working on the existing project to improve AirDroid for our users to better protect them from future possible threats. After all, it is always AirDroid’s first priority to look ahead to the rigorousness of cyber security, further refine AirDroid’s functionality for our users and delight their multi-screen lives.


Analysis of multiple vulnerabilities in AirDroid | Zimperium via Android Police