Anyone who uses the remote-maintenance app AirDroid on an Android device in a public WLAN, for example, can open the door to attackers.

A dangerous vulnerability gapes in the update process of the Android app AirDroid, security researchers at Zimperium warn. According to Google Play, the app is installed on at least 10 million devices.

For an attack to succeed, however, the attacker must be on the same local network as the targeted victim. If that is the case, he can under certain circumstances deceive the victim and hijack the Android device. The vulnerability also lets attackers read out information such as the IMEI and IMSI.

That is dangerous, of course. However, anyone who uses AirDroid only in networks whose participants are known should be on the safe side. The AirDroid developers have known about the problem since May, the security researchers explain. Two new versions were released at the end of November, but according to Zimperium the vulnerability is still present in the current version 4.0.1.

According to the security researchers, AirDroid communicates mostly encrypted via HTTPS. In some situations, however, the app encrypts data with the Data Encryption Standard (DES), which has long been considered insecure, and sends it via HTTP. The key length of DES is only 56 bits.

Attackers do not even need to crack the key, because it is hard-coded in AirDroid and, what is more, static. According to Zimperium, the key can be read out comparatively easily.

Security tips

Through the compromised update process, attackers could slip in fake updates and gain higher privileges on the smartphone, the security researchers warn. Slipping in fake updates should work because AirDroid does not check who created an update and installs it immediately.

Zimperium gives the AirDroid developers a few more security tips: they recommend using HTTPS consistently. Public key pinning can help to prevent man-in-the-middle attacks. For a secure key exchange they recommend Diffie-Hellman. In addition, a signature check should take place before an update is installed.
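As an added illustration of that last recommendation (example code, not code from AirDroid or Zimperium), the following Go program shows an update client that refuses any package whose signature does not verify against the vendor's known public key. The Update structure, the digest layout and the constructed payload are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is a hypothetical update package as received by the client.
type Update struct {
	Version   string
	Payload   []byte
	Signature []byte // ed25519 signature over updateDigest(Version, Payload)
}

var ErrBadSignature = errors.New("update rejected: signature missing or invalid")

// GenerateKeys creates the vendor's signing key pair (done once, offline).
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// updateDigest binds version and payload together so neither can be swapped.
func updateDigest(version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0}) // separator: keeps the version/payload boundary unambiguous
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate runs on the vendor side; the private key never reaches the client.
func SignUpdate(priv ed25519.PrivateKey, version string, payload []byte) Update {
	sig := ed25519.Sign(priv, updateDigest(version, payload))
	return Update{Version: version, Payload: payload, Signature: sig}
}

// VerifyUpdate is the client-side check that must pass before anything is installed.
func VerifyUpdate(pub ed25519.PublicKey, u Update) error {
	if len(u.Signature) != ed25519.SignatureSize {
		return ErrBadSignature // unsigned or malformed: never install
	}
	if !ed25519.Verify(pub, updateDigest(u.Version, u.Payload), u.Signature) {
		return ErrBadSignature // tampered payload or unknown signer
	}
	return nil
}

func main() {
	pub, priv, _ := GenerateKeys()
	u := SignUpdate(priv, "example-1", []byte("constructed update payload"))
	fmt.Println("genuine update:", VerifyUpdate(pub, u))
	u.Payload = append(u.Payload, '!') // simulate modification in transit
	fmt.Println("modified update:", VerifyUpdate(pub, u))
}
```

The public key is pinned in the client; a package that arrives unsigned, modified, or signed by anyone else fails VerifyUpdate and is discarded.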