Slashdot Mirror

← Back to Stories (view on slashdot.org)

Multiple Vulnerabilities In AirDroid Opens At Least 10 Million Android Users To MITM Attacks, Hijackings (androidpolice.com)

Posted by BeauHD on from the man-in-the-middle dept.

AirDroid is a popular Android application that allows users to send and receive text messages and transfer files and see notifications from their computer. Zimperium, a mobile security company, recently released details of several major security vulnerabilities in the application, allowing attackers on the same network to access user information and execute code on a user's device. Since there are between 10 and 50 million installations of the app, many users may be imperiled by AirDroid. Android Police reports: The security issues are mainly due to AirDroid using the same HTTP request to authorize the device and send usage statistics. The request is encrypted, but uses a hardcoded key in the AirDroid application (so essentially, everyone using AirDroid has the same key). Attackers on the same network an intercept the authentication request (commonly known as a Man-in-the-middle attack) using the key extracted from any AirDroid APK to retrieve private account information. This includes the email address and password associated with the AirDroid account. Attackers using a transparent proxy can intercept the network request AirDroid sends to check for add-on updates, and inject any APK they want. AirDroid would then notify the user of an add-on update, then download the malicious APK and ask the user to accept the installation. Zimperium notified AirDroid of these security flaws on May 24, and a few days later, AirDroid acknowledged the problem. Zimperium continued to follow up until AirDroid informed them of the upcoming 4.0 release, which was made available last month. Zimperium later discovered that version 4.0 still had all these same issues, and finally went public with the security vulnerabilities today.

14 of 30 comments (clear)

  1. KDE connect doesn't suffer from this by NotInHere · · Score: 4, Informative

    If you are a KDE user, you might want to try KDE connect. It uses TLS and therefore shouldn't have that particular vulnerability:https://albertvaka.wordpress.com/2016/08/26/kde-connect-1-0-is-here/

  2. Re:I never got the hang of this "app" stuff. by unixisc · · Score: 1

    You are just talking file transfers and messaging, but there are a wide variety of other apps. Be it banking apps, which among other things allow you to deposit a check, or video calling apps, or VOIP apps, barcode reader apps or things like Uber and AirBnB.

  3. What is KDE Connect? by drainbramage · · Score: 2

    Been using KDE for years, had not heard of KDE Connect. So thank you!
    Per their site https://community.kde.org/KDEC...
    KDE Connect is a project that aims to communicate all your devices. For example, with KDE Connect you can receive your phone notifications on your computer, or just use your phone as a remote control for your desktop. To achieve this, KDE Connect implements a secure communication protocol over the network, and allows any developer to create plugins on top of it. Currently there are KDE Connect clients on KDE, Android and Blackberry, and soon we will support iPhone as well.

    --
    No brain, no pain.
    1. Re:What is KDE Connect? by esperto · · Score: 1

      KDE connect to me was very useful when my HTPC keyboard died, I used my Nexus 10 as a keyboard/remote control.
      It also integrates with amarok so you can control the music, shows messages as notifications on the desktop and can even transfer files (although this works only sometimes with me).

    2. Re: What is KDE Connect? by BronsCon · · Score: 1

      When you mount as a regular flash drive, the disk must first be unmounted by the phone; Android used to have it as an option (and some manufacturers hack it back into their ROMs), but it does necessitate closing any apps which are currently running off the disk and does prevent any apps which are using that disk from continuing to do so until you unmount it from your computer.

      Yes, this does affect Blackberry as well. You simply can not have two devices directly accessing the same filesystem on the same disk; at least, not with any filesystem supported natively by Windows or OS X. It has certainly affected every Blackberry I ever owned; and I've been using them since long before they included a built-in SMB server.

      Additionally, as most Android phones now use EXT-based filesystems (most commonly EXT4, but also often EXT2), your typical Windows PC or Mac wouldn't be able to mount them anyway.

      MTP gets around both of those issues; though it does bring about its own flavor of suck, so I don't use it. I do, however, run an SMB server when I need to sync files.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  4. Linux alternatives by Nunya666 · · Score: 1

    For notifications, try linconnect: https://github.com/hauckwill/l...

    For file transfers, try DavDrive Lite: https://play.google.com/store/...

    Although DavDrive says it is only supported on Ubuntu, I have used it on several rpm-based distros.

  5. Re:I never got the hang of this "app" stuff. by peragrin · · Score: 1

    On my iPhone I use an app called file explorer. When I launch the app I can then activates an https WebDAV server that allows downloading of iPhone image and music files. Primarily I use it as a quick way to upload images from my phone to my work without having a regular connection. At home I have Dropbox intergration on both my laptop and NAS.

    On a byod environment you need to shuffle files and may not always have a USB drive on you

    --
    i thought once I was found, but it was only a dream.
  6. Re: I never got the hang of this "app" stuff. by MrNaz · · Score: 1

    They're not useful unless you leave your basement. Then things like airport flightboard feeds, using your phone's NFC as a tap and pay debit card, and providing users with remote support from any android device becomes useful.

    --
    I hate printers.
  7. Re:it's a phone by gweilo8888 · · Score: 1

    I'm sure you're still railing against the horse and cart too, never mind these new-fangled automobillies, right?

  8. Re: I never got the hang of this "app" stuff. by BronsCon · · Score: 1

    Why, yes, every time you have food delivered to your mother's basement, you are also a surveillance victim. Oh, and if you think Mom isn't rummaging through your shit while you sleep, you're fooling yourself. She knows all about your hentai collections, it disgusts her, and she hasn't decided whether or not she should bring it up.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  9. Re:Another day another android vulnerability by BronsCon · · Score: 2

    You do realize that AirDroid it an app, right? As in, not part of Android, but something a third party wrote that some people install, not something that comes bundled as part of the OS. To clarify, it's not Android. Care to try that again?

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  10. Re:Network vs AirDroid... by WillyWanker · · Score: 1

    Exactly the first thought that crossed my mind. I'm so sick of all these stupid the-sky-is-falling "security alerts" that essentially require the attacker to be sitting next to you at the computer.

    NO ONE CARES. JUST STOP.

  11. Re: I never got the hang of this "app" stuff. by BronsCon · · Score: 1

    At least you know who your daddy is, Son. Usually, you dumb kids take a while longer to learn who your superiors are.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  12. Re: I never got the hang of this "app" stuff. by BronsCon · · Score: 1

    Quite often, that's how adoption works, don'cha know?

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.