Being able to reach your phone or computer remotely is genuinely useful, so it is no surprise that apps built around this feature have become very popular. In some cases, though, real risks hide behind that convenience.
Zimperium, a mobile security company, has disclosed a number of serious security issues in Airdroid, a remote access and management tool for Android with more than 20 million downloads. Sand Studio, the team behind Airdroid, was notified by Zimperium more than six months ago and promised to fix the problems in the 4.0 release of the app, which shipped last month. Zimperium later found that every issue was still present in version 4.0, so it decided to make its findings public today.
Zimperium's findings show how an attacker on the same network as the victim (a shared Wi-Fi hotspot, for instance) can turn the app's own features against the user. Airdroid sends its device-authorization request and its usage statistics over the same encrypted HTTP channel, but the encryption key is hardcoded into the application, so every installation in the world uses the identical key. Anyone who unpacks the app has that key, which makes the encryption useless against a man-in-the-middle: an attacker who intercepts the authorization request can decrypt it and read the private account details it carries, including the e-mail address and password of the Airdroid account. The same key lets the attacker forge traffic in the other direction. By impersonating the server and sending a message that tells the app a software update is required, the attacker can have the app prompt the user to install an APK of the attacker's choosing, since the app cannot tell a genuine update notice from a forged one.
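To make the two failure modes concrete, here is an added Go model of the design flaw. It is not Airdroid's code, and the key value, cipher (AES-GCM) and message formats are stand-ins chosen for the example; the article does not say which cipher the app uses. The first half shows what any holder of a key compiled into the app can do: decrypt a captured login request and forge an update notice that a client accepting "anything I can decrypt" will trust. The second half shows the usual fix for the update path: the vendor signs update notices with a private key that never ships in the app, and the client only pins the public key, so extracting the app no longer lets an attacker forge updates.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// HardcodedKey stands in for a symmetric key compiled into every copy of a
// client app. The value is invented for this example; anyone who unpacks the
// app has it, so it is effectively public.
var HardcodedKey = []byte("example-key-shared-by-every-copy") // 32 bytes, AES-256

// AuthRequest models the account-authorization request the client sends.
type AuthRequest struct {
	Email    string `json:"email"`
	Password string `json:"password"`
}

// UpdateNotice models a server message telling the client to fetch a new APK.
type UpdateNotice struct {
	Version string `json:"version"`
	URL     string `json:"url"`
}

// EncryptJSON serialises v and seals it with AES-256-GCM under key, nonce
// prepended. Note: anyone holding key can both read and produce such messages.
func EncryptJSON(key []byte, v interface{}) ([]byte, error) {
	plain, err := json.Marshal(v)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// DecryptJSON reverses EncryptJSON into v.
func DecryptJSON(key, box []byte, v interface{}) error {
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	if len(box) < gcm.NonceSize() {
		return fmt.Errorf("message too short")
	}
	plain, err := gcm.Open(nil, box[:gcm.NonceSize()], box[gcm.NonceSize():], nil)
	if err != nil {
		return err
	}
	return json.Unmarshal(plain, v)
}

// RecoverCredentials is the attacker's side of the first issue: a request
// captured on the local network is decrypted with the key pulled from the app.
func RecoverCredentials(captured []byte) (AuthRequest, error) {
	var req AuthRequest
	err := DecryptJSON(HardcodedKey, captured, &req)
	return req, err
}

// ForgeUpdateNotice is the attacker's side of the second issue: with the same
// key, a notice pointing at an attacker-chosen APK looks exactly like a real one.
func ForgeUpdateNotice(url string) ([]byte, error) {
	return EncryptJSON(HardcodedKey, UpdateNotice{Version: "9.9.9", URL: url})
}

// VulnerableClientAccepts models a client that trusts any notice it can
// decrypt. Decryptability proves nothing when the key is public.
func VulnerableClientAccepts(box []byte) (UpdateNotice, bool) {
	var n UpdateNotice
	if err := DecryptJSON(HardcodedKey, box, &n); err != nil {
		return UpdateNotice{}, false
	}
	return n, true
}

// SignNotice is the hardened vendor side: the notice is signed with an Ed25519
// private key that never ships in the app. Output is signature || JSON.
func SignNotice(priv ed25519.PrivateKey, n UpdateNotice) ([]byte, error) {
	msg, err := json.Marshal(n)
	if err != nil {
		return nil, err
	}
	return append(ed25519.Sign(priv, msg), msg...), nil
}

// HardenedClientAccepts pins only the vendor's public key; a full copy of the
// app gives an attacker nothing that lets them produce an accepted notice.
func HardenedClientAccepts(pub ed25519.PublicKey, signed []byte) (UpdateNotice, bool) {
	if len(signed) < ed25519.SignatureSize {
		return UpdateNotice{}, false
	}
	sig, msg := signed[:ed25519.SignatureSize], signed[ed25519.SignatureSize:]
	if !ed25519.Verify(pub, msg, sig) {
		return UpdateNotice{}, false
	}
	var n UpdateNotice
	if err := json.Unmarshal(msg, &n); err != nil {
		return UpdateNotice{}, false
	}
	return n, true
}

func main() {
	// Constructed traffic: a login request exactly as the model client sends it.
	captured, _ := EncryptJSON(HardcodedKey, AuthRequest{"user@example.com", "correct horse"})
	creds, _ := RecoverCredentials(captured)
	fmt.Printf("attacker recovered: %s / %s\n", creds.Email, creds.Password)
	forged, _ := ForgeUpdateNotice("http://attacker.example/evil.apk")
	n, ok := VulnerableClientAccepts(forged)
	fmt.Printf("vulnerable client accepts forged update: %v (%s)\n", ok, n.URL)
	pub, priv, _ := ed25519.GenerateKey(nil)
	_, attackerPriv, _ := ed25519.GenerateKey(nil)
	fake, _ := SignNotice(attackerPriv, UpdateNotice{"9.9.9", "http://attacker.example/evil.apk"})
	_, ok = HardenedClientAccepts(pub, fake)
	fmt.Printf("hardened client accepts forged update: %v\n", ok)
	genuine, _ := SignNotice(priv, UpdateNotice{"4.1", "https://vendor.example/app.apk"})
	_, ok = HardenedClientAccepts(pub, genuine)
	fmt.Printf("hardened client accepts genuine update: %v\n", ok)
}
```

The point of the hardened half is where the secret lives: a symmetric key (or a MAC key) inside the app is extractable by definition, so authenticity of anything the server sends has to rest on a key the app does not contain. Signing update notices is one such fix; delivering them only over TLS with a pinned server certificate is the other, and in practice both together.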
It is disappointing to see a developer ship a major release with known, reported flaws left in place. While we all hope to see these issues fixed in the next update, until that happens it is advisable to stop using the app, or at least to avoid using it on networks you do not control, since every attack described here requires the attacker to share a network with you.
source: Zimperium via Android Police