Poor implementation of encryption in a popular Android remote management application exposes millions of users to data theft and remote code execution attacks.
According to researchers from mobile security firm Zimperium, the AirDroid screen sharing and remote control application sends authentication information encrypted with a hard-coded key. This information could allow man-in-the-middle attackers to push out malicious AirDroid add-on updates, which would then gain the permissions of the app itself.
AirDroid has access to a device's contacts, location information, text messages, photos, call logs, dialer, camera, microphone and the contents of the SD card. It can also perform in-app purchases, change system settings, disable the screen lock, change network connectivity and much more.
The app, developed by an outfit called Sand Studio, has been in the Google Play store since 2011 and, according to its developers, has more than 20 million downloads.
While AirDroid uses encrypted HTTPS connections for most of its features, some functionality sends data to remote servers over plain HTTP, the Zimperium researchers said in a blog post. The developers attempted to secure this data using the Data Encryption Standard (DES), but the encryption key is static and hard-coded into the application itself, meaning that anyone can retrieve it, the researchers said.
One vulnerable feature involves the collection of statistics, which are sent by the app to a server using DES-encrypted JSON payloads. These payloads include identifiers such as the account_id, androidid, device_id, IMEI, IMSI, logic_key and unique_id.
A hacker in a position to intercept user traffic on a network could sniff AirDroid requests to the statistics-gathering server and use the hard-coded encryption key to decrypt the JSON payload. The account- and device-identifying information inside can then be used to impersonate the device to other servers accessed by the app.
"Having this information, the attacker can now impersonate the victim’s device and perform various HTTP or HTTPS requests on its behalf to the AirDroid API endpoints," the Zimperium researchers said.
For example, a man-in-the-middle attacker could redirect requests to the server used to check for AirDroid plug-in updates and then inject a fake update into the response. The user would be notified that an update is available and would likely install it, giving the malicious code access to AirDroid's permissions.
The Zimperium researchers claim that they notified the AirDroid developers about the problem in May and were informed in September about an upcoming update. New versions of AirDroid, 4.0.0 and 4.0.1, were released in November, but they're still vulnerable, according to Zimperium, so the researchers decided to make the vulnerability public.
An update that will fix this issue is expected to start rolling out within the next two weeks, said Betty Chen, chief marketing officer of Sand Studio, via email. The "boutique" development team needed time to develop the solution and synchronize the code of all its clients for different platforms and servers before starting to deploy the new encryption solution, which is not compatible with previous versions, she said.
There was some miscommunication, as the date the company gave out to Zimperium was for the release of AirDroid 4.0, which makes some related changes, but not the actual fix.
This is not the first time a serious vulnerability has been found in AirDroid. In April 2015, a researcher found that he could take over an Android device with AirDroid installed by simply sending a malicious link to the user via SMS. In February, researchers from Check Point found a way to exploit AirDroid to steal data from devices via maliciously crafted contact cards (vCards).
The Zimperium researchers recommend disabling or uninstalling the app until a fix for the latest issue is made available.