FORUMS
Remove All Ads from XDA

Serious, unpatched vulnerabilities

1 posts
Thanks Meter: 5
 
By Mirwin0, Junior Member on 22nd April 2017, 08:20 AM
Post Reply Email Thread
Before I begin, I'm not here to flame tbe devs as I would love this app if these issues weren't present and do hope this problem is resolved as a result of bringing it to the attention of the community and hopefully this app's devs.

This application has serious vulnerabilities, some of which should be quite easily patched yet have not been for months to a year or so of them having been made public by a reputable security researcher working for Zimperium.

Login information via the browser is not utilizing a secure form of encryption for both web.airdroid.com or when accessing via local IP despite their SSL cert being valid for *.airdroid.com. The key for the DES encryption being used to hash the password and e-mail being hardcoded into the application despite having a POC for an attack on their users is inexcusable and shows a blatant disregard for their application's level of access as well as their user's safety and security.

My finding (as a security noob) has also deeply disturbed me following no response to bug reports or email contact. While attempting to check out their Windows desktop client, my antivirus discovered the installer attempting to download a variant of adware which monitored the user's activities and provides monetary incentives to developers which include it within their programs and applications. I do understand that if something is free, the product is you. However, I am a paying customer of this service as I'm sure many who use xda would be in an effort to support development of software and applications we enjoy. This adware was ran through and confirmed with VirusTotal and certainly is not a false positive. This desktop client also does not use SSL for communication.

Due to discovering these problems, I immediately discontinued use (the same day I renewed my yearly subscription). However, I was unable to remove the application from my phone without a full factory reset even after both application updates and upgrading android versions. With it set as a device administrator, it's access must first be revoked before uninstalling. However, across multiple devices and versions of android, attempting to remove it from device administrators causes a crash of the android settings app.

I had planned to do a POC for what I feel is an extremely likely scenario based off both public vulnerabilities as well as what I had discovered myself, but I have been far too busy with a few other projects as well as work to complete it yet. I had just stumbled across this section of the xda forums while looking for something else and hoped to get a response from the devs of this app.
I would love to be able to utilize an app with this functionality. However, there needs to be far more focus on security in its design before I would ever feel comfortable utilizing it again.

In theory, it would be entirely possible for an unstable, technically inclined person at a local coffee shop (or other public location with unsecured an wireless network) to hijack a user's login information with minimal skill level required then giving them full, unadulterated access to the application's functions such as forcing gps or camera on to track or watch someone without their consent as all connections aren't even requiring the user to accept the incoming connection on their phone to perform these actions. That is not a farfetched scenario and presents a possible threat to someone's physical safety.

Link to said researcher's findings can be found on his blog by searching Zimperium airdroid multiple vulnerabilities as I just created this account for this post and can not yet post outside links.
The Following 5 Users Say Thank You to Mirwin0 For This Useful Post: [ View ] Gift Mirwin0 Ad-Free
 
 
1st July 2017, 06:17 AM |#2  
Junior Member
Flag Istanbul
Thanks Meter: 0
 
Donate to Me
More
Thanks a lot for all this information. I really appreciate it.
20th August 2017, 08:33 PM |#3  
Member
Flag Greenville
Thanks Meter: 38
 
More
Why hasn't this been addressed yet?
The Following User Says Thank You to gametimebrizzle For This Useful Post: [ View ] Gift gametimebrizzle Ad-Free
23rd November 2017, 11:10 AM |#4  
Member
Thanks Meter: 15
 
More
I remember reading this a while ago, realizing that it is a serious issue, and just how little the devs care about security on their app.
This is mainly because most end-users don't dive this deep into an app, and don't fully comprehend the severity of such vulnerabilities until it is too late.

We should make a bigger fuss about these things!
4th December 2017, 08:07 PM |#5  
Junior Member
Thanks Meter: 0
 
More
I've always been very careful with RAT-type apps and so I was when checking out AirDroid. I've uninstalled it after 30 minutes of using, just because I didn't like the fact, there's a chance some undesirable person could start spying on me. As I read this thread, I'm realising how right I was that time.
Post Reply Subscribe to Thread

Guest Quick Reply (no urls or BBcode)
Message:
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes