Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Android Security Encryption Privacy Software Technology

Multiple Vulnerabilities In AirDroid Opens At Least 10 Million Android Users To MITM Attacks, Hijackings (androidpolice.com) 30

AirDroid is a popular Android application that allows users to send and receive text messages and transfer files and see notifications from their computer. Zimperium, a mobile security company, recently released details of several major security vulnerabilities in the application, allowing attackers on the same network to access user information and execute code on a user's device. Since there are between 10 and 50 million installations of the app, many users may be imperiled by AirDroid. Android Police reports: The security issues are mainly due to AirDroid using the same HTTP request to authorize the device and send usage statistics. The request is encrypted, but uses a hardcoded key in the AirDroid application (so essentially, everyone using AirDroid has the same key). Attackers on the same network an intercept the authentication request (commonly known as a Man-in-the-middle attack) using the key extracted from any AirDroid APK to retrieve private account information. This includes the email address and password associated with the AirDroid account. Attackers using a transparent proxy can intercept the network request AirDroid sends to check for add-on updates, and inject any APK they want. AirDroid would then notify the user of an add-on update, then download the malicious APK and ask the user to accept the installation. Zimperium notified AirDroid of these security flaws on May 24, and a few days later, AirDroid acknowledged the problem. Zimperium continued to follow up until AirDroid informed them of the upcoming 4.0 release, which was made available last month. Zimperium later discovered that version 4.0 still had all these same issues, and finally went public with the security vulnerabilities today.
This discussion has been archived. No new comments can be posted.

Multiple Vulnerabilities In AirDroid Opens At Least 10 Million Android Users To MITM Attacks, Hijackings

Comments Filter:
  • by NotInHere ( 3654617 ) on Friday December 02, 2016 @08:07AM (#53407675)

    If you are a KDE user, you might want to try KDE connect. It uses TLS and therefore shouldn't have that particular vulnerability:https://albertvaka.wordpress.com/2016/08/26/kde-connect-1-0-is-here/

    • Been using KDE for years, had not heard of KDE Connect. So thank you!
      Per their site https://community.kde.org/KDEC... [kde.org]
      KDE Connect is a project that aims to communicate all your devices. For example, with KDE Connect you can receive your phone notifications on your computer, or just use your phone as a remote control for your desktop. To achieve this, KDE Connect implements a secure communication protocol over the network, and allows any developer to create plugins on top of it. Currently there are KDE Connec

      • KDE connect to me was very useful when my HTPC keyboard died, I used my Nexus 10 as a keyboard/remote control.
        It also integrates with amarok so you can control the music, shows messages as notifications on the desktop and can even transfer files (although this works only sometimes with me).
  • For notifications, try linconnect: https://github.com/hauckwill/l... [github.com]

    For file transfers, try DavDrive Lite: https://play.google.com/store/... [google.com]

    Although DavDrive says it is only supported on Ubuntu, I have used it on several rpm-based distros.

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...