Multiple Vulnerabilities In AirDroid Opens At Least 10 Million Android Users To MITM Attacks, Hijackings (androidpolice.com) 30
AirDroid is a popular Android application that allows users to send and receive text messages, transfer files, and see notifications from their computer. Zimperium, a mobile security company, recently released details of several major security vulnerabilities in the application, allowing attackers on the same network to access user information and execute code on a user's device. Since there are between 10 and 50 million installations of the app, many users may be imperiled by AirDroid. Android Police reports: The security issues are mainly due to AirDroid using the same HTTP request to authorize the device and send usage statistics. The request is encrypted, but uses a hardcoded key in the AirDroid application (so essentially, everyone using AirDroid has the same key). Attackers on the same network can intercept the authentication request (commonly known as a Man-in-the-middle attack) using the key extracted from any AirDroid APK to retrieve private account information. This includes the email address and password associated with the AirDroid account. Attackers using a transparent proxy can intercept the network request AirDroid sends to check for add-on updates, and inject any APK they want. AirDroid would then notify the user of an add-on update, then download the malicious APK and ask the user to accept the installation. Zimperium notified AirDroid of these security flaws on May 24, and a few days later, AirDroid acknowledged the problem. Zimperium continued to follow up until AirDroid informed them of the upcoming 4.0 release, which was made available last month. Zimperium later discovered that version 4.0 still had all these same issues, and finally went public with the security vulnerabilities today.
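The two flaws in the summary (a key shipped inside the app, and an update check sent over plain HTTP) are both things a source review can flag before release. The following is an added example, not code from the article, Zimperium or AirDroid: the Java sample is constructed, and the rule names `hardcoded-key` and `cleartext-url` are hypothetical.

```python
import re

# Constructed sample of decompiled app source (not AirDroid's real code).
SAMPLE_SOURCE = '''\
public class StatsClient {
    private static final String KEY = "s3cr3tK3y";
    static final String UPDATE_URL = "http://updates.example.test/addon/check";
    byte[] seal(byte[] body) throws Exception {
        SecretKeySpec spec = new SecretKeySpec(KEY.getBytes(), "AES");
        Cipher c = Cipher.getInstance("AES");
        c.init(Cipher.ENCRYPT_MODE, spec);
        return c.doFinal(body);
    }
    SecretKeySpec perSession(byte[] negotiated) {
        return new SecretKeySpec(negotiated, "AES");
    }
}
'''

# String constants initialised from a literal: every install ships the same value.
STRING_CONST = re.compile(r'\bString\s+(\w+)\s*=\s*"([^"]*)"')
# First argument of a SecretKeySpec constructor, with an optional .getBytes(...).
KEY_SPEC = re.compile(
    r'new\s+SecretKeySpec\(\s*("[^"]*"|\w+)\s*(?:\.getBytes\([^)]*\))?\s*,')
# Endpoints reachable without TLS, so responses can be rewritten in transit.
CLEARTEXT_URL = re.compile(r'"(http://[^"]+)"')


def audit(source):
    """Return (line_no, rule, detail) findings for one source file."""
    constants = {m.group(1) for m in STRING_CONST.finditer(source)}
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        m = KEY_SPEC.search(line)
        if m:
            arg = m.group(1)
            # Key material is a literal, or a constant built from a literal.
            if arg.startswith('"') or arg in constants:
                findings.append((no, "hardcoded-key", arg))
        for url in CLEARTEXT_URL.findall(line):
            findings.append((no, "cleartext-url", url))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SOURCE):
        print(finding)
```

The key passed in at runtime (`perSession`) is not flagged; only key material that is identical in every copy of the app is.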
KDE connect doesn't suffer from this (Score:5, Informative)
If you are a KDE user, you might want to try KDE connect. It uses TLS and therefore shouldn't have that particular vulnerability: https://albertvaka.wordpress.com/2016/08/26/kde-connect-1-0-is-here/
What is KDE Connect? (Score:3)
Been using KDE for years, had not heard of KDE Connect. So thank you!
Per their site https://community.kde.org/KDEC... [kde.org]
KDE Connect is a project that aims to communicate all your devices. For example, with KDE Connect you can receive your phone notifications on your computer, or just use your phone as a remote control for your desktop. To achieve this, KDE Connect implements a secure communication protocol over the network, and allows any developer to create plugins on top of it. Currently there are KDE Connec
Re: (Score:2)
Yes, this does affect Blackberry as well. You simply can not have two devices directly accessing the same filesystem on the same di
Re: (Score:1)
It also integrates with Amarok so you can control the music, shows messages as notifications on the desktop and can even transfer files (although this works only sometimes with me).
Re: (Score:1)
They're not useful unless you leave your basement. Then things like airport flightboard feeds, using your phone's NFC as a tap and pay debit card, and providing users with remote support from any Android device become useful.
Re: (Score:2)
On my iPhone I use an app called file explorer. When I launch the app I can then activate an https WebDAV server that allows downloading of iPhone image and music files. Primarily I use it as a quick way to upload images from my phone to my work without having a regular connection. At home I have Dropbox integration on both my laptop and NAS.
In a BYOD environment you need to shuffle files and may not always have a USB drive on you.
Linux alternatives (Score:2)
For file transfers, try DavDrive Lite: https://play.google.com/store/... [google.com]
Although DavDrive says it is only supported on Ubuntu, I have used it on several rpm-based distros.
Re: (Score:2)
Exactly the first thought that crossed my mind. I'm so sick of all these stupid the-sky-is-falling "security alerts" that essentially require the attacker to be sitting next to you at the computer.
NO ONE CARES. JUST STOP.