Security firm Zimperium reports that AirDroid, a popular app on the Google Play Store used for accessing and managing your Android device from the web browser on your PC, makes use of insecure communication channels that leaves its estimated 50 million user base vulnerable to Man-in-the-Middle attacks.
Zimperium says that the weak communication channel allows a malicious party to “perform a MITM network attack and grab the device authentication information as shown in the “Details” section from the very first HTTP request the application performs.”
AirDroid relies on insecure communication channels in order to send the same data used to authenticate the device to their statistics server. Such requests are encrypted with DES ( ECB mode ) however the encryption key is hardcoded inside the application itself (thus known to an attacker). Any malicious party on the same network of the target device could execute a man in the middle attack in order to obtain authentication credentials and impersonate the user for further requests.
The vulnerability allows hackers to gain access to key user information, including their email ID and password hash. The vulnerability can also be used to push malicious updates to the device.
More worryingly perhaps, Zimperium first sent an email to the developers of AirDroid disclosing the vulnerability on May 24, 2016. Since then, despite acknowledgement, numerous follow-up emails, and a major release of AirDroid, the vulnerability continues to exist. The latest version of AirDroid, v4.0.1, still remains vulnerable to the exploit.
If you currently use AirDroid, you should ideally wait for an update from the developers fixing the issue before you use the application again while on a public network.