Popular AirDroid remote management tool for Android can now be used without worrying about malicious updates and data theft, its developers claim.
What was the problem?
Mobile security firm Zimperium recently revealed that the AirDroid app sends and receives some information over insecure channels (HTTP), exposing users on unsecured networks to man-in-the-middle attacks, and does not verify whether a served update is legitimate, meaning that an attacker in that position could serve a malicious one.
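What "verifying that a served update is legitimate" looks like in code, as an added illustration rather than anything from AirDroid or Zimperium: the client ships with the publisher's Ed25519 public key and rejects any update whose signature does not verify, so a download altered in transit fails the check no matter whether it arrived over HTTP or HTTPS. The key pair, version numbers and payload below are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// signedDigest binds the update bytes to the offered version, so a valid signature for one build cannot be replayed for another.
func signedDigest(version uint32, apk []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write([]byte("app-update-v1\x00")) // domain-separation label (constructed)
	h.Write(v[:])
	h.Write(apk)
	return h.Sum(nil)
}

// VerifyUpdate accepts an update only if it is newer than the installed build and
// its signature checks out under the publisher key shipped inside the app.
// The transport (HTTP or HTTPS) plays no part in this decision.
func VerifyUpdate(pub ed25519.PublicKey, installed, offered uint32, apk, sig []byte) error {
	if offered <= installed {
		return errors.New("refusing downgrade or re-install of the same version")
	}
	if !ed25519.Verify(pub, signedDigest(offered, apk), sig) {
		return errors.New("signature invalid: update was not produced by the publisher key")
	}
	return nil
}

// SelfCheck plays both sides: the publisher signs a build, the client validates it,
// and a single byte flipped in transit (what a MITM on plain HTTP can do) is rejected.
func SelfCheck() (genuineOK, tamperedOK, downgradeOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stands in for the vendor's key pair
	if err != nil {
		return
	}
	apk := []byte("PK\x03\x04 constructed stand-in for an APK payload") // not a real APK
	sig := ed25519.Sign(priv, signedDigest(403, apk))
	genuineOK = VerifyUpdate(pub, 400, 403, apk, sig) == nil
	tampered := append([]byte(nil), apk...)
	tampered[10] ^= 0x01
	tamperedOK = VerifyUpdate(pub, 400, 403, tampered, sig) == nil
	downgradeOK = VerifyUpdate(pub, 403, 403, apk, sig) == nil
	return
}
```

Pinning the publisher key inside the app is what makes this work: a hash or signature fetched from the same unauthenticated server would be just as easy for an attacker to replace as the update itself.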
The AirDroid team was notified of this in May 2016, but did not come up with a fix by December 1, forcing Zimperium to publicly disclose the existence of the vulnerabilities, and warn users against using the app while on unsecured networks.
Fixes and improvements
According to a blog post published on the day after the revelation, the AirDroid team seems to have been too busy with the development of a new architecture to pause and create a fix for the security issues in question.
Some users were, understandably, not satisfied with the explanation. “This is not acceptable. You ignored a major bug to push out a new release. This is not acceptable product management or respectful of your users,” one of them noted.
But now, apparently and finally, the fixes have been implemented, and the team has urged users to switch to the newest versions of the software (Mobile 18.104.22.168 and Mac/Win 22.214.171.124) immediately, as they will stop supporting old versions.
“Along with other security improvements, we have upgraded the communication channels to https and improved the encryption method,” Betty Chen, CMO of AirDroid, told Help Net Security.
“Because of AirDroid’s cross-platform nature, it took us some time to design a customised solution and level up our security in all aspects. We introduced the restructuring coding system into AirDroid 4.0 and AirDroid 126.96.36.199 to make sure the compatibility works fine across platforms late in November. After a careful assessment, we started to roll out this update partially earlier this month across clients to make sure a smooth communication is performed well. Now we can finally release this update fully to fix the issue raised as well as make sure our users are better protected.”
According to Android Police, the developers ran the updates past Zimperium’s researchers, so that they could check whether the security issues had been properly addressed.
The release of the new versions seems to indicate that they have, but, just in case, we’ve asked Zimperium to confirm this, and we’ll provide their confirmation as soon as they send it to us.
UPDATE (December 13, 2016): Zimperium researchers have, indeed, tested version 4.0.3 of the mobile software, and have concluded that the software now uses SSL but does not enforce certificate pinning, and that the main update remote code execution issue (malicious APK update) is now fixed.
“Version 4.0.3 is safer to use and we recommend to update your AirDroid application,” they noted.