According to experts from the firm Zimperium, multiple vulnerabilities in the Android remote management tool AirDroid could expose more than 50 million devices
The flaws could be exploited to abuse built-in features and use them against the application’s users.
Experts highlight that AirDroid uses insecure communication channels allowing attackers to power Man-in-the-Middle (MitM) attacks and other types of attacks.
Researchers from Zimperium discovered that communication channels used to send authentication data to the statistics server are not properly protected because the encryption key is hardcoded inside the application.
An attacker that shares the same network with the victim could run MitM attacks to capture authentication credentials from the first HTTP request the application performs, and use them to act on behalf of the user.
“A malicious party could perform a MITM network attack and grab the device authentication information as shown in the “Details” section from the very first HTTP request the application performs.” reads the blog post published by Zimperium. “This HTTP request can be decrypted at runtime using the 890jklms key hardcoded inside the application and the authentication fields parsed from the resulting JSON.
Having this information, the attacker can now impersonate the victim’s device and perform various HTTP or HTTPS requests on its behalf to the AirDroid API endpoints.
For instance, a payload like the following ( encrypted in DES with the same exact key ) can be sent to the https://id4.airdroid.com/p14//user/getuserinfoviadeviceid.html endpoint :”
Tha attacker could craft a payload encrypted in DES with the same key to trick the server into revealing user information, including the email and password hash.
The attacker could power a MitM attack alto to redirect HTTP traffic to a malicious transparent proxy that allows him to modify the response for the /phone/vncupgraderequest. In this way the attacker could inject a fake update or could execute malicious code remotely.
“Moreover, an attacker performing a MITM attack and redirecting HTTP traffic to a malicious transparent proxy, could modify the response for the /phone/vncupgrade request which is normally used by the application to check for addons updates:
GET /p14/phone/vncupgrade/?q=[DES ENCRYPTED PAYLOAD]&ver=20151 HTTP/1.1 Host: srv3.airdroid.com Connection: close User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Injecting a new update, thus remotely executing custom code on the target device, is just a matter of modifying this response:”
In order to fix these issues, the AirDroid should use only secure communication channels (HTTPS), should implement key pinning to avoid SSL MitM, should use safe key exchange mechanisms, and should leverage and digital verify the update files.
(Security Affairs – AirDroid, hacking)