Bishop Fox Security Research Team Discovers Major Authentication Bug in Popular AirDroid App

Vulnerability Allows Attackers to Remotely Take Control Over Every AirDroid Feature, Even When Not Running

The security research team at Bishop Fox announced today that they have identified a serious vulnerability in Android’s AirDroid application that allows potential attackers to gain access to the user’s Android phone. Leveraging this vulnerability, Bishop Fox found that an attacker can simply send a malicious link to an AirDroid user via email, Facebook, Twitter, SMS, etc., for the attack process to begin. Upon clicking the link, a remote attacker takes control over every AirDroid feature – even if the app is not running. The attacker can even go a step further by then sending the malicious link to the victim’s contacts and social media connections.

Launched in 2011 with over 20 million downloads to date, AirDroid is a popular application that allows users to access and manage their Android phones or tablets wirelessly from Windows and Mac machines, or the web. According to AirDroid, the app’s purpose is “to make multi-screen life easier by helping access and manage your phone from any computer, anywhere.” With the app, you can send text messages, view app notifications, transfer files and fully control your phone from your computer. The vulnerability that Bishop Fox found makes everything AirDroid has access to, including contacts, photos, and email, available to an attacker.

Bishop Fox Security Analyst Matt Bryant found the vulnerability and said, “I test every application I use, partially for my protection and partially out of curiosity. I was examining the app’s components and found this vulnerability. It struck me as insecure, which then prompted me to take a closer look at it. Given the serious implications of this vulnerability and the impact on so many users, we decided the best thing was to notify AirDroid so that they could quickly develop a solution.”

As of today, AirDroid has responded to the vulnerability notification by developing a patch that resolves the problem at the server level. For more information on this vulnerability, please see this advisory: http://www.bishopfox.com/news/2015/04/airdroid-web-application-authentication-flaw/

Bishop Fox also issued a blog post with a video demonstration of this vulnerability today: http://www.bishopfox.com/blog/2015/04/airdroid-how-much-do-your-apps-know/

About Bishop Fox

Bishop Fox is a global security consulting firm. They are the trusted advisors to the Fortune 1000, financial institutions, and high-tech startups — helping to secure their commerce, data, IT infrastructure, and intellectual property. Founded in 2005, their team consists of dedicated individuals with a combined 400+ years of experience working in both corporate America and global security.
In addition to authoring several best-selling security books, writing numerous industry articles, and being cited in well-respected journals, the Bishop Fox team has been presenting its security research for more than a decade. Bishop Fox speakers have been featured at many top security industry venues, including Black Hat, DEF CON, RSA, InfoSecWorld, OWASP, SANS, and Microsoft BlueHat.

Contact Author

Arissa Aguilera
Bishop Fox
+1 (916) 384-6884