AirDroid is one of several services that allows Android users to send and receive text messages, as well as transfer files and see notifications, from their computer. According to the Play Store, AirDroid has somewhere between 10 and 50 million installs (not counting anyone directly installing the APK from the AirDroid website). Mobile security company Zimperium recently released details of several major security vulnerabilities in AirDroid, allowing attackers on the same network to access user information and even execute code on a user's phone.

The security issues are mainly due to AirDroid using the same HTTP request to authorize the device and send usage statistics. The request is encrypted, but uses a hardcoded key in the AirDroid application (so essentially, everyone using AirDroid has the same key). Attackers on the same network can intercept the authentication request (commonly known as a Man-in-the-middle attack) using the key extracted from any AirDroid APK to retrieve private account information. This includes the email address and password associated with the AirDroid account.

But this gets even worse. Attackers using a transparent proxy can intercept the network request AirDroid sends to check for add-on updates, and inject any APK they want. AirDroid would then notify the user of an add-on update, then download the malicious APK and ask the user to accept the installation.

Zimperium notified AirDroid of these security flaws on May 24, and a few days later, AirDroid acknowledged the problem. Zimperium continued to follow up until AirDroid informed them of the upcoming 4.0 release, which was made available last month. Zimperium later discovered that version 4.0 still had all these same issues, and finally went public with the security vulnerabilities today.

In summary, attackers on the same network as an AirDroid user can intercept user information (including account login and password), as well as send malicious applications to phones with AirDroid disguised as add-on updates. Sand Studio (the developers of AirDroid) had seven months to fix these issues, and they still remain. If you are using AirDroid, you should disable or uninstall it immediately.

I find it an absolute disgrace that the developers of AirDroid would knowingly endanger the private information of their users, and I recommend to stop using it, even after these vulnerabilities are fixed. I hope that Sand Studio fixes these issues as soon as possible, for the sake of AirDroid users not aware of this issue.

AirDroid has responded with a blog post on its website, explaining that they hope to have a fix ready within two weeks. Sand Studio was already working on AirDroid 4.0 at the time, and put all their resources into finishing the update before focusing on fixing the bug. I'm sure most developers would agree that AirDroid should have paused development on 4.0, released a fix for the bug, and continued work on 4.0 with the fix. In the meantime, AirDroid advises users to not connect to insecure Wi-Fi networks.