A few days ago, independent security firm Zimperium released details about several major security flaws in the popular AirDroid application. In summary, attackers can easily intercept insecure requests to AirDroid's servers, as well as push malicious APKs to devices, where they appear as AirDroid add-on updates (which AirDroid then prompts the user to accept). Granted, the user has to be on an insecure Wi-Fi network for the attack to work, but it's still a major problem.

That alone is bad enough, but Zimperium informed AirDroid of the problem a whopping seven months ago. During that time, a major 4.0 update was released, which still had the same security issues. Once Zimperium disclosed the information publicly, AirDroid put out a blog post in broken English without any real explanation.

AirDroid did promise that a fix would be available within two weeks, and to their credit, the latest Beta version (4.0.0.2) does contain the fixes. The developers are waiting on Zimperium to verify that all the security issues are properly resolved before pushing it to all users.

I don't recommend using AirDroid (even after these issues are fixed), but if you absolutely have to, don't connect to any Wi-Fi networks that you don't manage yourself until the fix is available. You can also sign up for the beta on Google Play.

UPDATE: 2016/12/09 7:16pm PST

AirDroid has released the 4.0.0.3 update for Android, and the 3.3.5.3 update for the Mac/Windows clients, which fix all known security flaws. The developers claim all communication channels are now HTTPS (why wasn't it that way from the beginning?) with an improved encryption method. You can download the Android client update from the Play Store, and the desktop clients from AirDroid's website.