Popular Android remote app AirDroid is vulnerable to hacks

If you’re an Android user, you may have heard of AirDroid, a souped-up remote control app that lets you wirelessly connect to an Android phone or tablet. It’s impressively robust: you can respond to text messages directly from your PC, dismiss or answer an incoming call, silence notifications from certain apps, and even transfer files and photos simply by clicking and dragging. But it’s also frighteningly vulnerable to hacks: according to research firm Zimperium, a nasty security hole has left “tens of millions” of AirDroid’s users susceptible to data-stealing attackers.

At fault is the app’s weak method of encryption. In a blog post published Friday, Zimperium reported that the key AirDroid uses to obfuscate sensitive updates and data (a digital passcode made up of a combination of numbers, letters, and characters) is both “static” and “easily detectable.” And while AirDroid uses the industry-standard HTTPS security protocol to handle most files, the app transfers crucial bits over unencrypted HTTP.

That opens the door for a reasonably skilled hacker to perform what’s known as a man-in-the-middle attack: using a third-party computer to impersonate AirDroid’s servers, deliver fraudulent app updates, and view sensitive information. In this manner, hackers could steal email addresses and passwords, surreptitiously install apps, or even replace the legitimate AirDroid application with a malicious replica.

“A malicious party on the same network as the victim can leverage this vulnerability to take full control of their device,” Simone Margaritelli, Zimperium’s principal security researcher, told Ars Technica. “Moreover, the attacker will be able to see the user’s sensitive information … As soon as the update, or fake update, is installed the software automatically launches the updated [Android app file] without ever verifying who built it.”
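For anyone assessing an app for the two weaknesses described above (data sent over plain HTTP and update packages fetched without a protected channel), the following added example, which is not from Zimperium or AirDroid, audits a proxy capture for both. It assumes the capture is exported as `METHOD URL CONTENT-TYPE` lines; the hosts, paths and parameter names are constructed placeholders, not AirDroid's real endpoints.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed proxy capture, one request per line: METHOD URL CONTENT-TYPE.
# Hosts and parameters are placeholders, not taken from any real app.
SAMPLE_CAPTURE = """\
GET https://api.example.com/v1/session application/json
POST http://stats.example.com/collect?account=user%40example.com&device_id=abc123 application/json
GET http://updates.example.com/check?version=4.0.0 application/json
GET http://cdn.example.com/addon/update.apk application/vnd.android.package-archive
GET https://cdn.example.com/img/logo.png image/png
"""

APK_MIME = "application/vnd.android.package-archive"  # registered MIME type for APKs
# Assumed list of parameter names worth flagging; tune it for the app under review.
SENSITIVE_PARAMS = {"account", "email", "device_id", "imei", "token", "password"}


def audit_capture(text):
    """Return (line_no, severity, issue, host) for every cleartext HTTP request."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed or blank lines
        _method, url, content_type = parts
        u = urlsplit(url)
        if u.scheme.lower() != "http":
            continue  # HTTPS traffic is out of scope for this check
        # An installable package over HTTP can be swapped by anyone on the path.
        if content_type == APK_MIME or u.path.lower().endswith(".apk"):
            findings.append((line_no, "HIGH",
                             "update package fetched over cleartext HTTP", u.hostname))
            continue
        leaked = sorted(k for k, _ in parse_qsl(u.query)
                        if k.lower() in SENSITIVE_PARAMS)
        if leaked:
            findings.append((line_no, "MEDIUM",
                             "identifiers in cleartext query: " + ", ".join(leaked),
                             u.hostname))
        else:
            findings.append((line_no, "LOW", "cleartext HTTP request", u.hostname))
    return findings


if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE):
        print(*finding, sep=" | ")
```

A payload that is encrypted with a key shipped inside the app still belongs in these findings, since the key is available to anyone who has the app.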

Zimperium disclosed the vulnerability to AirDroid in May, but it remains present in the newest major release of AirDroid — version 4 — launched in mid-November. A subsequent patch, version 4.0.0.1, doesn’t appear to have addressed the flaw. And Sand Studio, the development team behind AirDroid, has yet to respond to Zimperium’s accusations.

In a statement published to the official AirDroid blog, Sand Studio said it hoped to have a fix ready within two weeks.

If you’re an active AirDroid user, your options are relatively few.

Android limits the extent to which malicious apps can modify your phone’s files, but AirDroid has more access than most. It can make app purchases, and can access contacts, text messages, device location, camera, microphone, photos, Wi-Fi connection data, device ID, and call information. And a malicious update posing as a legitimate one could request additional permissions.

A virtual private network, or VPN, is a potential — but imperfect — solution. VPNs add a layer of security to unencrypted networks, providing a measure of protection from attackers. Ars Technica notes, though, there’s no guarantee a hacker won’t work around it by employing a captive portal — the sort of web page that hotels and airlines use to collect payment and registration information — to kick a VPN user to a compromised connection.

Until the problem’s patched, you’re best off using AirDroid only on wireless networks that you know and trust. If you rely on public Wi-Fi, though, you’re safest disabling or uninstalling AirDroid until a patch is in place.
