AirDroid Patches Web App Hijacking Vulnerability

Researchers at Bishop Fox disclose details on a patched authentication vulnerability in the AirDroid web application that could give attackers remote control over Android devices.

AirDroid has patched an authentication flaw in its web application that could allow an attacker to remotely control and manipulate a victim’s Android device.

AirDroid, which is similar to Apple’s native iMessage app, allows a user to send SMS messages, make calls, add contacts and more via a web-based interface. An attacker would only need to lure a user to a malicious website hosting an exploit in order for the device to be compromised.

“The risk is that if you’re logged into the AirDroid service, it runs in the background—the app does not need to be open—and you’re vulnerable,” said Matt Bryant, a security analyst with Bishop Fox who discovered and disclosed the vulnerability to AirDroid. “You can force the app to open and control it from there.”

From the Web interface, an attacker could also take pictures with the Android device, import and export .apk files in order to potentially add malicious apps to the phone, transfer files from the phone to the computer, view and manipulate photos, view the Android screen in real time, open URLs with the Android browser, and track the device’s location.

“This type of vulnerability is a little unique, but I don’t put it outside someone else finding,” Bryant said. “The exploit is complex as well.”

The vulnerability was patched in March, weeks after it was reported on Feb. 27. It affects AirDroid version 3.0.4 and earlier. The flaw lies in the fact that the web application uses JSONP, or JSON with padding, to perform cross-origin requests. Bryant said it is possible to exploit JSONP to hijack the AirDroid web app.

“They had some insecurity in the token used to control AirDroid to connect to the phone,” Bryant said. “It generates a token (a 7bb session token) each time to connect to the website and uses an insecure method of sharing information. Through the use of JSONP, I was able to hook into AirDroid and construct my own token. They served data insecurely; I captured it and built my own token.”
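The mechanism Bryant describes is inherent to JSONP: a response that executes as JavaScript can be loaded by a `<script>` tag on any site, with the victim's cookies attached, so whatever it returns is handed to the embedding page. The following is an added illustration, not AirDroid's or Bishop Fox's code; it models requests as plain objects, uses a constructed session token and an assumed origin allowlist, and places a JSONP handler beside a hardened plain-JSON handler to show what a cross-origin page can and cannot read.

```javascript
// Added example (not AirDroid's code): a JSONP session endpoint beside a
// hardened JSON replacement. Requests are plain objects; no network involved.

const ALLOWED_ORIGINS = new Set(["https://web.example.test"]); // assumed allowlist

// Constructed stand-in for the per-session data the endpoint serves.
function lookupSession(cookie) {
  return cookie === "sid=abc123" ? { token: "CONSTRUCTED-SESSION-TOKEN" } : null;
}

// Vulnerable pattern: JSONP. A <script src=...> on any site loads this with
// the user's cookies attached, and the body executes in the embedding page,
// so the caller's chosen callback receives the session data.
function jsonpHandler(req) {
  const session = lookupSession(req.headers.cookie);
  if (!session) return { status: 401, headers: {}, body: "" };
  const cb = req.query.callback || "callback";
  return {
    status: 200,
    headers: { "content-type": "application/javascript" },
    body: `${cb}(${JSON.stringify(session)});`,
  };
}

// Hardened pattern: plain JSON, no callback, CORS granted only to an
// allowlisted origin. A <script> tag cannot read a JSON body, and fetch/XHR
// from any other origin is blocked by the browser's same-origin policy.
function hardenedHandler(req) {
  const origin = req.headers.origin;
  const headers = { "content-type": "application/json", "x-content-type-options": "nosniff" };
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers, body: "" };
  }
  if (origin !== undefined) {
    headers["access-control-allow-origin"] = origin;
    headers["vary"] = "Origin";
  }
  const session = lookupSession(req.headers.cookie);
  if (!session) return { status: 401, headers, body: "" };
  return { status: 200, headers, body: JSON.stringify(session) };
}

// Models the browser rule for a cross-origin page at `origin`: an executable
// JavaScript body is readable via <script>; a JSON body only if CORS grants it.
function readableFrom(res, origin) {
  if (res.status !== 200) return false;
  if (res.headers["content-type"] === "application/javascript") return true;
  const acao = res.headers["access-control-allow-origin"];
  return acao === "*" || acao === origin;
}
```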

AirDroid is another example of a mobile application requiring excessive permissions in order to function as designed; in this case, the excessive permissions simply extend an attacker’s capabilities if he is able to hijack the app. The app requires a lengthy list of permissions that includes access to personal information, messages, location, network communication, storage, system tools, hardware controls, and phone calls.

“AirDroid allows, because of the way it works, full control over the phone, which is warranted in the case of AirDroid; that’s the idea, to manage the phone remotely via computer,” Bryant said. “A lot of apps request crazy permissions, and people are not generally worried about it. AirDroid users trust the app with permissions on phone and people are ok with allowing that.”
