AirDroid has patched an authentication flaw in its web application that could allow an attacker to remotely control and manipulate a victim’s Android device.
AirDroid, which offers functionality similar to Apple’s native iMessage app, allows a user to send SMS messages, make calls, add contacts and more via a web-based interface. An attacker would just need to lure a user to a malicious website hosting an exploit in order to compromise the user’s device.
“The risk is that if you’re logged into the AirDroid service, it runs in the background—the app does not need to be open—and you’re vulnerable,” said Matt Bryant, a security analyst with Bishop Fox who discovered and disclosed the vulnerability to AirDroid. “You can force the app to open and control it from there.”
From the Web interface, an attacker could also take pictures with the Android device, import and export .apk files in order to potentially add malicious apps to the phone, transfer files from the phone to the computer, view and manipulate photos, view the Android screen in real time, open URLs with the Android browser, and track the device’s location.
“This type of vulnerability is a little unique, but I don’t put it outside someone else finding,” Bryant said. “The exploit is complex as well.”
The vulnerability was patched in March, weeks after it was reported on Feb. 27. It affects AirDroid version 3.0.4 and earlier. The flaw lies in the fact that the web application uses JSONP, or JSON with padding, to perform cross-origin requests. Bryant said it is possible to exploit JSONP to hijack the AirDroid web app.
“They had some insecurity in the token used to control AirDroid to connect to the phone,” Bryant said. “It generates a token (a 7bb session token) each time to connect to the website and uses an insecure method of sharing information. Through the use of JSONP, I was able to hook into AirDroid and construct my own token. They served data insecurely; I captured it and built my own token.”
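To make the JSONP weakness concrete, the following is an added example (not AirDroid’s code and not the Bishop Fox exploit): a minimal model of an endpoint that pads a session token in a caller-supplied callback, so any origin can read it by loading the URL as a script, beside a hardened plain-JSON endpoint and a check a reviewer can run over responses. The origin allowlist, the sample token and the handler names are assumptions; requests and responses are plain objects so it runs without a server.

```javascript
// Added example, not AirDroid's code. Constructed values are marked as such.
const ALLOWED_ORIGINS = new Set(["https://app.example.invalid"]); // assumed allowlist
const SESSION = { token: "CONSTRUCTED-SAMPLE-TOKEN" };              // constructed sample

// Vulnerable pattern: wrapping the JSON in the caller's callback turns the response
// into valid JavaScript. A third-party page can load it with <script src=...> and its
// callback function receives the token; the same-origin policy does not shield
// script sources, and the unvalidated callback name is a reflected-XSS risk as well.
function vulnerableSessionHandler(req) {
  const cb = req.query.callback || "callback";
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body: `${cb}(${JSON.stringify(SESSION)});`,
  };
}

// Hardened pattern: no padding, plain JSON that is a syntax error as a script,
// an explicit Origin allowlist, and a custom request header that a cross-site
// <script> tag cannot add (only fetch/XHR from an allowed origin can).
function hardenedSessionHandler(req) {
  const origin = req.headers["origin"];
  const viaXhr = req.headers["x-requested-with"] === "XMLHttpRequest";
  if (!ALLOWED_ORIGINS.has(origin) || !viaXhr) {
    return { status: 403, headers: { "Content-Type": "application/json" }, body: '{"error":"forbidden"}' };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json",
      "X-Content-Type-Options": "nosniff",
      "Access-Control-Allow-Origin": origin,
      "Vary": "Origin",
    },
    body: JSON.stringify(SESSION),
  };
}

// Defender's check: is this response JSON wrapped in a function call, i.e. readable
// by any page that loads it as a script? Run it over responses of endpoints that
// return session material.
function isJsonpResponse(res) {
  return /^[\w$.]+\(\s*[\[{]/.test(res.body.trim());
}

// The request a page on another origin produces via a <script> tag: it can pick
// the callback name but cannot set custom headers.
const crossSiteRequest = { query: { callback: "receive" }, headers: { origin: "https://other.example.invalid" } };
console.log(isJsonpResponse(vulnerableSessionHandler(crossSiteRequest)), hardenedSessionHandler(crossSiteRequest).status);
```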
AirDroid is another example of a mobile application requiring excessive permissions in order to function as designed; in this case, the excessive permissions extend an attacker’s capabilities if he’s able to hijack the app. The app requires a lengthy list of permissions that includes access to personal information, messages, location, network communication, storage, system tools, hardware controls, and phone calls.
“AirDroid allows, because of the way it works, full control over the phone, which is warranted in the case of AirDroid; that’s the idea, to manage the phone remotely via computer,” Bryant said. “A lot of apps request crazy permissions, and people are not generally worried about it. AirDroid users trust the app with permissions on phone and people are ok with allowing that.”