Users of the AirDroid remote management tool for Android can now use the app without fear of malicious updates and data theft.
That is because researchers at mobile security firm Zimperium had disclosed a vulnerability: the AirDroid app sent and received some information over an insecure channel (plain HTTP), exposing users on untrusted networks to man-in-the-middle attacks, and it did not verify that a served update was legitimate, meaning an attacker in that position could serve a malicious one.
The AirDroid team learned of the vulnerability in May but had not produced a fix by December 1, which led Zimperium to disclose the existence of the vulnerabilities and warn users against using the app on unsecured networks.
According to a blog post, the AirDroid team appears to have been too busy developing a new architecture to pause and fix the security issues in question.
The fixes are now in place, and the team has asked users to switch immediately to the newest versions of the software (Mobile 184.108.40.206 and Mac/Win 220.127.116.11), as support for old versions will be discontinued.
Zimperium researchers tested version 4.0.3 of the mobile software and concluded that it now uses SSL, though it still does not enforce certificate pinning, and that the main remote code execution issue (the malicious APK update) is now fixed.