Security firm Zimperium reports that AirDroid, a popular app on the Google Play Store used for accessing and managing your Android device from the web browser on your PC, makes use of insecure communication channels that leaves its estimated 50 million user base vulnerable to Man-in-the-Middle attacks.
Zimperium says that the weak communication channel allows a malicious party to “perform a MITM network attack and grab the device authentication information as shown in the “Details” section from the very first HTTP request the application performs.”
The vulnerability allows hackers to gain access to key user information, including their email ID and password hash. The vulnerability can also be used to push malicious updates to the device. More worryingly perhaps, Zimperium first sent an email to the developers of AirDroid disclosing the vulnerability on May 24, 2016. Since then, despite acknowledgement, numerous follow-up emails, and a major release of AirDroid, the vulnerability continues to exist. The latest version of AirDroid, v4.0.1, still remains vulnerable to the exploit. If you currently use AirDroid, you should ideally wait for an update from the developers fixing the issue before you use the application again while on a public network.
