AirDroid Says It Fixed a Huge Security Flaw

The developers behind AirDroid say they've fixed the security flaw in the popular remote PC app that left Android devices vulnerable to hacks.

AirDroid chief marketing officer Betty Chen said today (Dec. 9) that the company has completed its rollout of AirDroid 4.0.0.3 on mobile and 3.3.5.3 on the desktop, patching a security flaw that could have allowed hackers to target unsuspecting victims. "In this update, we have improved our encryption mechanism as planned and fixed the issue regarding the recent concern over AirDroid’s security," Chen said in a statement.

The AirDroid update is available now to all users in the Google Play marketplace.

AirDroid, which has notched between 10 million and 50 million downloads on Google Play, came under fire last week after security firm Zimperium reported on a security flaw it had discovered earlier this year that would have allowed hackers to overcome the app's encryption, giving them access to sensitive information. After targeting a user, hackers could remotely execute code on the device.

At the center of the problem was the app's use of a static encryption key to safeguard important data. What's worse, the encryption key could be easily discovered in the app's code by anyone with even a little know-how, allowing hackers to circumvent the security measures and target unsuspecting victims with a man-in-the-middle attack.

AirDroid is developed by Chinese company Sand Studio and is available in more than 30 countries. It lets users access and control their Android devices from the Web or on a PC or Mac. It also has a backup and syncing service on potentially private data like photos and videos.

Given the app's popularity, AirDroid came under intense scrutiny over the security flaw. Complaints grew even louder after Zimperium reported that it had told AirDroid's creators about the flaw all the way back in May. In subsequent updates released in November, the flaw still wasn't fixed, prompting Zimperium to speak out.

In a blog post last week, Sand Studio blamed the seemingly slow response on coding complexities. It added in its statement that it would work "tirelessly" to fix the problem. To safeguard themselves, users were encouraged to employ HTTPS and seek out additional encryption while using AirDroid. But now Sand Studio says the problem is fixed. Beyond the security patch, the company said it has added further security features to bolster its app.

"Along with other security improvements, we have upgraded the communication channels to HTTPS and improved the encryption method," the company said. "Because of AirDroid’s cross-platform nature, it took us some time to design a customized solution and level up our security in all aspects. We introduced the restructuring coding system into AirDroid 4.0 and AirDroid 4.0.0.1 to make sure the compatibility works fine across platforms late in November. After a careful assessment, we started to roll out this update partially earlier this month across clients to make sure a smooth communication is performed well."

Looking ahead, Sand Studio says it will work to improve security against any "future possible threats."
