AirDroid, a tool that lets people access their Android smartphones from their desktop PCs, has announced plans to address several critical vulnerabilities. The company said it wants to release a patch within the next two weeks, almost seven months after security firm Zimperium first reported the problems to it privately.
Zimperium said in a blog post that it discovered multiple vulnerabilities that could allow "any malicious party on the same network of the target device" to "execute a man in the middle attack in order to obtain authentication credentials and impersonate the user for further requests." Because AirDroid relays data between the phone and the PC over that channel, its users unwittingly exposed the same data to anyone on their network with a little technical know-how.
The problem stems from AirDroid sending sensitive information over insecure channels and storing the encryption key it relies on inside the app itself. Anyone who digs into the app's code can recover that key, and because every installed copy uses the same one, an attacker on the same network can decrypt the traffic they intercept between a target's phone and PC, including the authentication credentials, and then send their own requests as if they were the user. The captured data could include the login for a banking service, which a thief could use to empty the account, or for the target's social networking accounts.
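To make that failure concrete, here is an added example (not AirDroid's code, and not taken from Zimperium's write-up) that models the situation described above: a client whose "encryption" key ships inside the app, sending an authentication request over a channel anyone on the network can read. The bundle contents, the key value, the user name and password, the request layout, and the HMAC-SHA256 counter-mode stream cipher standing in for whatever cipher the app used are all assumptions made for the illustration; the point is the shared key, not the cipher.

```python
import hashlib
import hmac
import json
import re

# Constructed stand-in for the shipped client package. In a real app the key
# is a constant you read out of the decompiled code or a resource file; the
# value below is an assumption for this example, not the real app's key.
APP_BUNDLE = (
    b"\x7fELF...resources...\n"
    b"cfg.server=desktop-peer\n"
    b"cfg.transport=http\n"
    b"cfg.crypt_key=examplehardcodedkey1\n"
    b"...more app bytes..."
)


def extract_key(bundle: bytes) -> bytes:
    """Attacker step: pull the embedded key out of the client bytes.

    Anyone with a copy of the app can do this, which is why a key stored in
    the app is not a secret at all.
    """
    m = re.search(rb"crypt_key=([A-Za-z0-9]+)", bundle)
    if m is None:
        raise ValueError("no embedded key found")
    return m.group(1)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric stream cipher: HMAC-SHA256 keystream in counter mode.

    Stand-in for the app's real cipher (assumption). The same call encrypts
    and decrypts; whoever holds the key can do both.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


def client_request(key: bytes, user: str, password: str, action: str) -> dict:
    """What the phone sends to the desktop: user and action in the clear,
    password 'protected' only by the key that every copy of the app has."""
    return {
        "user": user,
        "action": action,
        "auth": keystream_xor(key, password.encode()).hex(),
    }


def server_handle(key: bytes, request: dict, db: dict):
    """Desktop side: decrypt the auth field, compare to the stored password,
    and return the action it will carry out, or None if auth fails."""
    pw = keystream_xor(key, bytes.fromhex(request["auth"])).decode(errors="replace")
    if db.get(request["user"]) != pw:
        return None
    return request["action"]


def mitm_recover_password(app_bundle: bytes, captured: dict) -> str:
    """Attacker on the same network: take the key from the app, decrypt what
    was sniffed off the wire."""
    key = extract_key(app_bundle)
    return keystream_xor(key, bytes.fromhex(captured["auth"])).decode()


def mitm_impersonate(app_bundle: bytes, captured: dict, action: str) -> dict:
    """Attacker forges a fresh request for an action of their choosing; the
    server cannot tell it apart from one the real user sent."""
    password = mitm_recover_password(app_bundle, captured)
    return client_request(extract_key(app_bundle), captured["user"], password, action)


def demo() -> dict:
    key = b"examplehardcodedkey1"           # the constant the app shipped with
    users = {"alice": "hunter2-constructed"}  # constructed desktop-side credential store
    on_the_wire = client_request(key, "alice", users["alice"], "list_notifications")
    recovered = mitm_recover_password(APP_BUNDLE, on_the_wire)
    forged = mitm_impersonate(APP_BUNDLE, on_the_wire, "export_contacts")
    return {
        "wire_shows_plaintext_password": users["alice"] in json.dumps(on_the_wire),
        "recovered_password": recovered,
        "forged_action_executed": server_handle(key, forged, users),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The password never appears in the clear on the wire, so the traffic looks "encrypted" to a casual observer, yet the attacker recovers it and gets the desktop to run an action the user never asked for. The only real remedy is an authenticated channel, such as TLS with the server's certificate actually validated, combined with per-user or per-device credentials that do not ship inside the app; both sides of the protocol have to change for that, which is the kind of coordinated client-and-server work a fix for this class of bug requires.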
All of which means these vulnerabilities could have serious repercussions if they're exploited, not least because AirDroid has been installed on at least 10 million Android devices, according to statistics from the Play Store. (Google provides only a range of the total number of installs--between 10 million and 50 million, in this case--to the public.) This isn't some no-name app putting Android users at risk; this is a popular utility trusted by millions of people.
Zimperium said it disclosed the issues to AirDroid on May 24 and received acknowledgement of the problems on May 30. The company then followed up throughout August without response; was told on September 7 that a new version would soon be released; and then found the same vulnerabilities in AirDroid versions 4.0.0 on November 28 and 4.0.1 on November 30. Zimperium then decided to disclose the problems to the public on December 1.
AirDroid responded on December 2. The company assured its users that these vulnerabilities are only a problem if they're using untrusted Wi-Fi networks--like those in coffee shops, airports, and other public areas--and said it planned an update to fix the problem "within two weeks." Zimperium's own description is broader: any malicious party on the same network qualifies, which includes a compromised device on an otherwise trusted home or office network. AirDroid also offered an explanation for the delay:
Due to the complexity of coding for a cross-screen management application like AirDroid, it is required to have a complete sync systematic coding across clients and server to ensure best possible experience for our users during this transition time, as the systematic amendment will not be completely compatible with the previous versions and some functions may be affected.
The developers essentially chose to maintain the status quo, and not to inform their customers about the security risk they incurred every time they used the product, because they didn't want to break their app. That is the weak point of coordinated disclosure, whether through a bug bounty program or a researcher simply reporting a flaw without seeking payment: the company with the faulty code has to fix it, and as AirDroid just showed, companies can't always be trusted to do so.