December 5, 2016 By Mark Samuels 2 min read

Business leaders should be aware that vulnerabilities in an app could leave millions of Android users at risk of a man-in-the-middle (MitM) attack that can lead to information leakage and remote hijacking.

Researchers at Zimperium discovered that remote management tool AirDroid sends authentication information to a statistics server through unsecure communication channels. This enables cybercriminals to use the app’s functionality against device owners and facilitate MitM attacks.

The news has potential implications for users around the world, since AirDroid has an estimated user base of between 10 and 50 million devices, according to the Google Play Store. IT managers should see the news of a potential MitM attack as another reason to check the relevance of their security policies and mobile strategies.

Android Users at Risk

AirDroid sends the device authentication information to its statistics server through communication channels and encrypts it with Data Encryption Standard (DES) in the Electronic Codebook (ECB) mode, researcher Simone Margaritelli explained on the Zimperium blog. The problem is that fraudsters are able to access the encryption key since it’s hardcoded into the app. A nefarious actor on the device’s network could launch a MitM attack to steal authentication data and impersonate the victim for future requests.

A MitM attack is one where an attacker secretly relays and possibly alters the interaction between two parties. In this case, Margaritelli explained, an attacker could alter the response to the /phone/vncupgrade request. The app typically uses this request to scan for updates.

Don’t Snooze on MitM Attacks

The news will be of interest to IT and security managers in organizations that are evaluating the relative strengths of different mobile operating systems and devices, such as smartphones running Android and Apple devices running iOS.

According to InfoWorld, iPhones account for roughly 70 to 90 percent of devices used in the enterprise. Executive editor Galen Gruman advised businesses to hold back on Android due to security concerns, lack of application choices and the diffuse nature of the operating system.

However, more organizations are allowing workers to embrace bring-your-own-device (BYOD) or choose-your-own-device (CYOD) policies, ZDNet reported. To properly serve all employee types, enterprise mobility leaders must support both BYOD and CYOD and include corporate-owned, privately enabled elements.

MitM Mitigation

Margaritelli advised AirDroid users to use HTTPS channels exclusively, double-check the remote public key and always use digital signatures when updating. Additionally, users should adopt safe key exchange mechanisms instead of relying on encryption keys hardcoded within the app.

After Margaritelli persistently alerted the vendor of the exploit in May, the company issued updated versions 4.0.0 and 4.0.1. No security patch was issued, however. Margaritelli advised AirDroid users to uninstall the app until the vendor issues a fix.

More from

New memo reveals Biden’s cybersecurity priorities through fiscal year 2026

2 min read - On July 10, 2024, the White House released a new memo regarding the Biden administration’s cybersecurity investment priorities, initially proposed in July 2022. This new memorandum now marks the third time the Office of the National Cyber Director (ONCD), headed by Harry Coker, has released updated priorities and outlined procedures regarding the five core pillars of the National Cybersecurity Strategy Implementation Plan (NCSIP), now relevant through fiscal year 2026. Key highlights from the FY26 memorandum In the latest annual version…

How prepared are you for your first Gen AI disruption?

5 min read - Generative artificial intelligence (Gen AI) and its use by businesses to enhance operations and profits are the focus of innovation in virtually every sector and industry. Gartner predicts that global spending on AI software will surge from $124 billion in 2022 to $297 billion by 2027. Businesses are upskilling their teams and hiring costly experts to implement new use cases, new ways to leverage data and new ways to use open-source tooling and resources. What they have failed to look…

Cybersecurity crisis communication: What to do

4 min read - Cybersecurity experts tell organizations that the question is not if they will become the target of a cyberattack but when. Often, the focus of response preparedness is on the technical aspects — how to stop the breach from continuing, recovering data and getting the business back online. While these tasks are critical, many organizations overlook a key part of response preparedness: crisis communication. Because a brand’s reputation often takes a significant hit, a cyberattack can significantly affect the company’s future…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today