AirDroid is an application that allows its users to remotely access their own or others' devices. It does not matter where in the world you are or where your device is. Your device only needs an internet connection. Over 10 million people use AirDroid and are satisfied with it. This app is just like Apple’s native iMessage app.
AirDroid has recently patched an authentication flaw in its web application that could allow an attacker to remotely access a victim’s Android device and gain full access to it. The attacker could even use the phone’s camera to take pictures, find the device’s exact location, import .apk files to install malicious apps on the device, view the Android device’s screen in real time, and much more.
“This type of vulnerability is a little unique, but I don’t put it outside someone else finding,” Bryant said. “The exploit is complex as well.” The vulnerability was registered on Feb 27 and was patched in a few weeks. It affected only AirDroid version 3.0.4 and earlier.
How was the attacker able to attack AirDroid’s web application? This was possible because the application used JSONP (JSON with padding) to perform cross-origin requests. Bryant said that it is possible to exploit JSONP to hijack AirDroid’s web application.
Your device may ask you for permission when someone is trying to hijack it, and you may even grant that permission, since AirDroid is an application that asks for high privileges to work efficiently.
“They had an insecurity in the token used to control AirDroid to connect to the phone,” Bryant said. “It generates a token (a 7bb session token) each time to connect to the website and uses an insecure method of sharing information. Through the use of JSONP, I was able to hook into AirDroid and construct my own token. They served data insecurely; I captured it and built my own token.”
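To illustrate why serving session data over JSONP is risky, here is an added example (not AirDroid's code and not from the original article) that puts a JSONP handler beside a JSON handler restricted by a CORS origin allowlist. The handler names, request shape, origin and token value are all constructed assumptions.

```javascript
// Added example. Endpoint shape, origin and token value are constructed.
const ALLOWED_ORIGINS = new Set(["https://web.example.test"]);
const SAMPLE_SESSION = { device: "phone-1", token: "CONSTRUCTED-TOKEN" };

// Weak setting: JSONP. The body is executable script wrapped in a function
// name chosen by the caller. Script includes are exempt from the same-origin
// policy and carry the user's cookies, so the server cannot limit who reads it.
function jsonpHandler(req, session) {
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body: `${req.query.callback}(${JSON.stringify(session)});`,
  };
}

// Corrected setting: plain JSON, readable cross-origin only through CORS and
// only by an allowlisted origin. Loaded as a script, it exposes no data.
function jsonHandler(req, session) {
  const headers = {
    "Content-Type": "application/json",
    "X-Content-Type-Options": "nosniff",
    "Vary": "Origin",
  };
  const deny = (status, error) => ({ status, headers, body: JSON.stringify({ error }) });

  // Refuse JSONP-style calls outright so old clients fail loudly.
  if (req.query.callback !== undefined) return deny(400, "JSONP not supported");

  // Browsers send Origin on cross-origin fetch/XHR; same-origin GETs omit it.
  const origin = req.headers.origin;
  if (origin !== undefined) {
    if (!ALLOWED_ORIGINS.has(origin)) return deny(403, "origin not allowed");
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return { status: 200, headers, body: JSON.stringify(session) };
}
```
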