AirDroid has gaping security holes
AirDroid is one of the treasures of the Android world, a product of the platform’s more open nature. In a nutshell, it allows Android users to control their devices from a web browser, to send or read messages, manage files, or even mirror the device’s screen. That power, however, has apparently come at a price. Although AirDroid has existed for years now, it was only earlier this year that mobile security researchers at Zimperium discovered some rather serious security holes in its implementation, potentially giving hackers nearly limitless access to the owner’s information and device.
At the heart of the matter is AirDroid’s rather lax security when communicating with its servers, both to authenticate users and to check for updates. When it does so, it sends an encrypted packet containing the user’s e-mail address and password. However, the encryption key is hardcoded into the app and is the same for all installs of AirDroid. This means that even the greenest of hackers will be able to extract that key, decrypt that information and gain access to the user’s authentication details. Given how users often reuse passwords, that’s pretty much a skeleton key to the user’s digital life.
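For developers who want to check their own apps for the same class of flaw, here is an added example (not from the original article, and not AirDroid's code) that scans Java source for a cipher key built from text embedded in the app. The two Java snippets, the `find_hardcoded_keys` helper and the `per_install_key` alias are constructed for illustration.

```python
import re

# Constructed Java snippets (not AirDroid code). The first embeds its keys in the
# source, so every install ships the same secret; the second loads a key at runtime.
VULNERABLE = '''
class Api {
    private static final String KEY = "constructed-demo-key";
    byte[] seal(byte[] body) throws Exception {
        SecretKeySpec k = new SecretKeySpec(KEY.getBytes("UTF-8"), "AES");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, k);
        return c.doFinal(body);
    }
    byte[] legacy(byte[] body) throws Exception {
        return mac(new SecretKeySpec("another-literal".getBytes(), "HmacSHA256"), body);
    }
}
'''
CLEAN = '''
class Api {
    byte[] seal(byte[] body) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey k = (SecretKey) ks.getKey("per_install_key", null);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, k);
        return c.doFinal(body);
    }
}
'''

CONST = re.compile(r'static\s+final\s+String\s+(\w+)\s*=\s*"[^"]*"')
LITERAL_KEY = re.compile(r'new\s+SecretKeySpec\(\s*"[^"]*"')
NAMED_KEY = re.compile(r'new\s+SecretKeySpec\(\s*(\w+)\s*\.getBytes')

def find_hardcoded_keys(java_source):
    """Return (line_number, reason) for each SecretKeySpec built from embedded text."""
    constants = set(CONST.findall(java_source))  # names of string constants in the file
    findings = []
    for number, line in enumerate(java_source.splitlines(), start=1):
        if LITERAL_KEY.search(line):
            findings.append((number, "string literal used as key"))
        named = NAMED_KEY.search(line)
        if named and named.group(1) in constants:
            findings.append((number, "constant %s used as key" % named.group(1)))
    return findings

if __name__ == "__main__":
    for number, reason in find_hardcoded_keys(VULNERABLE):
        print("line %d: %s" % (number, reason))
```

A line-based pattern match like this only catches the direct cases; keys assembled from byte arrays or split across methods need a real static-analysis tool.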