Remote management app could expose data to attackers — or compromise devices through hijacked update files.

Update, December 9: Betty Chen, CMO of AirDroid, has reached out to Android Central with the latest on the team's work to fix the vulnerability. See the response below:

We have just completed the staged rollout of AirDroid (Mobile 4.0.0.3; Mac/Win 3.3.5.3) on Google Play Store, it is now available to all users. In this update, we have improved our encryption mechanism as planned and fixed the issue regarding the recent concern over AirDroid's security.

The issue is fixed in the update.

Along with other security improvements, we have upgraded the communication channels to https and improved the encryption method.

Because of AirDroid's cross-platform nature, it took us some time to design a customised solution and level up our security in all aspects. We introduced the restructuring coding system into AirDroid 4.0 and AirDroid 4.0.0.1 to make sure the compatibility works fine across platforms late in November. After a careful assessment, we started to roll out this update partially earlier this month across clients to make sure a smooth communication is performed well. Now we can finally release this update fully to fix the issue raised as well as make sure our users are better protected.


Research by security firm Zimperium has shown that popular remote management app AirDroid is vulnerable to so-called "man-in-the-middle" attacks, leaving users' phones open to data theft or, at worst, compromise of the device through a hijacked update file.

According to Zimperium, an attacker on the same network as the intended victim could intercept authentication data and impersonate the user, allowing personal data — such as SMS, calls, notifications or contact details — to be exposed.

Most seriously, the mechanism by which the app is updated could also be hijacked in the same way, exposing AirDroid users to complete compromise of their device by a malicious APK file. The security firm has a full proof of concept on its site, along with details of how it disclosed the vulnerabilities to developer Sand Studio, starting in May 2016.
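One defensive pattern against the update-hijack scenario just described is to sign update metadata with a key the client pins, so an APK substituted on the network fails verification no matter what transport carried it. The Go program below is an added example, not AirDroid's or Sand Studio's code; the manifest layout, function names and sample APK bytes are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdateManifest is a hypothetical signed update descriptor. The vendor signs
// the APK digest and version offline; the client ships with only the public key.
type UpdateManifest struct {
	Version   string
	APKSHA256 string // hex SHA-256 of the APK bytes
	Signature []byte // Ed25519 signature over Version + "\n" + APKSHA256
}

func manifestPayload(version, digest string) []byte {
	return []byte(version + "\n" + digest)
}

// SignManifest is what the vendor would run at release time (included so the
// example is self-contained; the private key never reaches the client).
func SignManifest(priv ed25519.PrivateKey, version string, apk []byte) UpdateManifest {
	sum := sha256.Sum256(apk)
	d := hex.EncodeToString(sum[:])
	return UpdateManifest{Version: version, APKSHA256: d,
		Signature: ed25519.Sign(priv, manifestPayload(version, d))}
}

// VerifyUpdate is the client-side check: the manifest must carry a valid
// signature from the pinned key, and the downloaded APK must match the digest
// it commits to. A man-in-the-middle can replace bytes on the wire but cannot
// forge the signature, so a swapped APK is rejected before installation.
func VerifyUpdate(pinned ed25519.PublicKey, m UpdateManifest, apk []byte) error {
	if !ed25519.Verify(pinned, manifestPayload(m.Version, m.APKSHA256), m.Signature) {
		return errors.New("manifest signature invalid: not from the pinned key")
	}
	sum := sha256.Sum256(apk)
	if hex.EncodeToString(sum[:]) != m.APKSHA256 {
		return errors.New("apk digest mismatch: file altered in transit")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key pair for the demo
	genuine := []byte("constructed stand-in for a genuine APK")
	m := SignManifest(priv, "4.0.0.3", genuine)
	fmt.Println("genuine:", VerifyUpdate(pub, m, genuine))
	fmt.Println("swapped:", VerifyUpdate(pub, m, []byte("attacker-substituted APK")))
}
```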

Zimperium says the recently released AirDroid 4.0.0 and 4.0.1 remain affected by the same vulnerability. We've reached out to Sand Studio for comment, and we'll update this post with any response. In the meantime, if you're a security-conscious AirDroid user, you may want to think about uninstalling until a fix is available.

You can download the latest version of AirDroid for your Android device here. The latest version of the desktop app can be downloaded from the AirDroid website. If you're a frequent user of AirDroid, you'll definitely want to download these critical updates as soon as possible.