AirDroid Security Improvements Explained

2016.12.09 Update:

AirDroid (Mobile; Mac/Win) has now completed its rollout and is available on Google Play. We have fixed the issue behind the recent concerns over AirDroid’s security, together with a structural upgrade that we had been preparing for a while.

In this update we have:

  1. Upgraded the communication channels to HTTPS
  2. Improved the encryption mechanism
  3. Other security improvements

You can now download it from Google Play.

Regarding the security concern about AirDroid, we are here to be transparent to you.

First of all, we want you to know that your AirDroid account shall not be exposed to any security risks provided that a secured Wi-Fi/LAN connection is used (a Wi-Fi/LAN connection whose host is known by the user).

However, this does not mean that we don’t take this concern seriously. We reacted immediately after we became aware of the possible security issue. Unfortunately, there is a misunderstanding between us and the blog, which thought we had not kept our promise to improve.

Because a cross-screen management application like AirDroid is complex to code, the change has to be made systematically and kept in sync across the clients and the server to ensure the best possible experience for our users during this transition, as the amended system will not be completely compatible with previous versions and some functions may be affected.

Although we went through a major restructure earlier this year, we have worked tirelessly and stretched our capabilities to the maximum to make sure that we bring the best solution to you ASAP. We are now catching up with the timeline and will ship a security update as soon as possible.

We want to emphasize that your security is our first priority, and it is what our tech guys have always worked hardest on as they improve AirDroid.

Meanwhile, we want to stress again that we strongly encourage our users to be wary of any unknown Wi-Fi network, which might put your personal data at risk.

Please bear with us: our AirDroid team is working on shortening the lead time, and we will make sure you are the first to know when the update is ready!

If you have any further concerns, please feel free to leave comments below; we will answer your questions ASAP.

Thank you for being with us all along. Your trust means everything to us!

21 responses to “AirDroid Security Improvements Explained”

  1. Josh says:

    Why did you not pause development of 4.0, release a fix for the bug, and continue work on 4.0 with the fix? Why was security not a priority?

  2. resource says:

    This is not acceptable. You ignored a major bug to push out a new release. This is not acceptable product management or respectful of your users.

  3. Gilgamesho says:

    Thanks for your efforts AirDroid team. Some of us appreciate the hard work that you are doing. The rest are just upset because they love using your app but they don’t want to compromise their data. Hope that you fix the issue soon 🙂

    • verboze says:

      We’re upset at the way this issue was handled. Security bugs happen all the time, that’s understandable. Knowingly leaving a vulnerability open for over half a year to focus on other priorities, knowing full well what sort of sensitive data users trust to their app, and only reacting AFTER being exposed is NOT acceptable. Consider this: they will have a fix in two weeks, yet they could not fit those two weeks in a span of 6+ months? This is poor prioritization, makes me consider how seriously they take the security of the data I’m entrusting to them.

    • Noah Boudy says:

      Nope, not upset, just vindicated that I DID NOT use their product because 5 minutes into installing and “using” it, it became clear to me that it’s shady, you guys should really pay closer attention to what you install, use and trust.

  4. Swami says:

    Explanation with full transparency AFTER being exposed.. And an advice of don’t connect to insecure networks AFTER knowing the vulnerability for more than 8 months.. Your security is our first priority BUT v4 was an even higher priority.. Bravo!!

    • verboze says:

      My thoughts exactly. They had months to fix this. I call bull on this post. I’m thankful to the security researcher and blog posts who forced their hands on this.

    • Noah Boudy says:

      I pointed out almost a month ago on their blog and got the generic write us and we’ll look into it and nothing ever happened. They are based in Hong Kong, they have ALWAYS been shady and frankly the zero support they provide should have been everyone’s clue. There is no transparency, there never has been, even about who they are and where they are located and how they handle your information. I guess it takes something like this for people to wake up and use common sense.

  5. Justin Coffman says:

    Probably the best question to ask is this: Why did the AirDroid team think it was a good idea to roll their own crypto solution in the first place, let alone one that uses a static key easily discoverable from source, let alone a “key” that wouldn’t pass even basic password complexity checks, let alone to use as a key for an algorithm that has been deprecated and known broken (via brute force) for almost 20 years? This “vulnerability” wouldn’t have existed in the first place had anyone even stopped to consider the basic tenets of secure design.

    • Justin Coffman says:

      With a more forward view: Will AirDroid be allowing any third-parties to audit the code they put in place to solve the issue, to ensure that it does meet secure design requirements?

    • Noah Boudy says:

      Again, makes perfect sense for shady operations that don’t care one bit about YOUR interests. Just what they can get out of it, nothing more.

  6. Andy Roid says:

    You destroyed our trust

    You knew there was a massive security hole for six months and did nothing to fix it

    You only responded when you were publicly exposed.

    Who knows what other security holes you are ignoring at the moment.
    I uninstalled your app straight away. Terrible developers

  7. mchlwlsh says:

    I downloaded AirDroid 4, it drove my AV software crazy, in the setup there was something nasty. I pulled the log file and sent it to them…never heard anything, cancelled subscription.

  8. Daniel says:

    My trust in AirDroid is destroyed. And I am sick of this attitude – basically not accepting your fault plus you say that security is your first priority? What *tech guys* you have there? I wouldn’t employ them in any of my companies. Hope they at least stand up against this…

  9. Toto says:

    I regret blackberry blend 🙁

  10. Kaled Kelevra says:

    You were great. Now you are shit.

  11. Alan_Peery says:

    In a proper world, you’d be roasted over a slow fire. Using http rather than https is an absurd mistake, and you’ve had years to do this securely as is standard industry practice.