The AirDroid app for Android has surpassed 20 million downloads from the Google Play store and has received rave reviews from the likes of USA Today and Lifehacker. The app's function is to help a user organize his or her life by providing the remote ability to send text messages, edit files, manage other apps, and even perform GPS tracking.

Unfortunately, for all its accolades, AirDroid is vulnerable to a pretty serious authentication bug. This bug allows a remote attacker to essentially take over an otherwise unsuspecting victim's phone. All an attacker needs to do is send a malicious link; all a victim needs to do is click on it. The attack can be carried out silently, meaning that it works even when the app isn't operating. Just having it installed on a device is enough.

Once an attacker gains access to a victim's phone, the possibilities are plentiful:

- Take photos of the victim via the phone's camera.
- Harass the victim's friends and family via contacts.

Basically, anything that AirDroid can access becomes fair game for an attacker.

This proof-of-concept video shows the AirDroid exploit in action. For a more technical explanation, check out our official advisory write-up. The following is a play-by-play description:

1.) The attacker sends the victim an innocent-seeming link.
2.) The victim takes the bait and clicks the link.
3.) Click! The attacker – specifically, his or her website – now has control of the victim's phone.
4.) The webpage opens, sending a text message to the victim and taking a photo of him or her as well.
5.) The photo is sent to the attacker, who then uses it to taunt the victim.

You don't have to be a victim of this sort of exploit, though. There is a solution: we disclosed the bug to AirDroid's team, and they were more than happy to work with us. They have released a fix in their web interface's most recent version. We have tested this, and have found it more than adequate.

The more important lesson here, though, goes far beyond this particular bug. Careful scrutiny is a must when allowing mobile applications extensive permissions. It's easy to be desensitized to lengthy permission lists, as so many apps come with overbearing requests for access. Therefore, exercise caution when permitting an app pervasive access to your phone. For example, when installing AirDroid, this list of permissions is displayed:

[Image: the permission list shown when installing AirDroid]

Most people are fast to ignore these lists and accept all requests for the sake of convenience. When saying "okay" to all of these items, you're placing your trust not only in the app itself, but also in its security. Our advice is to consider whether or not an app truly needs all the access it's asking for. For example, does a flashlight app require access to your phone contacts? Probably not. If an app seems like it's requesting too many permissions, it most likely is.
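The "does this app really need that?" check above can be turned into a routine audit rather than a one-time glance at the install dialog. The script below is an added example, not code from the original post or from AirDroid: it reads the granted runtime permissions of an installed package (the input here is a constructed excerpt in the style of `adb shell dumpsys package <pkg>` output, whose exact layout varies by Android version) and compares them against a baseline of what an app in a given category plausibly needs. The category baselines, the package names and the sample output are all assumptions made for the example; the permission identifiers are real Android ones.

```python
"""Flag Android apps whose granted permissions exceed what their purpose needs.

Added example. Input is a constructed excerpt resembling
`adb shell dumpsys package <pkg>`; lines of the form
    android.permission.X: granted=true
are the ones the parser keys on.
"""
import re
from typing import Dict, List, Set

# Representative subset of Android's runtime ("dangerous") permissions.
SENSITIVE: Set[str] = {
    "android.permission.READ_CONTACTS",
    "android.permission.CAMERA",
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Assumed baselines (our own, not Android's): what an app of each kind has a
# reason to hold. Older torch control went through the camera HAL, so CAMERA
# alone is plausible for a flashlight; a remote-administration tool genuinely
# needs most of the sensitive set, which is exactly why its own security matters.
EXPECTED: Dict[str, Set[str]] = {
    "flashlight": {"android.permission.CAMERA"},
    "remote-admin": {
        "android.permission.READ_CONTACTS",
        "android.permission.CAMERA",
        "android.permission.SEND_SMS",
        "android.permission.READ_SMS",
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.READ_EXTERNAL_STORAGE",
    },
}

# Matches "<permission>: granted=<true|false>" wherever it sits on the line;
# real dumpsys output appends ", flags=[...]" which the pattern ignores.
PERM_RE = re.compile(
    r"^\s*(android\.permission\.[A-Z_]+):\s*granted=(true|false)", re.MULTILINE
)


def granted_permissions(dumpsys_text: str) -> Set[str]:
    """Return the permissions the excerpt reports as granted."""
    return {name for name, state in PERM_RE.findall(dumpsys_text) if state == "true"}


def audit(package: str, category: str, dumpsys_text: str) -> Dict[str, object]:
    """Compare granted sensitive permissions with the category baseline."""
    granted = granted_permissions(dumpsys_text)
    sensitive_granted = granted & SENSITIVE
    unexpected: List[str] = sorted(sensitive_granted - EXPECTED[category])
    return {
        "package": package,
        "sensitive_granted": sorted(sensitive_granted),
        "unexpected": unexpected,
    }


# Constructed samples; not captured from a real device.
SAMPLE_FLASHLIGHT = """\
Package [com.example.flashlight]:
  runtime permissions:
    android.permission.CAMERA: granted=true, flags=[ USER_SET ]
    android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
    android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
"""

SAMPLE_REMOTE_ADMIN = """\
Package [com.example.remoteadmin]:
  runtime permissions:
    android.permission.READ_CONTACTS: granted=true
    android.permission.CAMERA: granted=true
    android.permission.SEND_SMS: granted=true
    android.permission.READ_SMS: granted=true
    android.permission.ACCESS_FINE_LOCATION: granted=true
    android.permission.READ_EXTERNAL_STORAGE: granted=true
"""


if __name__ == "__main__":
    for pkg, cat, text in [
        ("com.example.flashlight", "flashlight", SAMPLE_FLASHLIGHT),
        ("com.example.remoteadmin", "remote-admin", SAMPLE_REMOTE_ADMIN),
    ]:
        report = audit(pkg, cat, text)
        print(f"{report['package']}: sensitive={report['sensitive_granted']}")
        if report["unexpected"]:
            print(f"  REVIEW: no obvious need for {report['unexpected']}")
        else:
            print("  permissions match the baseline; the app's own security is now the gate")
```

On a real device the same `audit()` can be fed the output of `adb shell dumpsys package <pkg>` for each installed package. The flashlight sample trips the check on READ_CONTACTS, while the remote-administration sample passes, which is the second half of the post's point: when every permission is legitimately needed, the app's security, not the permission dialog, is what stands between an attacker and the phone.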