air-sdk is vulnerable to man-in-the-middle (MitM) attack. It is possible because it does not prevent downloading of binary resources via HTTP. Moreover, attacker can trigger remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.