The SHAREit app requests access to device storage, location, microphone, and camera. It also requests permissions to run at startup, create user accounts and set passwords, full network access, among others. However, the file-sharing app claims that it will not “access permissions that are irrelevant to our operation.” SHAREit also describes itself as file-sharing and a leading content provider offering infinite online video, millions of high-quality songs, gifs, wallpapers, and stickers.

SHAREit's poor app design responsible for the security flaw

Trend Micro attributes the security flaw to the file-sharing app’s poor design. The problem originates from the way the app developers set up content providers. This feature allows communication among apps on the Android platform. Improper setup of content providers could make an Android app vulnerable to the execution of malicious code. App developers must sanitize content providers to avoid exploitation by attackers, but SHAREit developers failed to do so.

SHAREit content providers grant third parties temporary read/write permissions

Trend Micro noted that “the developer behind this disabled the exported attribute via android:exported="false", but enabled the android:grantUriPermissions="true" attribute.” The developers did not limit access to app files, and SHAREit serves all its files to apps that request access. Given that the file-sharing app has access permissions, this security flaw grants the third-party app temporary read/write access to user data.

Although attackers could only access SHAREit’s data files, they could edit those files, including SHAREit’s cache, and attach malicious code to be executed by the app. An attacker only has to request SHAREit’s file-content provider and send a path to get files in the SHAREit directory.

Attackers could steal or replace files through Man-in-the-Middle and Man-in-the-Disk attacks

Trend Micro says that “an attacker may craft a fake file, then replace those files via the aforementioned vulnerability to perform code execution.” The accessibility of SHAREit’s private files exposes them to Man-in-the-Disk attacks. This security flaw was responsible for Epic Fortnite’s breach.

“Even worse, the developer specified a wide storage area root path. In this case, all files in the /data/data/ folder can be freely accessed,” Trend Micro says.

SHAREit app installer also opens links associated with the app, such as “” and “” by default and downloads app data over insecure HTTP. By failing to encrypt the download connection, an attacker can steal sensitive data and execute man-in-the-middle attacks.

Seemingly, SHAREit’s efficiency and its subsequent popularity came at the expense of security.
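One way to audit an app for the provider configuration Trend Micro describes, as an added example that is not code from the article, from Trend Micro or from SHAREit. The sample manifest, the package name `com.example.fileshare` and the use of an AndroidX `FileProvider` paths file with a `root-path` entry are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample input for a hypothetical app (not SHAREit's real manifest).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fileshare">
  <application>
    <provider android:name="androidx.core.content.FileProvider"
        android:authorities="com.example.fileshare.fileprovider"
        android:exported="false"
        android:grantUriPermissions="true"/>
  </application>
</manifest>"""

# Constructed FileProvider path files: an over-broad one and a scoped one.
WEAK_PATHS = '<paths><root-path name="root" path=""/></paths>'
SCOPED_PATHS = '<paths><files-path name="outgoing" path="shared/"/></paths>'


def audit(manifest_xml, paths_xml):
    """List providers that can hand out URI grants, plus path entries that
    place the filesystem root or a whole app directory behind those grants."""
    findings = []
    for prov in ET.fromstring(manifest_xml).iter("provider"):
        name = prov.get(ANDROID + "name", "?")
        if prov.get(ANDROID + "exported") == "true":
            findings.append(f"{name}: exported to every installed app")
        if prov.get(ANDROID + "grantUriPermissions") == "true":
            # exported="false" does not help here: any URI the app hands out
            # carries temporary read/write access to whatever the paths allow.
            findings.append(f"{name}: grantUriPermissions on, review paths")
    for entry in ET.fromstring(paths_xml):
        path = entry.get("path", "").strip("/.")
        if entry.tag == "root-path":
            findings.append("root-path: grants map onto the filesystem root")
        elif path == "":
            findings.append(f"{entry.tag}: empty path shares the whole directory")
    return findings


if __name__ == "__main__":
    for label, paths in (("weak", WEAK_PATHS), ("scoped", SCOPED_PATHS)):
        print(label, audit(MANIFEST, paths))
```

The scoped variant still reports that URI grants are enabled, which is expected for a file-sharing app; the finding to eliminate is the `root-path` entry or an empty `path`.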