‘ShareIt’ Android app with over a billion downloads is a security nightmare


Trend Micro says it has found a number of “security bugs” in the popular Android app ShareIt. ShareIt has been downloaded more than a billion times from the Play Store, and according to App Annie, it was one of the ten most downloaded apps worldwide in 2019. The app was originally developed by Lenovo (it has since been developed in-house) and has been installed on Lenovo phones for some time.

According to the report, ShareIt’s vulnerabilities can be ‘abused to leak sensitive data from a user and execute arbitrary code with ShareIt permissions.’ ShareIt’s permissions, as a local file-sharing app, are quite extensive. According to the Play Store permission listing, ShareIt requests access to the entire user storage and all media, the camera, the microphone, and location. It can remove programs, run at startup, create accounts and set passwords, and much more. It also has full access to the network. Trend Micro says that compromising the app could lead to remote code execution. The security firm says it shared these vulnerabilities with ShareIt three months ago, but the company has yet to release patches.

Being incredibly successful, with a billion Android downloads and 1.8 billion users worldwide (there are also iOS, Windows and Mac applications), has led to an incredible amount of app bloat. The app was considered one of the best for local file sharing, but today the Play Store listing describes an app that offers “Infinite online videos,” “Tens of millions of high quality songs,” “GIFs, wallpapers and stickers,” a ‘popular’ media section that looks like a social network, a game store, a retail movie download section, COVID-19 check-in activity and business statistics, and what looks like its own currency. ShareIt’s website (which, like the app, is not HTTPS) states that the service ‘is now a leading content platform’ and is popular in Southeast Asia, South Asia, the Middle East, Africa and Russia.

If private storage is not private

Trend Micro’s report contains a laundry list of bad decisions made while designing ShareIt that make it more susceptible to malicious code. One problem is a common vulnerability in Android apps that arises when developers configure a content provider incorrectly. Android prides itself on inter-app communication, in part because any app can create a content provider and offer its content and services to other apps. If Gmail wants to attach a file to an email, it can do so by displaying a list of the file content providers installed on your phone (this is basically an “open with” dialog box), and the user can select their favorite file manager, navigate through their storage, and send the file they want to Gmail. It’s up to developers to lock down these cross-application features and expose only the necessary file manager capabilities to Gmail and other applications.

ShareIt does not seem to have given much attention to the need to sanitize its content provider capabilities. The report states: “The developer behind this has disabled the exported feature via android:exported="false", but enabled the feature of android:grantUriPermissions="true", indicating that any third party can still gain temporary read/write access to the content provider’s data.” Some permissions are normal, but Trend Micro has found that ShareIt does not try to scope its permissions at all and that it will gladly serve files to any application. A malicious developer only needs to call the ShareIt file content provider and pass it a file path to get back the files that make up the ShareIt app.

The file paths that ShareIt provides are limited to its own data files, but this means that other applications can modify the data that ShareIt uses to run, including the app cache generated during installation and runtime. The report states that an attacker could produce a fake app cache file and then replace the files via the aforementioned vulnerability to achieve code execution. Normally these files are stored privately, but ShareIt’s private storage is open to the world.
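The manifest pattern quoted from the report can be checked for mechanically. The following is an added example, not code from ShareIt or from Trend Micro: it reads a decoded `AndroidManifest.xml` and flags providers whose URI grants are unscoped. The sample manifest, its package name and its provider names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not ShareIt's): the first provider shows the
# pattern quoted in the report, the second limits grants to one path prefix.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fileshare">
  <application>
    <provider android:name=".AllFilesProvider"
              android:authorities="com.example.fileshare.all"
              android:exported="false"
              android:grantUriPermissions="true" />
    <provider android:name=".SharedOnlyProvider"
              android:authorities="com.example.fileshare.shared"
              android:exported="false"
              android:grantUriPermissions="false">
      <grant-uri-permission android:pathPrefix="/outgoing/" />
    </provider>
  </application>
</manifest>
"""

def audit_providers(manifest_xml):
    """Return one record per <provider>, flagging unscoped URI grants."""
    records = []
    for p in ET.fromstring(manifest_xml).iter("provider"):
        grant_all = p.get(ANDROID + "grantUriPermissions", "false") == "true"
        # <grant-uri-permission> children limit grants to the listed paths,
        # but only when grantUriPermissions is not "true".
        scoped = [g.get(ANDROID + a)
                  for g in p.findall("grant-uri-permission")
                  for a in ("path", "pathPrefix", "pathPattern")
                  if g.get(ANDROID + a)]
        records.append({
            "name": p.get(ANDROID + "name"),
            "exported": p.get(ANDROID + "exported") == "true",
            "grantable": "all" if grant_all else (scoped or "none"),
            # exported="false" does not stop URI grants, so flag for review
            "review": grant_all,
        })
    return records
```

A flagged record is a prompt for review rather than proof of a flaw: androidx `FileProvider` requires `grantUriPermissions="true"` and scopes its files in a separate paths XML resource, so for that class the resource file is what needs checking.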

ShareIt also comes with its own Android app installer. Since the private storage is no longer ‘private’, it repeats the same mistakes we saw in Epic’s Fortnite installer. It downloads app install files to world-readable storage, where it is vulnerable to a “Man-in-the-disk” attack. App install files need to be protected in private storage before they are installed, but in public storage the installation package can be swapped after it is downloaded but before it is installed. Then the user thinks they are installing the good app they just downloaded, but it is actually a scam app.
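The swap window described above can be reproduced on an ordinary filesystem. This is an added example, not code from ShareIt or the Trend Micro report: the directory names and package bytes are constructed, and the expected digest is assumed to come from a trusted channel. It compares checking the shared copy with staging a verified copy in private storage.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def stage_private(shared_path, expected_sha256, private_dir):
    """Copy the package into private storage, hashing the bytes as written."""
    os.makedirs(private_dir, mode=0o700, exist_ok=True)
    fd, staged = tempfile.mkstemp(dir=private_dir, suffix=".apk")  # mode 0600
    h = hashlib.sha256()
    with os.fdopen(fd, "wb") as dst, open(shared_path, "rb") as src:
        for chunk in iter(lambda: src.read(65536), b""):
            h.update(chunk)
            dst.write(chunk)
    if h.hexdigest() != expected_sha256:
        os.unlink(staged)
        raise ValueError("package digest mismatch, refusing to install")
    return staged

def demo():
    """Constructed scenario: the shared copy is replaced after the check."""
    good, swapped = b"constructed-good-package", b"constructed-replacement"
    expected = hashlib.sha256(good).hexdigest()
    with tempfile.TemporaryDirectory() as root:
        shared = os.path.join(root, "shared", "game.apk")  # world-readable stand-in
        private = os.path.join(root, "private")            # app-private stand-in
        os.makedirs(os.path.dirname(shared))
        with open(shared, "wb") as f:
            f.write(good)
        checked_ok = sha256_file(shared) == expected       # check on the shared copy
        staged = stage_private(shared, expected, private)  # verified private copy
        with open(shared, "wb") as f:                      # swap before "install"
            f.write(swapped)
        with open(shared, "rb") as f:
            from_shared = f.read()
        with open(staged, "rb") as f:
            from_private = f.read()
        return checked_ok, from_shared == good, from_private == good
```

`demo()` shows that the shared copy passes its check and still differs at install time, while the staged private copy is the same bytes that were verified.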

“The attacker could steal sensitive data”

A whole other issue is that ShareIt’s game store can apparently download app data over unsecured HTTP, where it could be subject to a man-in-the-middle attack. ShareIt registers itself as the handler for any link that ends in its domains, such as “wshareit.com” or “gshare.cdn.shareitgames.com”, and it pops up automatically when users click on a download link. Most apps force all traffic to HTTPS, but ShareIt does not. Chrome will block HTTP download traffic, so this would have to happen through a web interface other than the main browser.

Trend Micro concludes by saying, “We have reported these vulnerabilities to the seller, who has not yet responded. We decided to release our research three months after it was reported, as many users may be affected by this attack, because the attacker could steal sensitive data and do anything with the permission of the apps.” Users should probably uninstall the app ASAP. If you’re looking for a safer file sharing alternative, Google’s file manager can now do local sharing via Wi-Fi and should be written with better security practices.
