ShareIt Android File Sharing App Has Deep Security Flaws




A file-sharing app that claims to have been downloaded from the Google Play Store over a billion times has serious security holes.

Photo: Sam Rutherford / Gizmodo

An Android app used by a significant portion of the world’s population also has glaring security flaws that would allow a savvy hacker to steal a user’s data or even hijack the app’s operations using arbitrary code.

ShareIt, which claims to have more than 1 billion global downloads, is the product of Singapore-based developer Smart Media4U. Its main feature is peer-to-peer file sharing, which gives users the ability to exchange photos, music, videos, gifs, etc. The app, which has followed an upward trajectory in recent years, has been recognized for its rapid growth and global reach.

But it also apparently has software vulnerabilities that would allow a bad actor to easily disclose a user’s data or even execute arbitrary code by abusing ShareIt’s permissions, according to a new report from Trend Micro.


The report shows that one of the main vulnerabilities of the app stems from the way it shares information and permissions with other apps. Indeed, due to the way Android phones are set up to share information between different programs, the platform has a history of bad actors trying to exploit and leverage inter-application communication for malicious purposes. Specifically, “bad apps,” or programs run secretly by a bad actor, may find ways to access data in legitimate applications.

ShareIt is designed to open its doors widely to other applications for data exchange through its content provider interface. According to the researchers, these vulnerabilities could allow “any third party” “to gain temporary read/write access to the [app’s] data from the content provider.” This would essentially allow the application to be hijacked to run “custom code, overwrite local application files, or install third-party applications without the user’s knowledge,” ZDNet notes.

Trend Micro researchers discovered this vulnerability by trying it themselves. By manipulating the way apps in the Android ecosystem talk to each other, they found that the ShareIt app would share far too much information, revealing a user’s arbitrary activities, including ShareIt internal (non-public) and external application activities. In various ways, these security holes could ultimately be “abused to disclose a user’s sensitive data and execute arbitrary code with ShareIt permissions,” the researchers write.

Probably the worst part of the whole report is the fact that Trend Micro claims to have shared these security issues with Smart Media4U about three months ago and the company has apparently done nothing. The report concludes:

We have reported these vulnerabilities to the vendor, who has yet to respond. We have decided to disclose our research three months after reporting it because many users could be affected by this attack as the attacker can steal sensitive data and do anything with permission from apps.

This is also not the first time that ShareIt has been flagged as a security risk. The app was actually blacklisted by the United States in January, when a vaguely worded Trump White House executive order listed it as one of several “connected to China” apps that Americans should avoid for fear of where their data might end up. On his way out the door, Trump launched a blitz of such orders targeting the Asian tech sector, most of which appeared designed to antagonize and isolate Chinese companies. The order proclaims:

The United States has assessed that a number of Chinese connected software applications automatically capture vast areas of information from millions of users in the United States, including sensitive personal information and private information. At this point, action should be taken to deal with the threat posed by these connected Chinese software applications …

It is unlikely that a ton of Americans actually use ShareIt. Industry selling points seem to show that a majority of the app’s user base is in the Middle East, Africa and Asia (it was recently banned in India, where the government has banned its military personnel from using the app due to data security concerns). However, if you downloaded ShareIt and you’re using it for some reason, maybe it would be better to rethink that decision.

We’ve reached out to Smart Media4U for feedback and will update this story if we hear back.
