I wanted sharing, but this is too much sharing —

“ShareIt” Android app with over a billion downloads is a security nightmare

Trend Micro audited one of Android's most popular file-sharing apps. It's not good.

You can't argue with that green "safe" shield.
Enlarge / You can't argue with that green "safe" shield.

Trend Micro says it has found "several" security flaws in the popular Android app ShareIt. ShareIt has been downloaded over a billion times from the Play Store, and, according to App Annie, was one of the 10 most globally downloaded apps in 2019. The app was originally developed by Lenovo (it has since spun off into its own company) and for a time was pre-installed on Lenovo phones.

The report says ShareIt's vulnerabilities can "be abused to leak a user's sensitive data and execute arbitrary code with ShareIt permissions." ShareIt's permissions, as a local file-sharing app, are pretty extensive. According to the Play Store permissions readout, ShareIt requests access to the entire user storage and all media, the camera and microphone, and location. It can delete apps, run at startup, create accounts and set passwords, and do a whole lot more. It also has full network access. Trend Micro says compromising the app can lead to remote code execution. The security firm says it shared these vulnerabilities with ShareIt three months ago, but the company has yet to issue patches.

ShareIt's incredible success of a billion Android downloads and 1.8 billion users worldwide (there are also iOS, Windows, and Mac apps) has led to what looks like an incredible amount of app bloat. The app was considered one of the best for local file sharing, but today the Play Store listing shows an app that offers "Infinite Online Videos," "Tens of millions of high-quality songs," "GIFs, Wallpapers & Stickers," a "popular" media section that looks like a social network, a game store, a retail movie download section, COVID-19 check-in activity and case statistics, and what looks like its own form of currency. ShareIt's website (which, just like the app, does not default to HTTPS) says the service is "now a leading content platform" and popular in Southeast Asia, South Asia, the Middle East, Africa, and Russia.

When private storage isn’t private

Trend Micro's report details a laundry list of bad decisions made while designing ShareIt that could make it more susceptible to malicious code. One problem is a common Android app vulnerability that arises when developers set up a content provider incorrectly. Android prides itself on intra-app communication, partly because any app can create a content provider and provide its content and services to other apps. If Gmail wants to attach a file to an email, it can do that by showing a list of available file-content providers installed on your phone (it's basically an "open with" dialog box), and the user can pick their favorite file manager, navigate through their storage, and pass the file they want to Gmail. It's up to developers to sanitize these cross-app capabilities and only expose the necessary file manager capabilities to Gmail and other apps.

ShareIt doesn't seem to have given much thought to the need to sanitize its content-provider capabilities. The report says: "The developer behind this disabled the exported attribute via android:exported="false", but enabled the android:grantUriPermissions="true" attribute. This indicates that any third-party entity can still gain temporary read/write access to the content provider's data." Passing along some permissions is normal, but Trend Micro found that ShareIt doesn't try to scope down its permissions at all and will happily serve up its files to any app that asks. A malicious developer needs to only call on the ShareIt's file-content provider and pass it a file path for the developer to get back any of the files in ShareIt's "private" directory.

The file paths ShareIt will offer up are limited to its own data files, but that means apps can edit the data ShareIt uses to run, including the app cache that gets generated during install and runtime. The report says that "an attacker may craft a fake [app cache] file, then replace those files via the aforementioned vulnerability to perform code execution." Normally these files live in private storage, but ShareIt's private storage is open to the world.

ShareIt also comes with its own Android app installer. With its private storage no longer being "private," it repeats the same mistakes we saw in Epic's Fornite installer. It downloads app install files to world-readable storage, where they are vulnerable to a "Man-in-the-disk" attack. App install files need to be protected in private storage before they are installed, but in public storage, the install package could be swapped out as soon as it is downloaded but before install time. Then the user thinks they're installing the good app they just downloaded, but it's actually an imposter malicious app.

“The attacker can steal sensitive data”

A whole extra problem is that ShareIt's game store can apparently download app data over unsecured HTTP, where it can be subject to a man-in-the-middle attack. ShareIt registers itself as the handler for any link that ends its domains, like "wshareit.com" or "gshare.cdn.shareitgames.com," and it will automatically pop up when users click on a download link. Most apps force all traffic to HTTPS, but ShareIt does not. Chrome will shut down HTTP download traffic, so this would have to be done through a Web interface other than the main browser.

Trend Micro ends by saying, "We reported these vulnerabilities to the vendor, who has not responded yet. We decided to disclose our research three months after reporting this since many users might be affected by this attack, because the attacker can steal sensitive data and do anything with the apps' permission." Users should probably uninstall the app ASAP. If you're looking for a more secure file-sharing alternative, Google's file manager can do local sharing over Wi-Fi now and should be written with better security practices.

Listing image by Erikona / iStock / Getty

Channel Ars Technica