
Researcher shows how popular app ES File Explorer exposes Android device data

Judhajeet Das


Why is one of the most popular Android apps running a hidden web server in the background?

ES File Explorer claims it has more than 500 million downloads under its belt since 2014, making it one of the most used apps to date. Its simplicity makes it what it is: a simple file explorer that lets you browse through your Android phone or tablet’s file system for files, data, documents and more.

But behind the scenes, the app is running a slimmed-down web server on the device. In doing so, it opens up the entire Android device to a whole host of attacks — including data theft.

Baptiste Robert, a French security researcher who goes by the online handle Elliot Alderson, found the exposed port last week, and disclosed his findings in several tweets on Wednesday. Prior to tweeting, he showed TechCrunch how the exposed port could be used to silently exfiltrate data from the device.

“All connected devices on the local network can get [data] installed on the device,” he said.

Using a simple script he wrote, Robert demonstrated how he could pull pictures, videos and app names — or even grab a file from the memory card — from another device on the same network. The script even allows an attacker to remotely launch an app on the victim’s device.

He sent over his script for us to test, and we verified his findings using a spare Android phone. Robert said app versions 4.1.9.5.2 and below have the open port.

“It’s clearly not good,” he said.

A script, developed by a security researcher to obtain data on the same network as an Android device running ES File Explorer. (Image: supplied)

We contacted the makers of ES File Explorer but did not hear back prior to publication. If that changes, we’ll update.

The obvious caveat is that the chances of exploitation are slim, given that this isn’t an attack that anyone on the internet can perform. Any would-be attacker has to be on the same network as the victim. Typically that would mean the same Wi-Fi network. But that also means that any malicious app on any device on the network that knows how to exploit the vulnerability could pull data from a device running ES File Explorer and send it along to another server, so long as it has network permissions.

Of the reasonable explanations, some have suggested that it’s used to stream video to other apps using the HTTP protocol. Others who historically found the same exposed port found it alarming. The app even says it allows you to “manage files on your phone from your computer… when this feature is enabled.”

But most probably don’t realize that the open port leaves them exposed from the moment they open the app.
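The risk described above comes down to an app binding a listening socket to the device's Wi-Fi interface instead of loopback. As an added example (not the researcher's script, and not code from ES File Explorer), here is a small audit that parses `ss -ltnp`-style output, such as what `adb shell ss -ltnp` would return on a connected device, and reports which listening sockets any other device on the same network could reach. The sample output, the ports and the process name are constructed placeholders, not values from the article.

```python
"""Report listening TCP sockets reachable from the local network and the
process that owns each. Added example; sample data below is constructed."""
import re
from dataclasses import dataclass

# Constructed sample in the format of `ss -ltnp`; ports and process names
# are placeholders, not the real port used by the app in the article.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      50     127.0.0.1:5037      0.0.0.0:*         users:(("adbd",pid=1234,fd=5))
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*         users:(("file.explorer.app",pid=4242,fd=17))
LISTEN 0      128    [::]:8443           [::]:*            users:(("file.explorer.app",pid=4242,fd=18))
LISTEN 0      10     [::1]:631           [::]:*            users:(("cupsd",pid=77,fd=3))
"""

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str
    pid: int

    @property
    def lan_reachable(self) -> bool:
        # A wildcard bind (0.0.0.0 or [::]) accepts connections on every
        # interface, including Wi-Fi; only loopback binds are local-only.
        return self.address not in LOOPBACK


_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)


def parse_ss(output: str) -> list[Listener]:
    """Extract (address, port, process, pid) from each LISTEN line."""
    found = []
    for line in output.splitlines():
        m = _LINE.match(line)
        if m:
            found.append(Listener(m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return found


def lan_exposed(output: str) -> list[Listener]:
    """Listeners that another device on the same Wi-Fi network could connect to."""
    return [l for l in parse_ss(output) if l.lan_reachable]


if __name__ == "__main__":
    for l in lan_exposed(SAMPLE_SS_OUTPUT):
        print(f"port {l.port} on {l.address} owned by {l.process} (pid {l.pid}) is LAN-reachable")
```

Run against real output, any listener attributed to a file-manager app and bound to a wildcard address is the condition the article warns about; a loopback-only bind would not be reachable by other devices on the network.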


The consumer version of BBM is shutting down on May 31


It might be time to move on from BBM. The consumer version of the BlackBerry Messenger will shut down on May 31. Emtek, the Indonesia-based company that partnered with BlackBerry in 2016, just announced the closure. It’s important to note, BBM will still exist and BlackBerry today revealed a plan to open its enterprise-version of BBM to general consumers.

Starting today, BBM Enterprise will be available through the Google Play Store and eventually from the Apple App Store. The service will be free for the first year and after that, $2.49 for six months of service. This version of the software, like the consumer version, still features group chats, voice and video calls, and the ability to edit and retract messages.

As explained by BlackBerry, BBMe features end-to-end encryption.

BBMe can be downloaded on any device that uses Android, iOS, Windows or Mac operating systems. The sender and recipient each have unique public/private encryption and signing keys. These keys are generated on the device by a FIPS 140-2 certified cryptographic library and are not controlled by BlackBerry. Each message uses a new symmetric key for message encryption. Additionally, TLS encryption between the device and BlackBerry’s infrastructure protects BBMe messages from eavesdropping or manipulation.

BBM is one of the oldest smartphone messaging services. Research in Motion, BlackBerry’s original name, released the messenger in 2005. It quickly became a selling point for BlackBerry devices. BBM wasn’t perfect and occasionally crashed, but it was a robust, feature-filled messaging app when most of the world was still using SMS. With the downfall of RIM and later BlackBerry, BBM fell behind iMessage, WhatsApp, and other independent messaging platforms. Emtek’s partnership with BlackBerry was supposed to bring the service into the current age, but some say the consumer version ended up bloated with games, channels and ads. BlackBerry’s BBMe lacks a lot of those extra features, so consumers might find it a better platform for communicating.


Alibaba will let you find restaurants and order food with voice in a car


Competition in the Chinese internet has for years been about who controls your mobile apps. These days, giants are increasingly turning to offline scenarios, including what’s going on behind the dashboard in your car.

On Tuesday, Alibaba announced at the annual Shanghai Auto Show that it’s developing apps for connected cars that will let drivers find restaurants, queue up and make reservations at restaurants, order food and eventually complete a plethora of other tasks using voice, motion or touch control. Third-party developers are invited to make their in-car apps, which will run on Alibaba’s operating system AliOS.

Rather than working as standalone apps, these in-car services come in the form of “mini apps,” which are smaller than regular ones in exchange for faster access and smaller file sizes, inside Alibaba’s all-in-one digital wallet Alipay. Alibaba has other so-called “super apps” in its ecosystem, such as marketplace Taobao and navigation service AutoNavi, but the payments solution clearly makes more economic sense if Alibaba wants people to spend more while sitting in a four-wheeler.

There’s no timeline for when Alibaba will officially roll out in-car mini apps, but it’s already planning for a launch, a company spokesperson told TechCrunch.

Making lite apps has been a popular strategy for China’s internet giants operating super apps that host outside apps, or “mini-apps”; that way users rarely need to leave their ecosystems. These lite apps are known to be easier and cheaper to build than a native app, although developers have to make concessions, like giving their hosts a certain level of access to user data and obeying rules as they would with Apple’s App Store. For in-car services, Alibaba says there will be “specific review criteria for safety and control” tailored to the auto industry.

[Image: AliOS-powered cars. Photo source: Alibaba]

Alibaba’s move is indicative of a heightened competition to control the operating system in next-gen connected cars. For those who wonder whether the e-commerce behemoth will make its own cars given it has aggressively infiltrated the physical space, like opening its own supermarket chain Hema, the company’s solution to vehicles appears to be on the software front, at least for now.

In 2017, Alibaba rebranded its operating system with a strong focus on putting AliOS into partner vehicles. To achieve this goal, Alibaba also set up a joint venture called Banma Network with state-owned automaker SAIC Motor and Dongfeng Peugeot Citroen, the French car company’s China venture, to sell and integrate AliOS-powered solutions for car clients. As of last August, 700,000 AliOS-powered SAIC vehicles had been sold.

Alibaba competitors Tencent and Baidu have also driven into the auto field, although through slightly different routes. Baidu began by betting on autonomous driving and built an Android-like developer platform for car manufacturers. While the futuristic plan is far from bearing significant commercial fruit, it has gained a strong foothold in self-driving with the most mileage driven in Beijing, a pivotal hub to test autonomous cars. Tencent’s car initiatives seem more nebulous. Like Baidu, it’s testing self-driving and like Alibaba, it’s partnered with industry veterans to make cars, but it’s unclear where the advantage lies for the social media and gaming giant in the auto space.


Waymo launches robotaxi app on Google Play


Waymo is making its ride-hailing app more widely available by putting it on the Google Play store as the self-driving car company prepares to open its service to more Phoenix residents.

The company, which spun out to become a business under Alphabet, launched a limited commercial robotaxi service called Waymo One in the Phoenix area in December. The Waymo One self-driving car service, and accompanying app, was only available to Phoenix residents who were part of its early rider program, which aimed to bring vetted regular folks into its self-driving minivans.

Technically, Waymo has had Android and iOS apps for some time. But interested riders would only gain access to the app after first applying on the company’s website. Once accepted to the early rider program, they would be sent a link to the app to download to their device.

The early rider program, which launched in April 2017, had more than 400 participants the last time Waymo shared figures. Waymo hasn’t shared information on how many people have moved over to the public service, except to say “hundreds of riders” are using it.

Now, with Waymo One launching on Google Play, the company is cracking the door a bit wider. However, there will still be limitations to the service.

Interested customers with Android devices can download the app. Unlike a traditional ride-hailing service, like Uber or Lyft, this doesn’t mean users will get instant access. Instead, potential riders will be added to a waitlist. Once accepted, they will be able to request rides in the app.

These new customers will first be invited into Waymo’s early rider program before they’re moved to the public service. This is an important distinction, because early rider program participants have to sign non-disclosure agreements and can’t bring guests with them. These new riders will eventually be moved to Waymo’s public service, the company said. Riders on the public service can invite guests, take photos and videos and talk about their experience.

“These two offerings are deeply connected, as learnings from our early rider program help shape the experience we ultimately provide to our public riders,” Waymo said in a blog post Tuesday.

Waymo has been creeping toward a commercial service in Phoenix since it began testing self-driving Chrysler Pacifica minivans in suburbs like Chandler in 2016.

The following year, Waymo launched its early rider program. The company also started testing empty self-driving minivans on public streets that year.

Waymo began in May 2018 to allow some early riders to hail a self-driving minivan without a human test driver behind the wheel. More recently, the company launched a public transit program in Phoenix focused on delivering people to bus stops and train and light-rail stations.
