ShareIt's security flaws are yet another good reason to switch to Nearby Share
What you need to know
- ShareIt has been found to have serious security vulnerabilities by Trend Micro security researchers.
- Some of the documented issues would lead to user data being exposed or stolen.
- The developers had been notified of the researchers' concerns three months ago.
The popular file-sharing app, ShareIt, has been critiqued this week for several vulnerabilities that, if exploited, could allow bad actors to steal your data.
In a post sharing these vulnerabilities (via Ars Technica), the researchers over at Trend Micro said:
Most of the danger comes from ShareIt's position as a file manager of sorts. The app allows users to share files with other users remotely, and as such it has a lot of permissions. It needs to be able to see all your files and apps to work effectively, and it also needs network access. When it comes down to it, ShareIt has a lot of power, but it doesn't secure it properly.
As a result of how the app is coded, ShareIt can serve up files to third-party apps that request them, even private ones that aren't meant to be shared. Trend Micro notes that "any third-party entity can still gain temporary read/write access to the content provider's data" and that "all files in the /data/data/<package> folder can be freely accessed." This means that a malicious developer can build an app and gain access to all of ShareIt's cached files. It can then use that access to achieve remote code execution by writing and swapping in its own fake app cache files, according to the researchers.
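A defender-side check for the provider exposure described above, as an added example that is not from the article or from Trend Micro's report: it audits a decoded manifest and its shared-path file for providers whose temporary URI grants can reach private app data. The manifest, path file, package name and `audit` function are constructed for illustration, and the androidx `FileProvider` with a `root-path` entry is an assumed mechanism, since the article does not name one.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample input; not taken from ShareIt or any real app.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fileshare">
  <application>
    <provider android:name="androidx.core.content.FileProvider"
              android:authorities="com.example.fileshare.files"
              android:exported="false"
              android:grantUriPermissions="true">
      <meta-data android:name="android.support.FILE_PROVIDER_PATHS"
                 android:resource="@xml/share_paths"/>
    </provider>
  </application>
</manifest>"""
PATH_FILES = {"share_paths": """<paths>
  <root-path name="all" path="."/>
  <cache-path name="outgoing" path="outgoing/"/>
</paths>"""}

def audit(manifest_xml, path_files):
    """Return (authority, severity, detail) findings for each <provider>."""
    findings = []
    for prov in ET.fromstring(manifest_xml).iter("provider"):
        auth = prov.get(A + "authorities", "?")
        guarded = any(prov.get(A + k)
                      for k in ("permission", "readPermission", "writePermission"))
        if prov.get(A + "exported") == "true" and not guarded:
            findings.append((auth, "HIGH", "exported without a permission"))
        if prov.get(A + "grantUriPermissions") != "true":
            continue  # no per-URI grants, so the shared paths are not reachable this way
        for meta in prov.iter("meta-data"):
            res = meta.get(A + "resource", "")
            if not res.startswith("@xml/"):
                continue
            for p in ET.fromstring(path_files.get(res[5:], "<paths/>")):
                if p.tag == "root-path":  # maps the device root, private data included
                    findings.append((auth, "HIGH", "root-path exposes the whole filesystem"))
                elif p.get("path", "") in ("", ".", "/"):
                    findings.append((auth, "MEDIUM", f"{p.tag} shares its entire base directory"))
    return findings

if __name__ == "__main__":
    for finding in audit(MANIFEST, PATH_FILES):
        print(*finding, sep=" | ")
```

Narrowing the path file to the single subdirectory that actually holds outgoing files clears the finding.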
Trend Micro also noted that ShareIt was vulnerable to a man-in-the-middle attack. When downloading apps to install via ShareIt's own app installer, a bad actor can replace the downloaded APK with an APK of their choosing, and ShareIt will install it all the same. Once a duplicated APK is installed, a target user's credentials may then be stolen, similar to websites created for phishing.
Trend Micro's researchers did say that these vulnerabilities were likely unintentional, but they also noted:
While having a security flaw isn't a crime, ShareIt's lack of response and acknowledgment of the situation is a little worrying. If you're an Android user mostly sharing files with other Android users, ShareIt can be replaced by Google's native Nearby Share with ease. It's already built into most Android phones, can now share apps in addition to files, and it's freely accessible via the share sheet, much like Apple's AirDrop.
But Google's ease of use isn't the only reason you're going to want to hop off ShareIt. The app has already been banned in India, and a U.S. ban could be just days away, barring any changes from the current administration.