Your Secret Files Are Mine: Bug Finding And Exploit Techniques On File Transfer App Of All Top Android Vendors

DEF CON 27

Presented by: Huiming Liu, Xiangqian Zhang
Date: Sunday August 11, 2019
Time: 10:00 - 10:45
Location: Track 4

Nearby sharing apps are very convenient and fast when you want to transfer files and have been pre-installed on billions of devices. However, we found that most of them will also open a door for attackers to steal your files and even more.

First, we did a comprehensive research about all top mobile vendors' pre-installed nearby sharing apps by reverse engineering. Many serious vulnerabilities are found on most of them and reported to vendors. Algorithm and design flaws in these apps can lead to file leaking and tampering, privacy leaks, arbitrary file downloads and even remote code execution. We will present all the related vulnerabilities' details and exploit techniques. Next, we conducted the same research on lots of third-party file sharing apps and found that they are even worse about security and are used by surprising more than 1 billion users. Files transferred between them are nearly naked when our MITM attack devices are nearby. Finally, we will summarize all the attack vectors and two common attack models. We will also present the attack demos and related tools.

Besides, we will present our practical mitigations. Currently, we are working with most of the top vendors to mitigate these vulnerabilities. Through this talk, we want to notify users and mobile vendors to pay more attention to this serious situation and fix it better and sooner.

Xiangqian Zhang

Xiangqian Zhang is a security researcher at Tencent Security Xuanwu Lab and his research focuses on Mobile Security and IOT Security. Xiangqian found multiple Android kernel and system security vulnerabilities. Twitter: @h3rb0x

Huiming Liu

Huiming Liu is a security researcher at Tencent Security Xuanwu Lab and his research focuses on Mobile Security and IOT Security. Huiming has spoken at several security conferences including CanSecWest and BlackHat Asia. Twitter: @liuhm09


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats