Security vulnerabilities in the direct file transfer applications of popular smartphone makers allow attackers to send malicious files to mobile devices, a security researcher has found.
In a study of the peer-to-peer (P2P) file-sharing features of Android phones manufactured by Huawei, LG, and Xiaomi, Doyensec application security engineer Lorenzo Stella found shared design flaws that allowed malicious apps to easily hijack transfer sessions. Previous research on the WiFi Direct protocol focused on the network architecture, covering the discovery and connection processes and the various frame formats.
“We instead focused on what happens after a local P2P WiFi connection is created between two devices, specifically in the application layer, analyzing file transfer applications featured in many custom Android ROMs shipped by the various vendors,” Stella told The Daily Swig. Most OEMs use a File Transfer Controller or Client (FTC) and a File Transfer Server (FTS) to establish WiFi connections between devices, manage sessions, and transfer files.
In his research, Stella found that after the P2P WiFi connection is established, its interface will become available to every application that has android.permission.INTERNET. “Because of this, local apps can interact with the FTS and FTC services spawned by the file sharing applications on the local or remote device clients, opening the door to a multitude of attacks,” Stella wrote in a blog post that details the vulnerabilities.
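To audit the exposure described above, the following added example (not code from the article or from Doyensec) parses the Linux `/proc/net/tcp` table and reports which listening sockets are bound to the wildcard address or to the P2P interface address, and so accept connections from any app or peer that can use that interface. The sample table, its ports and UIDs, and the address `192.168.49.1` for the P2P interface are constructed assumptions.

```python
import socket
import struct

# Constructed /proc/net/tcp excerpt (not captured from a real device).
# Columns: sl local_address rem_address st ... uid ...; st 0A means LISTEN.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:8235 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10112        0 41001
   1: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10087        0 41002
   2: 0131A8C0:22B8 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10112        0 41003
   3: 0131A8C0:C350 0231A8C0:8235 01 00000000:00000000 00:00000000 00000000 10140        0 41004
"""

P2P_ADDR = "192.168.49.1"  # assumed address of this device on the P2P interface


def parse_listeners(proc_net_tcp):
    """Return (ip, port, uid) for every IPv4 socket in LISTEN state."""
    out = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 8 or f[3] != "0A":
            continue
        hex_ip, hex_port = f[1].split(":")
        # The kernel prints the address as a host-order 32-bit word; on
        # little-endian devices the bytes therefore appear reversed.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        out.append((ip, int(hex_port, 16), int(f[7])))
    return out


def reachable_over_p2p(listeners, p2p_addr=P2P_ADDR):
    """Listeners bound to the wildcard or to the P2P address itself."""
    return [l for l in listeners if l[0] in ("0.0.0.0", p2p_addr)]


if __name__ == "__main__":
    for ip, port, uid in reachable_over_p2p(parse_listeners(SAMPLE_PROC_NET_TCP)):
        print(f"{ip}:{port} owned by uid {uid} is reachable from the P2P link")
```

The loopback-only listener is excluded because it is not reachable through the P2P interface; the owning UID identifies which installed package opened each exposed port.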
 