Popular document management apps expose sensitive files
Today's employees have access to a vast range of apps on their personal devices, but this can serve to undermine enterprise security because it's hard for IT teams to understand or control where sensitive corporate IP is going and how it's getting there.
The threat research team at Wandera has discovered a number of document management apps from Cometdocs that fail to use encryption when transferring files between the user and the backend service.
This careless handling of data exposes sensitive documents to any casual network observer or eavesdropper; reading them requires no sophisticated man-in-the-middle attack, only a passive position on the network path.
Cometdocs describes its service as a 'document management system' offering conversion, sharing, transfers, and storage of files. It currently has 29 iOS apps and 31 Android apps published on the official stores and claims to have over three million users according to its website.
The Cometdocs apps are designed to upload files to the servers used by Cometdocs, which convert them and send them back to the user. However, the files are sent to the servers without encryption. This gives bad actors on the network path the opportunity to capture, store and later retrieve the files. Moreover, a network eavesdropper could access the files while 'sniffing' traffic on the same Wi-Fi network as the user.
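The exposure described above is visible from the network side: a cleartext upload carries its request method, content type and, for multipart bodies, the original filename in the clear. The following is an added example (not Cometdocs' code and not Wandera's research tooling) of the kind of check a defender can run over captured traffic from a test device to spot such uploads before an app is approved. The `CapturedRequest` records, hostnames and file contents are all constructed for illustration; the hostnames use the reserved `.invalid` TLD as placeholders.

```python
"""Flag file uploads sent over plain HTTP in a set of captured requests.

Added example for illustration only; the sample requests below are
constructed, not captured from any real app or service.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CapturedRequest:
    """One client-to-server HTTP request as an interception proxy or sniffer
    on a test network would record it. For a TLS connection the request head
    and body are opaque to a passive observer; for cleartext HTTP, `raw`
    (request head plus the beginning of the body) is readable by anyone on
    the path."""
    host: str
    port: int
    tls: bool
    raw: bytes


@dataclass
class Finding:
    host: str
    port: int
    path: str
    content_type: str
    filename: Optional[str]


# Content types that indicate a document or file body rather than a simple form
UPLOAD_TYPES = (b"multipart/form-data", b"application/octet-stream", b"application/pdf")
# Filename parameter of a multipart Content-Disposition part header
FILENAME_RE = re.compile(rb'filename="([^"]*)"')


def parse_head(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, _, rest = lines[0].partition(b" ")
    path = rest.split(b" ")[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_cleartext_uploads(requests: List[CapturedRequest]) -> List[Finding]:
    """Return one Finding per file upload that travelled without TLS."""
    findings = []
    for req in requests:
        if req.tls:
            continue  # encrypted in transit; a passive observer sees nothing useful
        method, path, headers, body = parse_head(req.raw)
        if method not in (b"POST", b"PUT"):
            continue  # only requests that carry a body can be uploads
        ctype = headers.get(b"content-type", b"")
        if not ctype.startswith(UPLOAD_TYPES):
            continue  # e.g. a url-encoded form, not a document
        match = FILENAME_RE.search(body)
        findings.append(Finding(
            host=req.host,
            port=req.port,
            path=path.decode("ascii", "replace"),
            content_type=ctype.split(b";")[0].decode("ascii", "replace"),
            filename=match.group(1).decode("utf-8", "replace") if match else None,
        ))
    return findings


# Constructed sample capture: one cleartext document upload, one TLS upload
# (body unreadable, so `raw` is empty), one cleartext GET, one cleartext
# form POST that carries no file.
SAMPLE_REQUESTS = [
    CapturedRequest("convert.example.invalid", 80, False,
        b"POST /api/upload HTTP/1.1\r\n"
        b"Host: convert.example.invalid\r\n"
        b"Content-Type: multipart/form-data; boundary=XYZ\r\n"
        b"\r\n"
        b"--XYZ\r\n"
        b'Content-Disposition: form-data; name="file"; filename="q3-forecast.docx"\r\n'
        b"Content-Type: application/octet-stream\r\n\r\n"
        b"PK\x03\x04...constructed document bytes...\r\n--XYZ--\r\n"),
    CapturedRequest("convert.example.invalid", 443, True, b""),
    CapturedRequest("cdn.example.invalid", 80, False,
        b"GET /logo.png HTTP/1.1\r\nHost: cdn.example.invalid\r\n\r\n"),
    CapturedRequest("api.example.invalid", 80, False,
        b"POST /feedback HTTP/1.1\r\nHost: api.example.invalid\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n\r\nrating=5"),
]


if __name__ == "__main__":
    for f in find_cleartext_uploads(SAMPLE_REQUESTS):
        print(f"CLEARTEXT UPLOAD {f.host}:{f.port}{f.path} "
              f"type={f.content_type} filename={f.filename}")
```

Run against the constructed sample, the script reports only the first request: the document name and its bytes are readable in transit, which is exactly what a Wi-Fi eavesdropper would see. The same logic applied to a real capture from a managed test device is a cheap pre-deployment gate: any app whose backend upload shows up here should be blocked or reported to the vendor, regardless of how the app describes its storage.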
Wandera notified Cometdocs of the issue three times between December 2019 and January 2020 but has not yet received a direct response.
You can see the full research on the Wandera blog.