Android app with 100 million installs allows attackers to download photos and videos from device


Originally published at:

A vulnerability in an Android file manager app that is installed on more than 100 million devices, makes it possible for an attacker to download files, including videos and pictures, from a victim’s device when they are both on the same network.


Pity. This app has become so bloated and full of adware crap that many folks have reverted to an ancient, early version which serves the purpose without all of the annoyances. Knowing that it has an unpatched security hole is reason enough to dump the app entirely, as fixing the hole means going back (forward) to the bloated annoying version.


I’m confused… why does a file browser contain an HTTP server? I honestly can’t think of a single reason for a file browser to have any kind of server, much less an HTTP server.


That’s part of the bloat. With each new revision, ES adds new features in an effort to turn itself into an all-inclusive, all-in-one utility. Plus embedded advertising and intrusive in-your-face come-ons (em … er … “in-app purchases”…) to “unlock” additional functions. One of those functions includes the ability to share files over a network.


I guess that makes sense. Personally, I’d rather have a program that does one thing, and does it really well. (Darn us Unix people, with our logic.)