On the Insecurities of Mobile D2D File Sharing Applications

With more than 1.3 Billion in the cumulative number of downloads reported, the top six applications compete in the niche of Wi-Fi Direct D2D file sharing on Android. With the highest userbase in India and Indonesia, ShareIT itself reports the number of active users of their application on desktop and mobile devices exceeding 1.8 billion, ranked top 7 globally by the number of downloads on Google Play and Apple App Store in 2018. Wi-Fi Direct, also known as Wi-Fi P2P, is commonly used for peer-to-peer, high-speed file transfer between mobile devices, as well as a close proximity connection mode for wireless cameras, network printers, TVs and other IoT and mobile devices. For its end users, such type of direct file transfer does not result in cellular data charges and allows to keep their primary Wi-Fi interface up concurrently with a dedicated Wi-Fi P2P interface, which is commonly provided by the default wireless module of the mobile phone. However, despite the popularity of these solutions demonstrated by Google Play download statistics, we observe that the software vendors tend to prioritize the ease of user flow over the security of the implementation, introducing serious security flaws. We perform a comprehensive security analysis in the context of security and usability behind the identified flaws and report our findings in the form of 16 Common Vulnerabilities and Exposures (CVE), disclosed to the corresponding vendors. To address the similar flaws at the early stage of the application design, we propose a joint consideration of Security and Usability for such applications and their protocols that can be visualized in form of a User Journey Map (UJM).