Mobility has changed the way IT manages productivity tools. In many scenarios, users have the freedom to download whatever app they like on corporate devices and even bring their own devices and software into work.

On one hand, personally enabled computing is empowering and gives users the ability to get work done on their own terms and at their own pace. On the other hand, unvetted applications being introduced into the workplace put both the user and the company at risk, because those applications suddenly have access to a wealth of information, essentially from within the company.

Cometdocs file management apps

Wandera’s threat research team has discovered a number of document management apps (e.g. PDF converters) that fail to use encryption when transferring files between the user and the backend service. This careless handling of data exposes sensitive documents to any casual network observer or eavesdropper and does not require the use of a sophisticated man-in-the-middle attack.

The apps are published by Cometdocs, a company that describes its service as a ‘document management system’ offering conversion, sharing, transfer, and storage of files. Cometdocs currently has 29 iOS apps and 31 Android apps published on the official stores and, according to its website, claims to have over 3 million users.

Overview of app functionality:

The Cometdocs apps are designed to upload files to the servers used by Cometdocs, which convert them and send them back to the user.

The app allows the user to sign in to popular file hosting services including Gmail, iCloud, Dropbox, Google Drive, OneDrive, or Box in order to fetch all the files that the user has stored there. Alternatively, the user can choose to upload a file from their device directly.

The problem is that the Cometdocs mobile apps transmit these files to the servers without using encryption.

What are the implications?

The first part of the problem is that the apps themselves are risky. The Cometdocs applications transfer files without using encryption (over plain HTTP), giving bad actors the opportunity to cache and retrieve the files. Moreover, a network eavesdropper could access the files while “sniffing” traffic on the same Wi-Fi network as the user. Because the Cometdocs apps do not use encryption when transmitting files, they allow private information to leak into the hands of third parties monitoring the network.

The second part of the problem is that without an acceptable use policy, risky apps like these can enter the business environment where employees might be converting sensitive corporate documents.
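A defender-side check for the exposure described above, as an added example that is not code from Wandera or Cometdocs: it runs over constructed proxy/flow log lines (hostnames and paths are placeholders) and flags document-sized POST/PUT bodies sent over plain HTTP, which is the traffic pattern a leaking converter app produces.

```python
import re
from dataclasses import dataclass

# Constructed sample of proxy/flow log lines (not real Cometdocs traffic):
# method, scheme://host/path, request content-type, bytes sent by the client.
SAMPLE_FLOWS = """\
POST http://converter.example.invalid/api/upload multipart/form-data;boundary=xyz 184320
GET http://converter.example.invalid/status text/plain 0
POST https://drive.example.invalid/files/upload multipart/form-data;boundary=abc 204800
POST http://converter.example.invalid/api/upload application/octet-stream 98304
POST https://api.example.invalid/login application/x-www-form-urlencoded 256
"""

# Body types that typically carry a whole document rather than a small form.
UPLOAD_TYPES = ("multipart/form-data", "application/octet-stream", "application/pdf")
MIN_UPLOAD_BYTES = 4096  # ignore small form posts; document uploads are far larger

@dataclass(frozen=True)
class Finding:
    host: str
    path: str
    content_type: str
    bytes_sent: int

def parse_flow(line):
    """Split one log line into (method, scheme, host, path, content_type, size)."""
    method, url, ctype, size = line.split(maxsplit=3)
    m = re.match(r"(https?)://([^/]+)(/.*)?$", url)
    if not m:
        raise ValueError(f"unparseable URL: {url}")
    scheme, host, path = m.group(1), m.group(2), m.group(3) or "/"
    return method, scheme, host, path, ctype, int(size)

def is_plaintext_upload(method, scheme, ctype, size):
    """True when a document-sized body is sent by POST/PUT over plain HTTP."""
    base_type = ctype.split(";")[0].strip().lower()
    return (method in ("POST", "PUT") and scheme == "http"
            and base_type in UPLOAD_TYPES and size >= MIN_UPLOAD_BYTES)

def find_plaintext_uploads(log_text):
    """Return a Finding for every unencrypted upload in the log text."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, scheme, host, path, ctype, size = parse_flow(line)
        if is_plaintext_upload(method, scheme, ctype, size):
            findings.append(Finding(host, path, ctype.split(";")[0], size))
    return findings

if __name__ == "__main__":
    for f in find_plaintext_uploads(SAMPLE_FLOWS):
        print(f"unencrypted upload: {f.host}{f.path} ({f.content_type}, {f.bytes_sent} bytes)")
```

On the sample above, the two plain-HTTP uploads are flagged while the HTTPS upload and the small login post are not; the same rule can be applied to a gateway or proxy export to find any app, not just a converter, sending documents in the clear.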

Research timeline

Wandera’s threat research team initially spotted an unencrypted file upload coming from the iOS PDF Converter App installed on a corporate device. The research team then looked into the developer, Cometdocs, and began testing its other file management apps published on the App Store.

Wandera notified Cometdocs of the issue three times between December 2019 and January 2020, but we have not received a direct response yet. We will continue our efforts to connect with the developers to help them resolve the issue.

Wandera performed extensive testing of all the iOS apps by Cometdocs found on the Apple App Store. 23 of the 29 published apps were confirmed to leak private files; four were “broken” apps that were unable to convert any files provided; two were not file conversion apps.

Following the tests on iOS, Wandera performed a random sampling of the most popular Cometdocs apps found on the Google Play Store. This sampling of Android apps was sufficient for us to confirm that the issue was also present on Google’s mobile OS at the time of testing.

Recommendations

Apps sourced by users pose a unique challenge for IT teams: on the one hand, they can greatly enhance productivity; on the other hand, they can undermine data security. The more apps you invite into your environment, the more work you need to do to vet their security and support them.

IT administrators should use a security service that can provide insight into the work applications installed on mobile devices so they can make an assessment based on the value and risk they present.

Wandera customers can use ‘App Insights’ to identify the vulnerable applications that are installed and used by their remote workers. Customers can also use the custom blacklist feature of Mobile Data Policy to block communication between the app and its backend server. Detailed remediation steps can be found in the administrative portal.

Customers without a mobile security solution in place are advised to use caution when uploading sensitive documents to services such as the one identified here.