23 file conversion apps for iOS have serious security flaw

Millions of iOS users rely on apps dedicated to converting files, for example to turn Word or PowerPoint documents into PDFs. Most of these users run the apps in business contexts, converting potentially confidential files. It is to be expected, therefore, that these apps offer a good dose of security and privacy, right? Well … in some cases, no.

A recent survey by the cybersecurity company Wandera revealed that no fewer than 23 file conversion and file management apps, used by more than 3 million users, do not deliver what they promise on a basic aspect of security: encryption. In other words, the apps send files to the servers of the responsible companies, where they will be converted, without any protection, potentially putting the privacy of millions of users at risk.

The 23 apps are all from the same developer, Cometdocs. Their names are listed below:

  1. Audio Converter by Cometdocs – Convert Audio Files
  2. Video Converter – Convert Video Files
  3. Compress PDF – Make PDF Smaller
  4. PDF Merge – Combine PDF Documents
  5. JPG to PDF Converter
  6. XPS to PDF Converter – Convert XPS files to PDF
  7. Save as PDF – from Anywhere – Convert Text, Word, Excel, OpenOffice, LibreOffice and other files to PDF – All in one PDF Converter
  8. Image to Text Converter – OCR
  9. Image to Excel Converter – OCR
  10. Image to Word Converter – OCR – Convert photos to Word documents
  11. PDF Creator – PowerPoint edition
  12. PDF Creator – Word edition
  13. DOC to DOCX
  14. DOCX to DOC
  15. PDF to AutoCAD Converter – Convert PDF to DWG
  16. PDF to Text Converter with OCR
  17. PDF to PowerPoint Converter
  18. PDF to Excel Converter – OCR
  19. PDF to JPG Converter (JPEG)
  20. Publisher to PDF Converter
  21. PDF Converter Ultimate – All In One Converter
  22. PDF to Word Converter with OCR
  23. MP3 Converter – Convert Videos and Music to MP3

All of the apps work similarly: you can manually upload files saved on your iPhone or iPad to convert them, or connect the apps to your cloud service accounts (like iCloud, Gmail, Google Drive, OneDrive or Dropbox) to retrieve files faster. Once a file is selected, it is sent to Cometdocs’ servers (without encryption), converted and sent back to your device in the new format.

The problem discovered by Wandera has two sides. First, files sent unprotected to Cometdocs’ servers can be obtained and analyzed by the developer, which already represents a security risk in itself. More worrying, however, is that this unencrypted file exchange exposes the user to a series of attacks, allowing potential malicious agents to capture these documents by hacking into Wi-Fi networks or scanning the file cache.

The cybersecurity firm noted that the issue is not restricted to Cometdocs, as both the App Store and Google Play are full of unreliable conversion apps. This poses a serious security problem, especially considering that millions of corporate users run these apps on company-provided devices, potentially exposing confidential files in this simple (and seemingly harmless) conversion process.

So, here’s the tip: whether you are an “ordinary” or a corporate user, always check the reputation of the developers and the apps you use. Nothing very new here, is it?

via 9to5Mac