Millions of iOS users rely on apps dedicated to converting files, for example to turn Word or PowerPoint documents into PDFs. Most of these users work with the applications in business contexts, converting potentially confidential files. You would expect, therefore, that these apps come with a good dose of security and privacy, right? Well… in some cases, no.
A recent survey by the cybersecurity company Wandera revealed that no fewer than 23 file conversion and file management applications, used by more than 3 million users, do not deliver what they promise on a basic security aspect: encryption. In other words, the apps send files to the servers of the responsible companies, where they will be converted, without any protection, potentially putting the privacy of millions of users at risk.
The 23 apps are all from the same developer, Cometdocs. Their names are listed below:
- Audio Converter by Cometdocs – Convert Audio Files
- Video Converter – Convert Video Files
- Compress PDF – Make PDF Smaller
- PDF Merge – Combine PDF Documents
- JPG to PDF Converter
- XPS to PDF Converter – Convert XPS files to PDF
- Save as PDF – from Anywhere – Convert Text, Word, Excel, OpenOffice, LibreOffice and other files to PDF – All in one PDF Converter
- Image to Text Converter – OCR
- Image to Excel Converter – OCR
- Image to Word Converter – OCR – Convert photos to Word documents
- PDF Creator – PowerPoint edition
- PDF Creator – Word edition
- DOC to DOCX
- DOCX to DOC
- PDF to AutoCAD Converter – Convert PDF to DWG
- PDF to Text Converter with OCR
- PDF to PowerPoint Converter
- PDF to Excel Converter – OCR
- PDF to JPG Converter (JPEG)
- Publisher to PDF Converter
- PDF Converter Ultimate – All In One Converter
- PDF to Word Converter with OCR
- MP3 Converter – Convert Videos and Music to MP3
All the apps work similarly: you can manually upload files saved on your iPhone or iPad to convert them, or connect the apps to your cloud service accounts (like iCloud, Gmail, Google Drive, OneDrive or Dropbox) to retrieve files faster. Once the file is selected, it is sent to Cometdocs’ servers (without encryption), converted and sent back to your device in the new format.
The problem discovered by Wandera has two sides. First, files sent unprotected to Cometdocs’ servers can be obtained and analyzed by the developer, which already represents a security risk in itself. More worrying, however, is that this unencrypted file exchange exposes the user to a series of attacks, allowing potential malicious actors to capture these documents by hacking into Wi-Fi networks or scanning the file cache.
The cybersecurity firm noted that the issue is not restricted to Cometdocs, as both the App Store and Google Play are full of unreliable conversion apps. This poses a serious security problem, especially considering that millions of corporate users run these apps on company-provided devices, potentially exposing confidential files in this simple (and seemingly harmless) conversion process.
So, here’s the tip: whether you are an “ordinary” user or a corporate one, always check the reputation of the developers and the apps you use. Nothing very new here, is it?