Cybersecurity company Wandera found that some 23 iOS file-conversion apps used by three million people fail to use encryption, potentially putting the documents at risk.
All the apps in question were created by a single developer, Cometdocs, but Wandera says that the discovery raises a broader security issue…
Cometdocs makes apps that convert documents between different file formats, for example from Word to PDF, or from PDF to PowerPoint.
The problem is that the conversion itself takes place on a Cometdocs server, and both the original and converted documents are sent without any form of encryption.
In a nutshell, the Cometdocs apps are designed to upload files to the Cometdocs servers before converting them and sending them back to the user.
The app allows the user to sign in to popular file hosting services including Gmail, iCloud, Dropbox, Google Drive, OneDrive, or Box in order to fetch all the files that the user has stored there. Alternatively, the user can choose to upload a file from their device directly.
The problem is […] the Cometdocs applications are transferring files without using encryption (via HTTP), providing bad actors the opportunity to cache and retrieve the files. Moreover, a man-in-the-middle (MitM) attacker could access the files while “sniffing” traffic on the same Wi-Fi network as the user. Because the Cometdocs apps do not use encryption when transmitting and storing files on its servers, they are allowing private information to leak into the hands of third parties monitoring the network.
Additionally, some of the free apps appear to be deceptive, making users wait a very long time for a free conversion, or pay for an immediate one. Some users complain of waiting 60-90 minutes or more.
The full list of affected iOS file-conversion apps can be found below. Wandera contacted the developer three times over the past three months but has received no response.
Wandera says it isn’t just a problem with these apps, however: there is the broader issue of users putting confidential business documents through unapproved services.
In the emerging enterprise edge, shadow IT is taking on new meaning. It used to refer to unapproved apps people installed on their work-assigned desktops. Today, employees are using personal or unmanaged devices that have unrestricted access to a whole world of apps and services, including those they might think are safe for work such as cloud storage apps and PDF converters. Unfiltered access to these unapproved services increasingly undermines cloud security efforts and exposes sensitive data because there is no way for IT to understand or control where sensitive corporate IP is going and how it is getting there.
Organizations with proper mobile device management solutions should already be locking down corporate data using Apple’s Configuration Profiles for iOS, but not all businesses take advantage of these.
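A check an app-vetting team could run for the cleartext-HTTP issue described above (an added example, not from Wandera or the original article): it parses an app's Info.plist and lists App Transport Security exceptions that allow plain HTTP. It assumes the app uses Apple's URL loading system, where cleartext requests need such an exception; the function name and both sample plists are constructed for illustration.

```python
import plistlib

# ATS keys that relax the default HTTPS-only policy for the whole app.
GLOBAL_KEYS = (
    "NSAllowsArbitraryLoads",
    "NSAllowsArbitraryLoadsForMedia",
    "NSAllowsArbitraryLoadsInWebContent",
)

def cleartext_findings(plist_bytes):
    """Return sorted findings for ATS exceptions that permit plain HTTP."""
    info = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    ats = info.get("NSAppTransportSecurity") or {}
    findings = [f"global:{k}" for k in GLOBAL_KEYS if ats.get(k) is True]
    for domain, rules in (ats.get("NSExceptionDomains") or {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            scope = "+subdomains" if rules.get("NSIncludesSubdomains") else ""
            findings.append(f"domain:{domain}{scope}")
    return sorted(findings)

# Constructed sample Info.plist (hypothetical app, not taken from a real bundle).
SAMPLE_WEAK = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.converter</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>upload.example.com</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><true/>
      </dict>
      <key>api.example.com</key><dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

# Same constructed bundle with no ATS dictionary: default policy, HTTPS only.
SAMPLE_STRICT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.converter</string>
</dict></plist>"""

if __name__ == "__main__":
    for name, data in (("weak", SAMPLE_WEAK), ("strict", SAMPLE_STRICT)):
        print(name, cleartext_findings(data) or "no cleartext exceptions")
```

An empty result only means no ATS exception was declared; traffic sent through lower-level socket APIs is outside ATS and still needs a network-side check.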
Conversion apps which fail to use encryption:
- Audio Converter by Cometdocs – Convert Audio Files
- Video Converter – Convert Video Files
- Compress PDF – Make PDF Smaller
- PDF Merge – Combine PDF Documents
- JPG to PDF Converter
- XPS to PDF Converter – Convert XPS files to PDF
- Save as PDF – from Anywhere – Convert Text, Word, Excel, OpenOffice, LibreOffice and other files to PDF – All in one PDF Converter
- Image to Text Converter – OCR
- Image to Excel Converter – OCR
- Image to Word Converter – OCR – Convert photos to Word documents
- PDF Creator – PowerPoint edition
- PDF Creator – Word edition
- DOC to DOCX
- DOCX to DOC
- PDF to AutoCAD Converter – Convert PDF to DWG
- PDF to Text Converter with OCR
- PDF to PowerPoint Converter
- PDF to Excel Converter – OCR
- PDF to JPG Converter (JPEG)
- Publisher to PDF Converter
- PDF Converter Ultimate – All In One Converter
- PDF to Word Converter with OCR
- MP3 Converter – Convert Videos and Music to MP3
Unusable apps (never provide the promised conversion):
- XPS to Word Converter – Convert XPS files to Word
- Publisher to Word
- Resumable File Transfer by Cometdocs
- Scanned PDF to Word