When it comes to file explorer apps for Android, ES File Explorer is undoubtedly one of the most popular apps. I, myself, use the app for managing files and folders on my smartphone. However, it came as shock for me that ES File Explorer has a hidden web server running in the background and my data could be accessed by anyone with a simple script.
Baptiste Robert, a French security researcher, who is famous for exposing vulnerabilities in websites and apps, has exposed the file explorer app in a series of tweets.
With more than 100,000,000 downloads ES File Explorer is one of the most famous #Android file manager.
The surprise is: if you opened the app at least once, anyone connected to the same local network can remotely get a file from your phone https://t.co/Uv2ttQpUcN
— Elliot Alderson (@fs0c131y) January 16, 2019
He demonstrated the exfiltration of data by writing a simple script. He managed to export pictures, names of apps installed on your Android device, videos and even the files installed on the mounted memory card. By using the script, a bad actor could also launch an app in the victim’s smartphone remotely.
However, for extracting your data, the attacker must be on the same network as your device which means that it is not a vulnerability that could be exploited by anyone on the internet. But, the open port could be exploited by any malicious app that has the required network permissions.
ES File Explorer hasn’t responded to the allegations yet. Interestingly, the app has more than 500 million downloads on the Google Play Store.
With more and more Android apps donning the robe of data thieves, it is Play Store’s responsibility to ensure that users’ data remains safe, especially from the apps that could access files stored on your device.