Mobile cybersecurity firm Wandera has warned that document management apps made by Cometdocs can expose users’ files. Cometdocs has disputed the severity of the findings and has threatened legal action against reporters if they publish what the company considers to be inaccurate articles.
Cometdocs provides an online document management system that enables users to convert, transfer, store and share documents and other files. The company offers dozens of iOS and Android applications, as well as a desktop app for Windows. Users can connect the apps to their Gmail, Google Drive, iCloud, Dropbox, OneDrive and Box accounts, enabling them to directly convert files stored on these services.
Both free and paid versions of these applications are available and Cometdocs says its services have been used by millions of users. The apps are often installed on enterprise devices.
Wandera started analyzing Cometdocs’ mobile applications after noticing an unencrypted file being uploaded from one of the company’s conversion apps installed on a corporate device. The cybersecurity firm has analyzed many of the Cometdocs applications — all the iOS apps and some randomly selected Android apps — and says they have an almost identical user interface and behavior, and they communicate with servers without using encryption.
“The Cometdocs applications are transferring files without using encryption (via http), providing bad actors the opportunity to cache and retrieve the files. Moreover, a man-in-the-middle (MitM) attacker could access the files while ‘sniffing’ traffic on the same Wi-Fi network as the user. Because the Cometdocs apps do not use encryption when transmitting and storing files on its servers, they are allowing private information to leak into the hands of third-parties monitoring the network,” Wandera said.
It added, “The second part of the problem is that shadow IT allows risky apps like these to enter the business environment, where employees might be converting sensitive corporate documents. Without an effective policy in place to address shadow IT in a mobile environment, corporate data is at risk of falling into the wrong hands.”
Wandera has published a video showing how an attacker with access to the targeted user’s network can intercept files transmitted through the Cometdocs apps.
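The finding above is about what leaves the device on the wire: a document upload sent over plain HTTP is readable by anyone on the path. As an added example, not code from Wandera's report or from Cometdocs, the Python script below shows the kind of check a network defender could run over proxy or gateway logs to spot that behaviour: it parses a constructed, simplified request log, flags POST/PUT requests that carry a document over an http:// URL, and leaves HTTPS traffic and small form posts alone. The log format, hostnames, client addresses and filenames are all made up for the example.

```python
"""Flag document uploads that leave a device over plain HTTP.

Added example for this article; not code from Wandera or Cometdocs. The log
format below is a constructed, simplified gateway log (one request per line,
pipe-separated), and every host, address and filename in it is made up.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample log: ts|client|method|url|content-type|filename (filename
# is what the gateway recovered from a multipart Content-Disposition, if any).
SAMPLE_LOG = """\
2020-01-14T10:02:11Z|10.0.0.23|POST|https://storage.example.net/oauth/token|application/x-www-form-urlencoded|
2020-01-14T10:02:19Z|10.0.0.23|POST|http://convert.example.com/api/upload|multipart/form-data; boundary=----abc|Q4_forecast.xlsx
2020-01-14T10:02:20Z|10.0.0.23|GET|http://convert.example.com/api/status/81|-|
2020-01-14T10:03:02Z|10.0.0.41|PUT|http://convert.example.com/api/files/board_minutes.pdf|application/octet-stream|board_minutes.pdf
2020-01-14T10:03:05Z|10.0.0.41|POST|http://metrics.example.com/ping|application/x-www-form-urlencoded|
"""

DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx",
                       ".ppt", ".pptx", ".txt", ".csv", ".rtf")
UPLOAD_METHODS = {"POST", "PUT"}
BULK_CONTENT_TYPES = ("multipart/form-data", "application/octet-stream")


@dataclass
class Request:
    ts: str
    client: str
    method: str
    url: str
    content_type: str
    filename: Optional[str]

    @property
    def scheme(self) -> str:
        return urlsplit(self.url).scheme.lower()

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""


@dataclass
class Finding:
    ts: str
    client: str
    host: str
    filename: Optional[str]
    reason: str


def parse_log(text: str) -> list:
    """Parse the constructed pipe-separated log into Request records."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, ctype, fname = line.split("|", 5)
        requests.append(Request(ts, client, method.upper(), url,
                                ctype.lower(), fname or None))
    return requests


def classify(req: Request) -> Optional[str]:
    """Return a reason string when req looks like a document upload over
    plain HTTP (the behaviour described in the article), otherwise None."""
    if req.scheme != "http" or req.method not in UPLOAD_METHODS:
        return None
    if req.filename and req.filename.lower().endswith(DOCUMENT_EXTENSIONS):
        return f"document {req.filename!r} sent in cleartext"
    if req.content_type.startswith(BULK_CONTENT_TYPES):
        return f"bulk upload ({req.content_type.split(';')[0]}) sent in cleartext"
    # Small form posts over HTTP are still unencrypted, but they are not file
    # uploads; keep the signal focused on documents leaving the device.
    return None


def find_cleartext_uploads(requests) -> list:
    """Run classify() over every request and collect the hits."""
    findings = []
    for req in requests:
        reason = classify(req)
        if reason:
            findings.append(Finding(req.ts, req.client, req.host,
                                    req.filename, reason))
    return findings


if __name__ == "__main__":
    for f in find_cleartext_uploads(parse_log(SAMPLE_LOG)):
        print(f"{f.ts} {f.client} -> {f.host}: {f.reason}")
```

On the sample log the script reports the two document uploads to convert.example.com and nothing else: the HTTPS token request (the login step that Wandera notes is encrypted) and the plain-HTTP status poll and metrics ping are not file transfers. In a real deployment the same logic would sit on a proxy or MDM gateway, and the alert would name the device and app so the shadow-IT question raised by Wandera can be answered per device rather than per network.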
Contacted by SecurityWeek, Cometdocs took an aggressive tone and repeatedly threatened legal action “if you get anything factually incorrect or twist our words.”
Is encryption important or pointless?
Cometdocs has argued that its apps comply with Apple’s and Google’s standards regarding the transmission of data over the internet and that neither company currently requires the use of an HTTPS connection for apps offered on its official application store.
Wandera, in turn, has argued that it has not claimed Cometdocs violated the terms of the Apple App Store or Google Play store, but that Cometdocs is not following security best practices and puts potentially sensitive information at risk by doing so.
Apple at one point did plan on requiring all iOS apps in the App Store to use HTTPS, but the company appears to have dropped those plans for the time being.
“Just because Apple and Google do not require an app to use secure transport, end users trust their developers to treat sensitive information with the appropriate level of protection,” Michael Covington, VP of Product at Wandera, told SecurityWeek. “And to be clear, encryption is not a foreign concept to CometDocs; they use it in their app to protect the user’s login sequence with cloud storage sites. However, they fail to use encryption when it matters most, to protect the document itself as it is uploaded from the mobile device to the backend service that provides the conversion.”
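The platform controls the two sides are arguing about exist as per-app configuration rather than store policy: Apple's App Transport Security (the NSAppTransportSecurity dictionary in an app's Info.plist, which refuses plain-HTTP loads by default unless the developer opts out with NSAllowsArbitraryLoads or a per-domain NSExceptionAllowsInsecureHTTPLoads), and Android's network security configuration (cleartextTrafficPermitted in network_security_config.xml, refused by default for apps targeting API 28 or later). As an added example, not code from Wandera, Cometdocs, Apple or Google, the Python audit below parses a constructed weak and a constructed hardened version of each configuration and reports whether the app has opted into cleartext traffic; the bundle identifier and hostnames are made up, and the keys and attributes checked are the real platform ones.

```python
"""Audit an app's transport-security configuration for cleartext opt-outs.

Added example for this article; not code from Wandera, Cometdocs, Apple or
Google. The four configurations below are constructed (bundle id and hostnames
are made up). The keys checked are the real platform ones: NSAppTransportSecurity,
NSAllowsArbitraryLoads and NSExceptionDomains in an iOS Info.plist, and the
cleartextTrafficPermitted attribute on base-config / domain-config in an
Android network_security_config.xml.
"""
import plistlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Weak: the developer switched ATS off for every host.
WEAK_IOS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.docconverter</string>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist>"""

# Hardened: ATS left at its default, which refuses plain-HTTP loads.
HARDENED_IOS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.docconverter</string>
</dict></plist>"""

# Weak: cleartext permitted everywhere, plus an explicit upload host.
WEAK_ANDROID_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="true" />
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">convert.example.com</domain>
  </domain-config>
</network-security-config>"""

# Hardened: cleartext refused for every host, regardless of target SDK.
HARDENED_ANDROID_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
</network-security-config>"""


@dataclass
class CleartextPolicy:
    platform: str
    everywhere: bool                              # plain HTTP allowed to any host
    domains: list = field(default_factory=list)   # hosts with an explicit opt-out

    def allows_cleartext(self) -> bool:
        return self.everywhere or bool(self.domains)


def audit_ios_plist(plist_bytes: bytes) -> CleartextPolicy:
    """Read the ATS dictionary; an absent dictionary means the secure default."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    everywhere = bool(ats.get("NSAllowsArbitraryLoads", False))
    domains = [host for host, rules in ats.get("NSExceptionDomains", {}).items()
               if rules.get("NSExceptionAllowsInsecureHTTPLoads")]
    return CleartextPolicy("ios", everywhere, domains)


def audit_android_nsc(xml_text: str, target_sdk: int) -> CleartextPolicy:
    """Read base-config and domain-config; fall back to the platform default
    for the app's targetSdkVersion when base-config does not say."""
    root = ET.fromstring(xml_text)
    base = root.find("base-config")
    if base is not None and "cleartextTrafficPermitted" in base.attrib:
        everywhere = base.attrib["cleartextTrafficPermitted"].lower() == "true"
    else:
        # Platform default: permitted below API 28, refused from API 28 on.
        everywhere = target_sdk < 28
    domains = []
    for dc in root.findall("domain-config"):
        if dc.attrib.get("cleartextTrafficPermitted", "").lower() == "true":
            domains.extend(d.text.strip() for d in dc.findall("domain") if d.text)
    return CleartextPolicy("android", everywhere, domains)


def report(policy: CleartextPolicy) -> str:
    if not policy.allows_cleartext():
        return f"{policy.platform}: cleartext refused (documents cannot leave over plain HTTP)"
    where = "all hosts" if policy.everywhere else ", ".join(policy.domains)
    return f"{policy.platform}: cleartext PERMITTED to {where}"


if __name__ == "__main__":
    print(report(audit_ios_plist(WEAK_IOS_PLIST)))
    print(report(audit_ios_plist(HARDENED_IOS_PLIST)))
    print(report(audit_android_nsc(WEAK_ANDROID_NSC, target_sdk=29)))
    print(report(audit_android_nsc(HARDENED_ANDROID_NSC, target_sdk=29)))
```

The point the audit makes concrete is Covington's: neither store forbids the weak configuration, but each platform ships with the hardened one as its default, so an app that uploads documents over plain HTTP has either opted out of that default or targets an Android API level old enough not to have it. An app-vetting step that runs this check on the extracted Info.plist or network_security_config.xml flags the opt-out before the app reaches a corporate device.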
Wandera says it has attempted to report its findings to Cometdocs on three separate occasions between December 2019 and January 2020 — twice over email and once via the contact form on Cometdocs’ website. Wandera has provided SecurityWeek screenshots showing its attempts to reach out to the vendor.
However, Cometdocs says it has not received any message from Wandera. The company has provided the following statement in response to Wandera’s research:
“Wandera is a venture funded company that has raised $53 million dollars to date. Cometdocs is a small business that offers a simple, free conversion app and has exactly $0 in funding. The reality here is that the Cometdocs app uses transmission protocols that are approved by Apple and Google and are currently used by many many apps. This “security” report is not news and in the view of Cometdocs, is simply an opportunistic attempt by a venture funded company to promote themselves at the expense of a small business.
Wandera claims to have reached out to us by email but we received nothing (perhaps their inquiries went to spam or were not ever sent?) and we never received any phone calls from them, if the matter was so urgent. Finally, Cometdocs wishes Wandera good luck in their attempts to grow their company at the expense of small businesses.”
Covington pointed out in response, “Wandera does not charge or benefit in any way from responsible disclosure — when we notify developers of security issues that have been identified, we are transparent with the discovery and share as many details as possible to help them pinpoint and correct the problem. There are many discoveries that are never made public because developers engage and correct issues before we must notify customers and others who may be impacted by a threat.”
Wandera reported last year that tens of thousands of iOS apps had not used encryption to protect communications.