Researcher shows how popular app ES File Explorer exposes Android device data

alimac


Why is one of the most popular Android apps running a hidden web server in the background?

ES File Explorer claims it has over 500 million downloads under its belt since 2014, making it one of the most used apps to date. Its simplicity makes it what it is: a simple file explorer that lets you browse through your Android phone or tablet’s file system for files, data, documents and more.

But behind the scenes, the app is running a slimmed-down web server on the device. In doing so, it opens up the entire Android device to a whole host of attacks — including data theft.

The obvious caveat is that the chances of exploitation are slim, given that this isn’t an attack that anyone on the internet can perform. Any would-be attacker has to be on the same network as the victim. Typically that would mean the same Wi-Fi network. But that also means that any malicious app on any device on the network that knows how to exploit the vulnerability could pull data from a device running ES File Explorer and send it along to another server, so long as it has network permissions.

source
Researcher shows how popular app ES File Explorer exposes Android device data

more info
Here's why we're removing ES File Explorer from our best apps lists | AndroidPIT

Other option
MiXplorer
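
Added example, not part of the original post or the linked article: a way to check a device for the kind of listener the article describes, an app-owned TCP server reachable from the Wi-Fi network rather than only from the device itself. It parses text in the Linux `/proc/net/tcp` layout; the sample table, port and UIDs are constructed, a little-endian device is assumed, and only the IPv4 table is covered (`/proc/net/tcp6` would need the same treatment).

```python
import ipaddress
import struct

LISTEN = "0A"          # TCP state code for LISTEN in /proc/net/tcp
FIRST_APP_UID = 10000  # Android gives installed apps UIDs from 10000 upward

# Constructed sample in /proc/net/tcp layout (not captured from a real device).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20111 1
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 20456 1
   2: 6401A8C0:A1B2 0A01A8C0:01BB 01 00000000:00000000 00:00000000 00000000 10087        0 20789 1
"""


def decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' into (IPv4Address, port).

    The kernel prints the address as a host-order 32-bit value, so on a
    little-endian device (assumed here) the bytes appear reversed.
    """
    hex_ip, hex_port = field.split(":")
    ip = ipaddress.IPv4Address(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def exposed_listeners(proc_net_tcp):
    """Return listening sockets that are bound to a non-loopback address."""
    findings = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN:
            continue  # malformed row, or a socket that is not listening
        ip, port = decode_endpoint(fields[1])
        if ip.is_loopback:
            continue  # only reachable from the device itself
        uid = int(fields[7])
        findings.append({
            "address": str(ip),   # 0.0.0.0 means every interface, Wi-Fi included
            "port": port,
            "uid": uid,
            "app_uid": uid >= FIRST_APP_UID,  # owned by an installed app
        })
    return findings


if __name__ == "__main__":
    for f in exposed_listeners(SAMPLE):
        print(f)
```

A UID flagged as `app_uid` can be matched to a package name in the device's package list to see which app owns the listener.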
 
OMG been using that for ages as well

Cheers for the heads up m8 :)
 
I have it on every device. Is there another app as good I should change to?
 
Cheers @spud1966 and @alimac, I will give that a go. I liked ES Explorer because it allowed me to use Google Drive on my Fire TV and other Firestick. Hope I can do it on MiXplorer.
 
Has got FTP on that one but not had time to play with it yet m8 :)
 