Bad news this week for any users of the iOS file management apps File Lite and File Pro. Researchers over at Vulnerability Laboratory have published details for three vulnerabilities that they discovered in the latest versions of both apps.
The vulnerabilities range from low to high risk: two of them allow for code injection in the user’s browser when they view a file listing, while the most severe allows an attacker to upload arbitrary files to a user’s account without any user interaction. While the impact of these vulnerabilities could be quite severe, exploitation requires a victim to be running the app’s Wi-Fi Sharing option.
The Wi-Fi Sharing option runs a web server locally on your iPhone, and it appears that all of the published vulnerabilities can only be exploited while that web server is running. If you already have the app on your phone and don’t want to lose the documents you have in it, you should be fine leaving the app installed as long as you avoid using the Wi-Fi Sharing option. That said, based on the insecurities found by Vulnerability Laboratory, it’s probably not unwise to start using a different app to manage your files.