Update, January 18, 2019 (01:15 PM ET): Yesterday, we received word from ES App Group, the creators of ES File Explorer. The company informed us that the HTTP vulnerability as described in the article below has been fixed.
However, the new version of the app had to go through an approval process before launching on the Google Play Store. That waiting period is over, as the new version of the application is now live and available for download.
Make sure you are running the latest version of ES File Explorer so you are not vulnerable to the previous security flaw.
Original Article, January 16, 2019 (10:07 AM ET): If you use the popular Android app ES File Explorer on any of your Android smartphones or tablets, be careful: a security researcher has found a vulnerability in the app which would allow a hacker to access sensitive information on your device (via TechCrunch).
ES File Explorer — which has over 100 million installs on the Google Play Store — is a very simple and effective file manager app for Android. The app is totally free with an option to upgrade to ES File Manager Pro, which removes advertisements and offers a selection of new features.
According to Baptiste Robert — a French security researcher who uses the alias “Elliot Alderson” in some online forums — the ES File Explorer app includes a tiny hidden web server. Although Robert is not totally certain why the web server is there (he posits it might have to do with streaming video to other apps using HTTP), he did conclude that any hacker on the same network as the device could use the open ports connected to the web server to gain access to the device.
Once the hacker gains access through the open port, they could theoretically take almost any file from the Android device — including photos, videos, text files, etc. — and transfer it to any other server they also had access to. They could also remotely launch apps on the exploited device.
Obviously, this vulnerability only becomes a problem if you are on the same network as the hacker, which usually involves being connected to the same Wi-Fi network. In other words, the dangers of this vulnerability while you are at home are slim-to-none, but the dangers increase exponentially if you are on a public network such as those at coffee shops, airports, libraries, etc.
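For readers who want to check a device themselves, the sketch below is an added example, not code from Robert or ES App Group. It reads a socket table in the Linux `/proc/net/tcp` format and reports which listening ports are bound to an address other devices on the same network can reach, along with the UID of the owning app. The sample table, its ports and its UIDs are constructed for illustration, and it assumes the table was captured from a device where that file is readable.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format; addresses, ports and UIDs are made up.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 41001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10087        0 41002 1 0000000000000000 100 0 0 10 0
   2: 6401A8C0:A1B2 057100CB:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 41003 1 0000000000000000 100 0 0 10 0
"""

LISTEN = "0A"  # TCP state code for a listening socket


def decode_addr(field):
    """Decode 'HEXIP:HEXPORT' as written by a little-endian kernel (IPv4 only)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp):
    """Return one dict per listening socket, flagging those reachable off-device."""
    rows = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 8 or cols[3] != LISTEN:
            continue  # established or closing connections are not servers
        ip, port = decode_addr(cols[1])
        rows.append({
            "ip": ip,
            "port": port,
            "uid": int(cols[7]),  # on Android, UIDs from 10000 up belong to installed apps
            # 0.0.0.0 or an interface address accepts connections from the network;
            # 127.x.x.x only accepts connections from the device itself.
            "lan_reachable": not ip.startswith("127."),
        })
    return rows


if __name__ == "__main__":
    for row in listening_sockets(SAMPLE):
        scope = "reachable from the network" if row["lan_reachable"] else "loopback only"
        print(f"uid {row['uid']}: {row['ip']}:{row['port']} ({scope})")
```

A listening socket bound to `0.0.0.0` and owned by an app UID is the pattern described above: a server inside an app that anyone on the same Wi-Fi network can connect to. IPv6 listeners live in a separate table (`/proc/net/tcp6`) that this sketch does not parse.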
We attempted to contact ES App Group, the creators of ES File Explorer, to get a statement on this security issue. However, we did not hear back before press time. We will update this article if and when we receive a response (ED: See above for statement).
In the meantime, will this stop you from using ES File Explorer? If so, here’s a list of alternatives, or sound off in the comments with your file explorer app of choice.