Cybersecurity company Wandera found that some 23 iOS file-conversion apps used by three million people fail to use encryption, potentially putting the documents at risk.

All the apps in question were created by a single developer, Cometdocs, but Wandera says that the discovery raises a broader security issue…

Cometdocs makes apps that convert documents between different file formats. For example, from Word to PDF, or from PDF to PowerPoint.

The problem is that the conversion itself takes place on a Cometdocs server, and both the original and converted documents are sent without any form of encryption.

In a nutshell, the Cometdocs apps are designed to upload files to the Cometdocs servers before converting them and sending them back to the user.

The app allows the user to sign in to popular file hosting services including Gmail, iCloud, Dropbox, Google Drive, OneDrive, or Box in order to fetch all the files that the user has stored there. Alternatively, the user can choose to upload a file from their device directly.

The problem is […] the Cometdocs applications are transferring files without using encryption (via HTTP), providing bad actors the opportunity to cache and retrieve the files. Moreover, a man-in-the-middle (MitM) attacker could access the files while “sniffing” traffic on the same Wi-Fi network as the user. Because the Cometdocs apps do not use encryption when transmitting and storing files on its servers, they are allowing private information to leak into the hands of third parties monitoring the network.

Additionally, some of the free apps appear to be deceptive, making users wait a very long time for a free conversion, or pay for an immediate one. Some users complain of waiting 60-90 minutes or more.

The full list of affected iOS file-conversion apps can be found below. Wandera contacted the developer three times over the past three months but has received no response.

Wandera says it isn’t just a problem with these apps, however: there is the broader issue of users using unapproved services with confidential business documents.

In the emerging enterprise edge, shadow IT is taking on new meaning. It used to refer to unapproved apps people installed on their work-assigned desktops. Today, employees are using personal or unmanaged devices that have unrestricted access to a whole world of apps and services, including those they might think are safe for work such as cloud storage apps and PDF converters. Unfiltered access to these unapproved services increasingly undermines cloud security efforts and exposes sensitive data because there is no way for IT to understand or control where sensitive corporate IP is going and how it is getting there.

Organizations with proper mobile device management solutions should already be locking down corporate data using Apple’s Configuration Profiles for iOS, but not all businesses take advantage of these.
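
The cleartext transfers described above are also visible to a network defender. As an added example (not code from Wandera or 9to5Mac), this script flags document uploads sent over plain HTTP in web-proxy logs; the log column layout, device names and `.example` hosts are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Content types suggesting a document or media file is in the request body.
DOCUMENT_TYPES = (
    "application/pdf", "application/msword", "application/vnd.",
    "multipart/form-data", "image/", "audio/", "video/",
)

# Constructed sample log. Assumed columns: device, method, url, content_type,
# bytes_sent. Hosts use the reserved .example TLD; none is a real service.
SAMPLE_LOG = """\
ipad-014,POST,http://convert.example/upload,multipart/form-data,482133
ipad-014,GET,http://convert.example/status?id=7,,0
iphone-221,POST,https://storage.example/files,application/pdf,120044
iphone-307,PUT,http://convert.example/upload,application/pdf,98211
iphone-307,POST,http://telemetry.example/ping,application/json,312
"""

def find_cleartext_uploads(log_text, min_bytes=1024):
    """Return {(device, host): total_bytes} for document uploads over plain HTTP."""
    findings = defaultdict(int)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:                            # skip blank or malformed lines
            continue
        device, method, url, ctype, sent = row
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":           # TLS-protected requests pass
            continue
        if method.upper() not in ("POST", "PUT"):    # only requests carrying a body
            continue
        if not sent.isdigit() or int(sent) < min_bytes:   # ignore small beacons
            continue
        if not ctype.lower().startswith(DOCUMENT_TYPES):
            continue
        findings[(device, parts.hostname)] += int(sent)
    return dict(findings)

if __name__ == "__main__":
    for (device, host), total in sorted(find_cleartext_uploads(SAMPLE_LOG).items()):
        print(f"{device} sent {total} bytes of document data to {host} without TLS")
```
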

Conversion apps which fail to use encryption:

  1. Audio Converter by Cometdocs – Convert Audio Files
  2. Video Converter – Convert Video Files
  3. Compress PDF – Make PDF Smaller
  4. PDF Merge – Combine PDF Documents
  5. JPG to PDF Converter
  6. XPS to PDF Converter – Convert XPS files to PDF
  7. Save as PDF – from Anywhere – Convert Text, Word, Excel, OpenOffice, LibreOffice and other files to PDF – All in one PDF Converter
  8. Image to Text Converter – OCR
  9. Image to Excel Converter – OCR
  10. Image to Word Converter – OCR – Convert photos to Word documents
  11. PDF Creator – PowerPoint edition
  12. PDF Creator – Word edition
  13. DOC to DOCX
  14. DOCX to DOC
  15. PDF to AutoCAD Converter – Convert PDF to DWG
  16. PDF to Text Converter with OCR
  17. PDF to PowerPoint Converter
  18. PDF to Excel Converter – OCR
  19. PDF to JPG Converter (JPEG)
  20. Publisher to PDF Converter
  21. PDF Converter Ultimate – All In One Converter
  22. PDF to Word Converter with OCR
  23. MP3 Converter – Convert Videos and Music to MP3

Unusable apps (never provide the promised conversion):

  1. XPS to Word Converter – Convert XPS files to Word
  2. Publisher to Word
  3. Resumable File Transfer by Cometdocs
  4. Scanned PDF to Word


About the Author

Ben Lovejoy's favorite gear