This file sharing app is fast and convenient, but beware the trade-offs

2
Send Anywhere allows super-fast file transfers by bypassing the cloud.

Korean software startup Estmob has a file-transfer app that is fast, easy, and totally free. With no required logins or file size limits, the program can send files from any device, to any device, and on any major platform or web browser – features fitting for its name, Send Anywhere.

Since we featured the app last year, tech reviews have been gushing about its simplicity. It even won Tech in Asia’s inaugural Seoul pitch-off in May, earning the team a trip to Singapore.

Send Anywhere allows super-fast file transfers by bypassing the cloud.

All you need to transfer a file is the app and a six-digit number. After opening the program, a user clicks “send,” picks the files, and tells the receiver a simple numerical key that expires after 10 minutes. The receiver enters the key on his device, and the files transfer peer-to-peer in a snap, no matter their location or network. If they need more time, users can also get a 24-hour public link that briefly puts the file on Send Anywhere’s server, where it can be shared with anyone.

Co-founder and chief strategy officer Kang Su-hyuk tells Tech in Asia that Send Anywhere’s strengths are not only in its simplicity and speed, but also its security. Cloud storage is very vulnerable to hacks and subject to data loss, and even the simplest services require a login, which makes it risky and a headache to use on foreign devices, he says. Send Anywhere doesn’t worry much about data loss – instead, it promises to delete the files within 24 hours.

“Cloud-based services are open to these kind of risks. We believe that if you want to keep your privacy and your private content, people should not upload it to a server,” says Kang. “So maybe Send Anywhere can help you avoid the cloud.”

Despite its nebulous logo, Send Anywhere transfers files p2p, only using its server as a cloud for 24-hour storage.

Despite its nebulous logo, Send Anywhere transfers files p2p, only using its server as a cloud for 24-hour storage and delayed transfers.

This strategy has earned it a fanhood of 1 million monthly active users in over 190 countries and a US$1 million backing from Rakuten. But is this app really that much easier and safer than the cloud?

That might depend on who you ask. One security expert tells Tech in Asia that a diligent hacker could clean out every file being transferred through Send Anywhere in 10 minutes.

He also says he was able to run several attacks on the program in less than that amount of time. After being blocked, all he did was switch browsers using the same IP address, meaning he could indefinitely keep carrying out attacks by opening new browser windows.

“From a very brief look, it is clear that either no one with security expertise has reviewed the product, or else the security people they [have] are completely clueless,” says Aviram Jenik, CEO of Silicon Valley-based cybersecurity firm Beyond Security. “If I was Jennifer Lawrence, I wouldn’t send my pictures through this service.”

SendAnywhere6

Send Anywhere’s desktop app. Transfers can also be made through any Web browser.

Simple vs. secure

Jenik, who has worked in IT security for nearly 25 years, stresses that while Send Anywhere is a great business idea and praiseworthy for its ease of use, it’s a mistake for it to be branded as “secure.”

The program’s simplicity is a double-edged sword: Each file gets one six-digit identification number. Given that there are only 1 million possible combinations that are randomly generated and repeated, it would not be difficult to set up a botnet to guess them, Jenik explains.

And if a mega-corporation with 250,000 employees around the world deployed each of their desktop computers to input just four codes each (or if a hacker programmed them to do it for him), they could download every file from Send Anywhere’s servers instantaneously – that includes the 24-hour requests as well as any 10-minute requests that are relayed to a server during a delay in transfer.

This applies not just to hacking, but also to random error – an innocent user could accidentally download the wrong file by inputting the wrong key at the wrong time, Jenik says, stressing that this will be inevitable as the service scales.

“With 1 million combinations, even if we assume all codes expire in exactly 10 minutes, the best they can serve is 100,000 files a minute or 1,700 files per second. That’s a really low number – Dropbox has more than 10,000 uploads a second,” he notes. “Unless I’m missing something big here, I don’t understand why a company would want to limit the number of users it can handle.”

Jenik adds that prevention against brute-force checks is cookie-based. This means that when Send Anywhere’s cookie is created on the user’s device, a hacker can delete it and continue with the attacks. But since the protection is client-side – meaning it’s the user’s browser that prevents the attack, not the company’s server – there is no real protection to the server, he explains.

“[All of this] means I can easily automate the process and […] gather every piece of data that goes through the network at any given time. I have no theoretical problem in doing that every 10 minutes,” Jenik says. “Piece of cake for any government in the world and for most criminal organizations; a bit more effort for the others.”

So, we asked Send Anywhere: Can a hacker get into the server?

mail_install_2

The app is available for all mobile and desktop platforms.

“Maybe,” says CSO Kang, but suggests the risk is lower than with cloud storage. “Our servers have the same threats as a conventional cloud service has. The only difference is we don’t have the responsibility of keeping those files forever, and all the files here expire within 24 hours. That might make it less risky for those kinds of threats – but [the risk] still exists.”

The 24-hour server functions the same as a cloud, but Kang says that since the files are held on the server for such a short time, “there’s nothing to hack.”

The code expires right after the transfer begins, and users on average input the code within two minutes. So it can cut down attacks due to the short time window, but Kang admits that it’s “not impossible” to guess the code. “You can just guess the six-digit code and it happened to be right at the moment, but it’s an extremely low possibility,” he says.

But that doesn’t account for netbot hacking, which can guess codes much, much faster than a human, notes Jenik.

On the other hand, a hacker could go straight for the file instead of the six-digit code. Kang says file hijacking attempts happen “from time to time,” but the program also has server-based protection on top of web cookie-based protection. (Jenik says otherwise about the server protection, as he was able to continue an attack by simply changing browsers whenever he was blocked.)

“File hijacking is one of the issues that we’ve been working to prevent, because it can happen, so we have been building preventing algorithms,” Kang says. So if a hijacker tried multiple rapid hacks, Send Anywhere’s algorithm can identify and block the requests by monitoring and blocking unusual IP address patterns, unique device IDs and request packet headers. However, Kang acknowledges that the block is limited to the device or IP address, meaning a hacker can simply change his IP and try again.

Even if the file transfer is hacked, it is SSL-encrypted, so they might take “years” to crack, he says. But this only protects the file being transferred, not the service itself.

5_Screenshot

Kang adds that CEO Oh Yoon-sik is the team’s security specialist, based on his experience handling server operations as head of engineering at the Korean app software development company ESTsoft. The company also takes mentorship from veteran Google engineer Andy Warner on its advisory board for software security issues.

When theorizing about the 250,000 computers attacking at once, he says, “It’s hard to tell, but I think that will work,” but that this is a fundamental problem that all one-time password verification services face.

“Usually, it is a trade-off between security and convenience,” he adds. “At Send Anywhere, we currently take more care for convenience than security. We can easily increase the code complexity, but we believe that it might hurt the simplicity of user experience in the majority of cases.”

Albeit still with a relatively small user base, Send Anywhere says that no users have reported data loss or data theft. The only successful hack was when a Googlebot crawled into a file last year, not through the six-digit code, but through a short URL, which used to accompany the code as an alternative. It’s been done away with and there have been no other problems.

3_Screenshot

Waving the security flag

Like with the cloud, Send Anywhere acknowledges that everyday users might not fully understand the service, not only on security but also on data loss. Kang believes that small startups can’t handle public cloud services because of such issues, but that Send Anywhere’s concept is much smaller and more manageable.

Kang still sees the accidental data transfers through user error as very unlikely – and Jenik and Kang both believe attacks cannot be targeted, but random only. But he admits that as the user base grows, the team will inevitably have to make the simple code more complex. He does not specify a timeline or specific user number for when that change will be implemented, but the security team will monitor the situation.

“We believe that we are not perfectly secure, but we are secure enough to maintain this kind of simplicity for a service for now. And in the future we will split the user experience [so they can choose] simplicity and another way to ensure the security.”

4_Screenshot

Among the security updates being developed is a new way of verifying file transfers between familiar devices. It promises to be more convenient while also more secure, as it does away with inputting codes and specifies the recipient based on the unique device ID, Kang explains. The sender chooses a recipient from his friends list (users or devices he has already shared with) and the recipient accepts the transfer with the click of a button. A longer, more complex code is provided as backup.

Jenik notes that the problems are “much more grave” than what a typical OTP service faces – imagine if trying the wrong code to your storage locker would open someone else’s, he explains – but the startup should choose whether it wants to market security or convenience.

“I’m not picking on them – I’ve seen worse. But they should either not wave the security flag, since they’re not good at it, and choose a different flag to wave,” he suggests, “or they should take a local expert – there are many such people in Korea – to help them convert the service into a secure one. […] It seems not a lot of security thinking was done, so I’m sure a few tweaks can heighten security considerably.”

send anywhere send button

Created by Oh Yoon-sik (CEO), Kang Su-hyuk (CSO), Lee Kyung-ho (Android software engineer), and Park Hae-il (server software engineer) in July 2012, Send Anywhere topped 1 million monthly active users in August and aims for 10 million by the end of 2017.

While it currently has zero revenue, it plans to start monetizing in 2018 through business and API solutions, native ads, and freemium user subscriptions.

For now it is focused on ramping up traction by cross-promoting with various local content providers, and will seek another funding round by the end of this year.

This post This file sharing app is fast and convenient, but beware the trade-offs appeared first on Tech in Asia.