Why is My Secret Leaked? Discovering Vulnerabilities in Device-to-Device File Sharing

The number of active users of Wi-Fi Direct Device-to-Device file sharing applications on Android has exceeded 1.8 billion. Wi-Fi Direct, also known as Wi-Fi P2P, is commonly used for peer-to-peer, high-speed file transfer between mobile devices, as well as a close proximity connection mode for wireless cameras, network printers, TVs and other IoT and mobile devices. For its end users, such type of direct file transfer does not incur cellular data charges. However, despite the popularity of such applications, we observe that the software vendors tend to prioritize the ease of user flow over the security in their implementations, which leads to serious security flaws. We perform a comprehensive security analysis in the context of security and usability and report our findings in the form of 17 Common Vulnerabilities and Exposures (CVE) which have been disclosed to the corresponding vendors. To address the similar flaws at the early stage of the application design, we propose a joint consideration of security and usability for such applications and their protocols that can be visualized in form of a customised User Journey Map (UJM).