goodreader – Jason Griffey

Quick Office, not Goodreader

After some prodding from Glenn in the comments of my post on Goodreader and the iPad, it turns out that the security culprit doesn’t look like it’s Goodreader at all. It’s the Port 4242 that gave it away, and much thanks to Glenn for pointing it out…I was too concerned with publishing fast, and didn’t follow up the details as well as I should have.

It looks like Goodreader lets you SEE any shared iPad on wifi, but it doesn’t share openly in the way that I described. The bad guy here appears to be QuickOffice, which DOES use port 4242 and share files by default across a shared wifi LAN. I could see in Goodreader the files that someone else had on their iPad in QuickOffice…not the normal set of events for the iOS devices, as the file systems are normally sandboxed to not allow that to happen.

So: revised security alert! If you use QuickOffice on your iOS device (iPhone, iTouch, iPad) please ensure that you have sharing off by default, so that others aren’t able to see your stuff at all.

Goodreader & the iPad

EDIT: please check out my new post, with the real problem identified. This post contains old information that is not correct!

Goodreader is by far the best interface and app for handling different filetypes on the iPad…PDFs, doc files, images, etc. But this morning at the ALA Annual conference I discovered one really scary security issue with it. By default, Goodreader doesn’t require authentication or any warning to connect via Bonjour, and it allows you to browse AND DOWNLOAD any files that are so shared. Sitting in the Conference Center lobby, I was able to connect to two different iPads, view and grab files arbitrarilly, and push files TO the iPads as well.

This is INCREDIBLY SCARY. In the first 2 minutes, I saw files that had credit card information, passwords, bank account information, and more.

If you are using Goodreader and are connected to any public wifi point, make sure that you have gone into Settings, Other Settings, and make sure that Ask Permission Before Connecting is ON.