A couple of days ago, out of the blue, Google released an open-source Samba client for Android, bringing users the convenience of being able to easily mount and access files over a network using the SMB protocol.
In its description, Google states that the app is a “direct port of the Samba client,” and thus supports its entire feature set. Unfortunately, Google fails to mention that the app only supports the extremely vulnerable SMBv1 networking protocol.
As tested by Android Police’s Corbin Davenport, the app simply refuses to connect if the server hosting a Samba share has SMBv1 disabled.
“Linux users are not perfectly safe using this client, as the SMB1 client does not provide sufficient MitM protections unless carefully configured with UNC hardening (a feature likely not available or possible here, since this phone likely cannot use Kerberos, join Active Directory domains, and there isn't an obvious way I see to configure signing). I would not recommend using any SMB client from any vendor that only supports SMB1.”
The ‘WannaCry’ ransomware that propagated through networks in over 70 countries a couple of months ago abused the SMBv1 protocol; this was followed by Petya/NotPetya ransomware just last week, which brought several organizations in Ukraine and the rest of Europe to a halt.
SMBv2 and SMBv3 versions of the protocol do not share these same vulnerabilities and offer quite a few extra (and perhaps necessary) security features as well.
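A server-side check that follows from the points above (an added example, not code from the article, from Google's app, or from the Samba project): the script below parses the `[global]` section of a Samba `smb.conf` and reports whether the server still accepts SMBv1 dialects and whether it forces SMB signing, which is the protection the quoted comment says the client cannot configure. The parameter names `server min protocol` and `server signing` are real Samba options; the two sample configurations are constructed for illustration, and the assumed fallback to `NT1` when `server min protocol` is unset reflects Samba releases before 4.11 (later releases default to `SMB2_02`). A server that passes this audit is exactly the kind that the Android client, as described in the article, will fail to connect to.

```python
"""Audit the [global] section of a Samba smb.conf for SMBv1 exposure.

Added example, not from the article or the Samba project. The sample
configurations below are constructed; the parameter names are real.
"""
import re

# Samba dialect names that belong to the SMB1 family (NT1 is classic SMBv1;
# the others are even older variants). Anything newer starts with SMB2/SMB3.
SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}

# Constructed sample: a home NAS that never set a minimum protocol. On Samba
# releases before 4.11 this silently falls back to NT1, i.e. SMBv1 is allowed.
WEAK_CONF = """
[global]
   workgroup = WORKGROUP
   server string = Home NAS
   ; no 'server min protocol' line: older Samba releases fall back to NT1

[media]
   path = /srv/media
   read only = yes
"""

# Constructed sample: the same server with SMBv1 refused and signing forced.
HARDENED_CONF = """
[global]
   workgroup = WORKGROUP
   server string = Home NAS
   server min protocol = SMB2_02
   server signing = mandatory

[media]
   path = /srv/media
   read only = yes
"""


def parse_global(conf_text):
    """Return the parameters of the [global] section as a dict.

    Samba ignores case and internal whitespace in parameter names, so
    'Server Min Protocol' and 'serverminprotocol' map to the same key.
    Comment lines start with '#' or ';'.
    """
    section = None
    params = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params


def audit_smb_conf(conf_text, default_min_protocol="NT1"):
    """Return a list of findings; an empty list means no SMBv1 exposure found.

    default_min_protocol is the value assumed when 'server min protocol' is
    absent: NT1 for Samba < 4.11, SMB2_02 for 4.11 and later.
    """
    params = parse_global(conf_text)
    min_proto = params.get("serverminprotocol", default_min_protocol).lower()
    signing = params.get("serversigning", "default").lower()

    findings = []
    if min_proto in SMB1_DIALECTS:
        findings.append(
            f"SMBv1 accepted: 'server min protocol' is {min_proto.upper()}; "
            "set it to SMB2_02 or higher"
        )
    if signing != "mandatory":
        findings.append(
            f"SMB signing not forced: 'server signing' is '{signing}'; "
            "set it to 'mandatory' so every session is signed"
        )
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_smb_conf(conf) or ['OK']}")
```

Run it against a real `/etc/samba/smb.conf` by reading the file into `audit_smb_conf`; pass `default_min_protocol="SMB2_02"` on Samba 4.11 or later so that an unset minimum is not misreported.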
While Google has been quite enthusiastic about pointing out “crazy bad” flaws and vulnerabilities in software other than its own, it seems that the company has neglected its own software. This comes at a time when organizations are moving away from SMBv1, with Microsoft going as far as creating a list of old and new software that still relies on the vulnerable protocol.