CVE-2018-11544 in Olive Tree Ftp Server App
Summary
by MITRE
The Olive Tree Ftp Server application 1.32 for Android has Insecure Data Storage because a username and password are stored in the /data/data/com.theolivetree.ftpserver/shared_prefs/com.theolivetree.ftpserver_preferences.xml file as the prefUsername and prefUserpass strings.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 11/12/2025
The vulnerability identified as CVE-2018-11544 represents a critical insecure data storage issue within the Olive Tree FTP Server application version 1.32 for Android platforms. This flaw resides in the application's handling of authentication credentials, specifically storing sensitive user information in an unencrypted format within the device's local storage system. The vulnerability manifests through the persistence of username and password credentials in the Android application's shared preferences file located at /data/data/com.theolivetree.ftpserver/shared_prefs/com.theolivetree.ftpserver_preferences.xml, where the credentials are stored as plain text values under the prefUsername and prefUserpass string parameters. This insecure storage mechanism directly violates fundamental security principles and creates a significant attack surface for malicious actors who gain access to the device or can extract the application's data files.
The technical implementation of this vulnerability stems from the application's failure to implement proper cryptographic protection for sensitive data at rest. According to CWE-312, this represents a weakness where sensitive data is stored in a manner that makes it easily accessible to unauthorized parties. The Android operating system provides robust security mechanisms for protecting sensitive information through the use of encryption, secure key stores, and proper access controls, yet the Olive Tree FTP Server application bypasses these protections entirely. The vulnerability occurs at the application level where developers have chosen to store credentials in the default shared preferences mechanism without implementing additional security measures such as encryption, obfuscation, or secure storage APIs. This design flaw allows any process running with the same user privileges to access the credentials, potentially including malicious applications or attackers who have gained access to the device through various exploitation vectors.
The operational impact of this vulnerability extends beyond simple credential exposure, creating cascading security risks for users who may rely on the application for file transfer operations. When credentials are stored in plain text within the application's data directory, they become immediately accessible to any attacker who can execute code on the device or gain file system access. This vulnerability is particularly concerning because it affects mobile devices where physical security may be compromised through theft, loss, or unauthorized access. The exposure of FTP credentials can lead to unauthorized access to file servers, potential data breaches, and compromise of sensitive information stored on remote servers. Attackers can leverage this vulnerability to perform lateral movement within networks, escalate privileges, or conduct further reconnaissance activities. The vulnerability also aligns with ATT&CK technique T1552.001, which covers "Unsecured Credentials" and represents a common vector for credential theft in mobile environments where applications fail to properly protect sensitive information.
Mitigation strategies for this vulnerability require immediate attention from both application developers and end users. Developers must implement proper cryptographic protection for stored credentials, utilizing Android's Keystore system or other secure storage mechanisms that provide hardware-backed encryption. The application should employ strong encryption algorithms such as AES-256 to protect sensitive data at rest, and implement proper access controls that limit which processes can access the credential storage. Additionally, developers should consider implementing credential rotation mechanisms and avoiding the storage of authentication information whenever possible. From a user perspective, individuals should be advised to avoid using applications with known insecure data storage practices and to regularly review application permissions. Organizations implementing mobile device management policies should include specific controls to identify and remediate applications with insecure credential storage practices. The vulnerability also highlights the importance of proper security code reviews and adherence to mobile security best practices such as those outlined in the OWASP Mobile Security Project, which emphasizes the need for secure data handling and storage in mobile applications.