Zepp Health
Apps can read and modify files outside the app directory #197
sk1nzz
started this conversation in
Developer Feedback
Replies: 1 comment 1 reply
-
|
@sk1nzz Zepp OS 1.0 has this bug. But Zepp OS 2.0 and 3.0 has fixed this bug. |
Beta Was this translation helpful? Give feedback.
1 reply
-
|
But a read-only access still remains, right? I can read sysprop_default file on my Zepp OS 2.0 watch using my app. |
Beta Was this translation helpful? Give feedback.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Zepp OS API allows apps to access the file system. According to docs, apps can only access their data and assets directories. But if I pass a path argument with
../, I can access files outside the app directory.For example, I can access the system settings file with
So the API allows me to edit and even delete system files, which might brick the watch.
Is this a security issue? In a good way, 3rd party apps should be isolated from each other and FS API should be restricted to the app folder.
Beta Was this translation helpful? Give feedback.
All reactions