Path traversal in ZIP extract routine on LINE Android

Medium
LY Corporation

Team Summary

Official summary from LY Corporation

@kanytu discovered that LINE Keep (a file storage service in the LINE App) contains an unsafe unzipping pattern, which can potentially be exploited to launch a path traversal attack. The reporter proved that it can lead to overwriting files in the LINE app's private folders under certain conditions by providing a PoC Android application and clear explanations. Additionally, there was an issue of LINE storing data in external storage, which was a known issue prior to reporting and had been fixed.

The complete chain looks like this:

Pre-conditions:

- LINE for Android provisioned with a valid account
- LINE for Chrome installed and configured with the same account as the device
- "Do not keep activities" setting has to be disabled
- A malicious Android application must be pre-installed on the victim's device and STORAGE permission is required.

Steps to reproduce:

1. In LINE for Chrome, create a new Memo and add some text to it.
2. Install the PoC Android application on the victim's device and grant STORAGE permission when requested.
3. Open LINE for Android and go to the "keep" account. You can see the new note there, as a ZIP file. If not, pull to refresh.
4. At this point, the PoC application tries to replace the original Memo file with a malicious ZIP file which contains an entry containing path traversal characters (“../”) in its name (e.g. `../../../../../../../data/data/jp.naver.line.android/files/something`).
5. Tap your ZIP note and tap on it again to open the contents of the ZIP file.
6. The LINE app will crash as part of a "SecurityException," but at this point, the files in the LINE app's private folders have already been overwritten.

Reported by kanytu
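
The unsafe unzipping pattern in the summary is avoided by resolving each entry name against the extraction directory and rejecting any name that lands outside it. The following is an added example, not code from LINE or from the report; the class `SafeUnzip`, its methods and the in-memory sample archive are constructed for illustration. It validates every entry before writing anything, so a rejected archive leaves no partial output behind.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.zip.*;

public class SafeUnzip {
    // Resolve an entry name under root; canonicalizing collapses "../" and symlinks.
    static Path resolveInside(Path root, String name) throws IOException {
        Path target = new File(root.toFile(), name).getCanonicalFile().toPath();
        if (!target.startsWith(root)) // component-wise check, so /a/b does not match /a/bc
            throw new SecurityException("ZIP entry escapes target dir: " + name);
        return target;
    }

    static int extract(byte[] zip, File destDir) throws IOException {
        Path root = destDir.getCanonicalFile().toPath();
        // Pass 1: validate every entry name. Nothing is written yet.
        try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(zip))) {
            for (ZipEntry e; (e = zin.getNextEntry()) != null; ) resolveInside(root, e.getName());
        }
        // Pass 2: extract, re-checking each name as it is used.
        int written = 0;
        try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(zip))) {
            for (ZipEntry e; (e = zin.getNextEntry()) != null; ) {
                Path target = resolveInside(root, e.getName());
                if (e.isDirectory()) { Files.createDirectories(target); continue; }
                Files.createDirectories(target.getParent());
                Files.copy(zin, target, StandardCopyOption.REPLACE_EXISTING);
                written++;
            }
        }
        return written;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample archive: one benign entry, one with "../" in its name.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(buf)) {
            for (String name : new String[] {"memo.txt", "../../escaped.txt"}) {
                zout.putNextEntry(new ZipEntry(name));
                zout.write("constructed".getBytes(StandardCharsets.UTF_8));
                zout.closeEntry();
            }
        }
        File dest = Files.createTempDirectory("unzip-demo").toFile();
        try {
            extract(buf.toByteArray(), dest);
        } catch (SecurityException ex) {
            System.out.println(ex.getMessage() + "; files written: " + dest.list().length);
        }
    }
}
```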

Report Details

Additional information and metadata

State: Closed
Substate: Resolved
Bounty: $475.00
Weakness: Path Traversal