Security

    Android Security Risks: OWASP Zip Slip Path Traversal (Guide)

    A malicious archive entry using parent-directory sequences to escape an Android app's extraction directory and overwrite a file in its private storage.

    Zip Slip is a path traversal vulnerability that occurs when an app extracts an archive, such as a zip or tar file, and trusts the file paths inside it, so a malicious archive entry whose name contains parent-directory sequences can escape the intended extraction folder and write a file somewhere else. In an Android app that unpacks archives, this can overwrite files in the app's private storage, corrupting its data or configuration, or in some designs replacing code or resources the app loads, which turns a simple extraction into a way to tamper with the app. The fix is to validate that each extracted entry's resolved, canonical path stays inside the target directory before writing it, and to reject any entry that would escape. Static analysis scanners can flag unsafe extraction automatically, which is the fastest way to find it across a codebase.

    Short answer

    Zip Slip lets a crafted archive write files outside the extraction directory because the app trusts the archive's paths. Per the OWASP MASVS, apps must handle file paths and untrusted input safely, and archive extraction that does not validate entry paths violates that. The exploit works when a malicious entry name includes parent-directory sequences that escape the target folder, so the fix is to resolve each entry's canonical path and confirm it stays within the intended directory before writing, per Android's data storage guidance. Test it only on your own app with a crafted archive in isolation, and use a scanner such as MobSF or a build scanner to detect unsafe extraction automatically.

    What Zip Slip path traversal is

    Zip Slip is a specific form of path traversal, the class of vulnerability where untrusted input controls a file path and reaches outside the location it should be confined to. In Zip Slip, the untrusted input is the file names stored inside an archive. When an app extracts an archive, it reads each entry's name and writes the entry's contents to a path built from that name inside a target directory. If the app trusts the entry name and it contains parent-directory sequences, the resulting path can point outside the target directory, so the file is written somewhere the app did not intend.

    The vulnerability is in the extraction code, not the archive format itself, because archives can legitimately contain any path, and it is the app's responsibility to refuse dangerous ones. So a Zip Slip issue exists whenever an app unpacks an archive without checking that each extracted file lands inside the intended folder.

    How archive extraction is exploited in an app

    Archive extraction is exploited by crafting an archive whose entry names are designed to escape the target directory, so understanding the mechanism helps you defend against it without needing a payload. An attacker creates an archive containing an entry whose name uses parent-directory sequences to point outside the folder the app extracts into, and when the app extracts it and writes that entry using the untrusted name, the file lands at the attacker-chosen location rather than inside the target. The attacker controls both the destination and the contents of that written file.

    The impact depends on what the app extracts and where. If your app downloads or receives an archive from an untrusted source and unpacks it, an attacker who can supply a malicious archive can write files into your app's storage outside the extraction directory, overwriting existing files. Depending on the app's design, that can corrupt saved data or configuration, replace files the app reads at runtime, or, in the worst cases where the app loads code or resources from a writable location, influence what the app runs.

    Android file permissions and why it matters

    On Android, the app sandbox and its private storage are what make a Zip Slip write consequential, so the file permission structure matters to the impact. Each app has a private data directory that only that app can access, containing its databases, shared preferences, and files, and an Android app typically extracts archives into a subdirectory of that private storage. Because the app itself has full read and write access to its own private directory, a Zip Slip write escaping the extraction subfolder can reach other files in the app's private storage, the very data the sandbox is meant to protect from other apps but not from a bug in this app.

    This is why the sandbox does not save you from Zip Slip. The sandbox isolates your app's data from other apps, but a path traversal within your own app writes as your app, so it can overwrite your own sensitive files, config, or cached content, all of which the app is permitted to modify. Understanding the file permission structure clarifies the risk: the danger is not writing to another app's data, which the sandbox blocks, but writing to your own app's protected files in ways you did not intend, which the sandbox permits because the write comes from your app. Confining extraction to a validated path is what keeps writes where they belong.

    The fix: validate the canonical path

    The fix for Zip Slip is to validate each extracted entry's path before writing it, ensuring it resolves to a location inside the intended target directory. For every entry, build the destination path from the target directory and the entry name, then resolve it to its canonical form, which collapses any parent-directory sequences, and check that this canonical path still begins with the canonical path of the target directory. If it does, the file is safe to write; if it does not, the entry is trying to escape and you reject it rather than writing it.

    This canonical-path check is the standard defense, and it neutralizes the parent-directory trick because resolving the path exposes where it actually points, regardless of how the entry name is constructed. Prefer a well-maintained extraction library that performs this validation for you, since reimplementing extraction is where the vulnerability creeps in, and confirm that the library actually guards against traversal rather than assuming it does. Extract into an isolated directory, validate every entry, and refuse anything that resolves outside it, and Zip Slip is closed.

    Testing your own app safely

    Testing whether your app is vulnerable is a legitimate exercise you do only against your own app, in an isolated environment. Create a test archive containing an entry whose name would escape the extraction directory, then have your own app extract it on a device or emulator you control that holds no real data, and observe whether the file lands outside the target folder or is correctly rejected. If it escapes, your extraction code is vulnerable and needs the canonical-path validation; if it is rejected, your defense works.

    Keep the exercise bounded and constructive. Only test applications you have the right to test, use a disposable environment so a successful write does not damage anything real, and use the result to fix the extraction code rather than to attack anything.

    Tools to spot path traversal automatically

    Because Zip Slip follows a recognizable code pattern, static analysis tools can flag it automatically, which is the fastest way to find it across an app. A mobile static analysis tool inspects your app's code for unsafe patterns, including archive extraction that writes entries without validating their paths, and reports the location so you can review and fix it. Running such a scan over your build surfaces the issue without you having to read every extraction call by hand, which is valuable in a large codebase or one with third-party libraries.

    The open-source MobSF performs this kind of static analysis, and build scanners that map findings to security standards can flag insecure file handling and path traversal patterns as well. Automated detection is a first pass rather than a complete guarantee, since a scanner may not follow every code path and a manual review of your extraction logic is still worthwhile, but it reliably catches the common naive-extraction pattern that causes Zip Slip. So combine an automated scan to find candidates quickly with a manual check of your extraction code and the canonical-path fix to close them.

    Vulnerable versus safe extraction

    Comparing the two clarifies what changes. The table below sets them side by side.

    AspectVulnerable extractionSafe extraction
    Entry path handlingTrusts the archive's entry nameResolves and validates the canonical path
    Parent-directory sequencesFollowed, escaping the targetRejected before writing
    ResultWrites files outside the target directoryEvery file stays inside the target
    DetectionMissed without reviewFlagged by a static analysis scanner

    Read the table by the entry-path row: trusting the archive's path is the root of Zip Slip, and validating the resolved canonical path is what fixes it.

    Remediation checklist

    Working through these steps closes a Zip Slip vulnerability. The checklist below covers them.

    StepActionDone?
    Validate the canonical pathConfirm each entry resolves inside the target directory[ ]
    Reject traversal entriesRefuse any name that escapes the folder[ ]
    Use a safe libraryPrefer extraction code that guards against traversal[ ]
    Isolate the extractionExtract into a dedicated, isolated directory[ ]
    Scan the buildDetect unsafe extraction automatically[ ]
    Test on your own appVerify with a crafted archive in isolation[ ]

    The step that closes the vulnerability is validating the canonical path, since it neutralizes the escape regardless of how the malicious entry name is built.

    Scan your app for unsafe extraction

    Because Zip Slip hides in a common extraction pattern that is easy to miss by eye, especially in third-party code, scanning your build is the reliable way to find it across the app rather than one call at a time.

    A scanner like PTKD.com analyzes your build and reports issues such as insecure file handling, path traversal patterns, and other weaknesses by severity, mapped to OWASP MASVS, so unsafe archive extraction is flagged for you to fix. To be clear about the boundary: PTKD does not patch your extraction code or run a live exploit; it identifies the pattern and the location. It gives you a fast, standard-aligned way to spot path traversal automatically, which you then close with the canonical-path validation in your own code.

    What to take away

    • Zip Slip is a path traversal vulnerability where an app trusts the file names in an archive, so a malicious entry with parent-directory sequences escapes the extraction directory and writes elsewhere.
    • In an Android app, an escaped write reaches other files in the app's private storage, because the write happens as your app, which the sandbox permits, so the sandbox does not protect you.
    • The exploit works by crafting an archive whose entry name points outside the target folder, turning extraction into a controlled file write.
    • Fix it by resolving each entry's canonical path and confirming it stays inside the target directory before writing, rejecting anything that escapes, and prefer a library that does this.
    • Detect it automatically with a static analysis tool like MobSF or a build scanner such as PTKD.com, and test your own app with a crafted archive in isolation.
    • #zip slip
    • #path traversal
    • #android
    • #archive extraction
    • #owasp masvs

    Frequently asked questions

    What is Zip Slip path traversal?
    It is a form of path traversal where the untrusted input is the file names inside an archive. When an app extracts an archive, it writes each entry's contents to a path built from that entry's name inside a target directory, and if the app trusts a name that contains parent-directory sequences, the resulting path points outside the target, so the file is written where the app did not intend. The bug is in the extraction code, not the archive format, since the app must refuse dangerous paths.
    How is archive extraction exploited in an app?
    An attacker crafts an archive whose entry names use parent-directory sequences to escape the folder the app extracts into, and when the app writes that entry using the untrusted name, the file lands at the attacker-chosen location with attacker-controlled contents. If your app unpacks an archive from an untrusted source, this lets an attacker overwrite files in your storage outside the extraction directory, corrupting data or config, or influencing what the app runs if it loads from a writable location.
    Why does Android's sandbox not protect against it?
    Because the traversal writes as your own app. The sandbox isolates your app's private data from other apps, but a Zip Slip write escaping the extraction subfolder reaches other files in your app's private storage, which your app is permitted to modify. So the danger is not writing to another app's data, which the sandbox blocks, but overwriting your own protected files in unintended ways, which the sandbox permits because the write comes from your app. Confining extraction to a validated path is the safeguard.
    How do I fix Zip Slip in my app?
    Validate each extracted entry's path before writing. Build the destination from the target directory and the entry name, resolve it to its canonical form, which collapses parent-directory sequences, and confirm the canonical path still begins with the canonical path of the target directory. Write the file only if it does; reject the entry if it escapes. Prefer a well-maintained extraction library that performs this validation, extract into an isolated directory, and confirm the library actually guards against traversal.
    What tools spot path traversal automatically?
    Static analysis tools flag the recognizable Zip Slip code pattern automatically. A mobile static analysis tool inspects your code for archive extraction that writes entries without validating paths and reports the location, which is faster than reading every extraction call. The open-source MobSF performs this analysis, and build scanners that map findings to security standards flag insecure file handling too. Automated detection is a first pass, so pair it with a manual review of your extraction logic.
    How do I test my own app for Zip Slip?
    Only against your own app, in isolation. Create a test archive containing an entry whose name would escape the extraction directory, have your app extract it on a device or emulator holding no real data, and observe whether the file lands outside the target folder or is rejected. If it escapes, add the canonical-path validation; if rejected, your defense works. A scanner like PTKD.com (https://ptkd.com) flags the unsafe pattern so you know where to look.

    Keep reading

    Scan your app in minutes

    Upload an APK, AAB, or IPA. PTKD returns an OWASP-aligned report with copy-paste fixes.

    Try PTKD free