A new research shows how Xiaomi users could be unknowingly exposed to multiple vulnerabilities.
India is the second biggest market for Xiaomi after China. According to a report by Canalys, brands such as Xiaomi, Oppo, Vivo, Gionee and Lenovo control over 50 percent of India’s smartphone market. Of that, Xiaomi alone has a 13 percent market-share in India, going by the number of devices shipped into the country, reports Counterpoint. Unfortunately, with that big number in hand, a new research has reported multiple flaws in Xiaomi’s MIUI system apps, that can cause unintentional vulnerabilities to the end user.
Uninstallation of apps without permission
To begin with, the first issue found on Xiaomi devices was that any administrator app on them can be uninstalled without revoking its device-admin rights. According to the research by eScan, MIUI’s system app, which handles the uninstallation of the apps, can pose a significant threat to security apps. The research observes that these apps at the time of uninstalling ask for a password on all the devices, although on MIUI, these apps get uninstalled without the need for a password. From a security point of view, the process of uninstalling implemented in MIUI, can be a potential threat, since the authentication process implemented by the app is bypassed.
UPDATE: To our query on the research, Xiaomi responded saying,
At Xiaomi, user privacy is of utmost importance.
Escan earlier today shared a report which list downs few concerns in MIUI. We strongly disagree with the allegations made by Escan in their report. As a global Internet company, Xiaomi takes all possible steps to ensure our devices and services adhere to our privacy policy.
Any perpetrator who gains physical access to an unlocked phone, is capable of malicious activity and an unlocked phone is greatly at risk of user data being stolen.
This is why, we at Xiaomi encourage our users to be more aware of guarding their private data using PIN, Pattern locks, or the onboard fingerprint sensor available on most of our smartphones. In fact, prompting users to enable fingerprint lock is a standard step when setting up a Xiaomi smartphone for first use.
Mi Mover is designed to be a convenient tool for our users to move their data from an old smartphone to a new phone. In order for Mi Mover to initiate this process, a password is required.
More importantly, in order to use Mi Mover, the smartphone has to be unlocked.
Thus, there are two layers of protection for the user – phone lock and a Mi Mover password that are necessary.
Further, as per the Escan report, a vendor’s Security Team replied, “As part of exploiting the issue you describe, someone needs to take control of a user’s mobile phone and get that phone in an unlocked state. This is a very high barrier to entry and seems unlikely to happen commonly, making this more of a theoretical attack. The protection, in this case, is to not allow someone to steal and unlock your phone.
End users always feel comfortable with the fact that their device is protected by an additional layer, and the very purpose of implementing this feature by security apps is defeated. The device owners of MIUI will now have to solely rely on the pattern/passcode lock provided by the MIUI, moreover, they will have to ensure that they do not enable Smart-Lock which is an inherent feature. The research found that all the security apps installed on MIUI were affected by this design flaw. ALSO READ: Smartphone business growing at over 100%: Amazon India
Mi Mover app
Xiaomi’s Mi Mover app, on the other hand, was found to override the application sandbox of the Android OS, thereby posing a significant threat to the installed apps. The app transfers all of the system data to the other Xiaomi Device. It is to be noted that this feature is 100 percent functional when both the devices are manufactured by Xiaomi.
In order to test the vulnerability, eScan conducted a backup and restore process on apps like WhatsApp, Telegram, JioMoney, and Paytm, among others, and found that the Mi Mover app poses significant threats to the installed apps. Although, Xiaomi alone cannot be held responsible, the app developers are also equally responsible for not taking into consideration that there existed a huge possibility of their application’s app-system-data getting cloned/copied. ALSO READ: India smartphone market may see strong pick up in Q3, 2017: Report
“This particular use-case existed since the day, devices started getting rooted and app-system-storage was compromised. It’s surprising that app developers never realized that the data which they are storing on app-system storage is vulnerable on rooted phones. Although Xiaomi’s Mi Mover allows the users to copy all their data, it goes one step ahead and copies from the app-system-storage areas too,” reads the report.
Cloned Xiaomi device affects the functional security controls related to factors governing access control mechanisms like identification, authentication, and authorization implemented by the Third Party Apps.
MIUI devices do not delete Work-Profile Admin app
According to Google, on Android 5.0 and above devices, users can delete their work profile from the phone settings. Once the profile is deleted, all local data on the device within that profile is deleted. Only the device policy controller application, and the Android device owner can delete the work profile and data. However, only the owner of the device can delete the personal data and perform a factory data reset. If a device is owned by your company or organization and configured with a device owner, the device owner can also perform a factory reset. ALSO READ: This cell phone draws power not from a battery, but thin air
But the research finds that, “MIUI inefficiently handles removal of workspace related to apps designed to facilitate Android for Works. Furthermore, due to the fact that in MIUI, the Workspace Profiles aren’t properly labeled, it becomes all the more difficult to differentiate between Personal and Work Profiles. Removing of Work-Profile Admin App has a negative impact on the functional working/implementation of Android For Works Apps and it defeats the very purpose of implementing Android for Works on Xiaomi Devices.”
BGR India has reached out to Xiaomi, but a response is still awaited.
How can users protect themselves?
eScan presents another line of argument to its own research, according to which physical access to the victim’s phone is required, to but the mentioned vulnerabilities to effect. Therefore, the onus of protecting your personal information now falls on the end user.
Xiaomi users must:
- Not to use Mi Mover to share apps, but should rely on other apps like ShareIT or Xender or any other file/app sharing applications.
- Not enable Smart-Lock, which is related to automatically unlocking your device.
- Update the patch, which will be made available by Xiaomi as per their release schedule.
- Validate the features of Security Apps and Android for Work Apps