Major Security Flaw Found in MIUI: Third Party Security Apps Can be Uninstalled Easily

The fast expanding world of Internet is marred by numerous security vulnerabilities arising out and India-based eScan Antivirus has released a report suggesting multiple security flaws found on Xiaomi devices running MIUI operating system.

With a 13 percent market share, Xiaomi is currently one of the leading smartphone brands in India, which is the second largest smartphone market in the world, just after China.

The research by eScan points out multiple flaws in the MIUI OS which is capable of introducing vulnerabilities into end-user as well as security apps.

“MIUI’s system app which handles the un-installation of the apps poses a significant threat to Security apps. It has been observed that these apps at the time of un-install would ask for a password on all the other devices, although on MIUI, these apps get un-installed without the need for a password,” the researchers noted.

Another important security flaw noted by the researchers was that the Mi Mover app doesn’t require a password when transferring data from one device to the other.

“From a security point of view, the process of un-install implemented in MIUI poses a significant security threat since the authentication process implemented by the app is bypassed,” they added.

Security Issues Found by eScan

Researchers at eScan found the following issues with Xiaomi’s MIUI operating system.

  • MI-Mover App overrides the application sandbox of the Android OS
  • Any device-administrator app can be uninstalled without revoking its device-admin rights
  • Xiaomi with MI-Mover can be cloned in few minutes without needing to root the device
  • MIUI devices rather than deleting, hides the Work-Profile Admin app
  •  Workspace profiles cannot be differentiated from the personal profile posing a serious challenge from the security point of view in Enterprise Mobility Management

GT Tested the Security Vulnerability too

Out of all of these issues, the most pressing and widespread issues are the vulnerabilities attacking security apps and another one related to Mi Mover.

Talking to GuidingTech, Xiaomi spokesperson consistently stressed on the fact that the device’s pin/pattern/fingerprint scanner is the first barrier of unwanted entry and to exploit any of the vulnerabilities mentioned in the research, this security barrier has to be broken.

Security App Test

First, we tested the security vulnerability which states that any app which has device administrator permission can be deleted without revoking those rights.

Per se, we installed Cerberus Anti-theft app on our Xiaomi Mi Max 2 device and non-Xiaomi devices (to act as a control). When uninstalling the Cerebrus app on the OnePlus 5 and Samsung Galaxy J7 Max (both running on Android 7) device, the phone asks for the system password as well as the Cerberus app password.

But when we tried uninstalling Cerberus from the Mi Max 2 device, the app simply got uninstalled without asking for any additional inputs — read password.

Mi Mover Test

In their statement to GuidingTech, Xiaomi spokesperson mentioned that a password is required in order to use Mi Mover on the device.

So we found two Xiaomi devices — Mi Max 2 and Redmi 4A –, put fingerprint and pattern locks on them and checked out the Mi Mover feature. To our surprise (or not!) the Mi Mover app didn’t ask for any password whatsoever.

It just asked us who’s going to send the data, who’s going to receive it and what all system or app data needs to be sent. And Voila! The data transfer started without the need for any password input either before or after the Mi Mover app completed transferring the data.

This vulnerability is critical too as anyone who gains access to your unlocked Xiaomi device can easily clone all the contents of the device, including system and app data in a jiffy.

Xiaomi has been focussing on the fact that the first security layer is locking the phone but even on an unlocked phone, there are other Android guidelines that need to be put in place to avoid further damage — such a 2FA and app-specific passwords.

What Xiaomi Says

Here is the complete statement of Xiaomi:

Escan earlier today shared a report which lists downs few concerns in MIUI. We strongly disagree with the allegations made by Escan in their report. As a global Internet company, Xiaomi takes all possible steps to ensure our devices and services adhere to our privacy policy.

Any perpetrator who gains physical access to an unlocked phone is capable of malicious activity and an unlocked phone is greatly at risk of user data being stolen.

This is why, we at Xiaomi encourage our users to be more aware of guarding their private data using PIN, Pattern locks, or the onboard fingerprint sensor available on most of our smartphones. In fact, prompting users to enable fingerprint lock is a standard step when setting up a Xiaomi smartphone for first use.

Mi Mover is designed to be a convenient tool for our users to move their data from an old smartphone to a new phone. In order for Mi Mover to initiate this process, a password is required.

More importantly, in order to use Mi Mover, the smartphone has to be unlocked.

Thus, there are two layers of protection for the user – phone lock and a Mi Mover password that are necessary.

Prayank

By

See more posts by this author.

Show CommentsHide Comments