Security solutions company eScan on Thursday in a 36-page report alleged that Xiaomi’s MIUI custom Android ROM has multiple flaws that affected the security of user data. Xiaomi system apps such as the uninstall mechanism and Mi Mover were some of the flawed aspects of MIUI, the report stated. The Chinese smartphone company has refuted the allegations however, in a statement to Gadgets 360.
A Xiaomi spokesperson in an emailed statement told Gadgets 360 that all of eScan’s data security concerns are valid only if a perpetrator gains physical access to an unlocked smartphone. Such a scenario already places user data at great risk, and Xiaomi also pointed to the addition of login layers that have been introduced in the user data migration app Mi Mover, as well as its recommendations for users to utilise a lockscreen security feature such as PINs, pattern locks, and the fingerprint sensor.
In its report, eScan claims “Xiaomi’s system apps have unknowingly introduced multiple flaws into the functional working of most of the apps. The functional aspects of Anti-Theft security apps and Android for Work apps are affected by the uninstall procedure implemented by Xiaomi. Furthermore, the MI-Mover app which assists in user data migration also poses significant threats to the installed apps. Although, Xiaomi alone cannot be held responsible; the app developers are also equally responsible for not taking into consideration that there existed a huge possibility of their application’s app-system-data getting cloned/ copied. This particular use-case existed since the day devices started getting rooted and app-system-storage was compromised. It’s surprising that app developers never realized that the data which they are storing on app-system-storage is vulnerable on rooted phones. Although Xiaomi’s MI Mover allows the users to copy all their data, it goes one step ahead and copies from the app-system-storage areas too.”
The eScan report claims that the “uninstallation procedure implemented by Security Apps is adversely affected on Xiaomi Devices,” and “apps based on the guidelines provided for implementing Android for Works are affected by the improper implementation of uninstallation procedure implemented on Xiaomi devices.”
In the research, eScan found the following security loopholes that need to be addressed:
1. MI-Mover App overrides the application sandbox of the Android OS
2. Any device-administrator app can be uninstalled without revoking its device-admin rights
3. Unlike other smartphones, Xiaomi with MI-Mover can be cloned in few minutes without needing to root the device
4. MIUI devices rather than deleting, hides the Work-Profile Admin app
5. Not easy to delete the Work-Profile
6. Workspace profiles cannot be differentiated from the personal profile posing a serious challenge from the security point of view in Enterprise Mobility Management
eScan admits that physical access of an unlocked device is required for its concerns to apply, but then asks what precautions do Xiaomi device users have to take into consideration when handing their devices over to service centre employees, and with anti-theft security mechanisms affected, questions how Xiaomi users would ensure their device doesn’t get stolen.
The Xiaomi spokesperson’s full statement can be read below.
At Xiaomi, user privacy is of utmost importance.
Any perpetrator who gains physical access to an unlocked phone, is capable of malicious activity and an unlocked phone is greatly at risk of user data being stolen.
This is why, we at Xiaomi encourage our users to be more aware of guarding their private data using PIN, Pattern locks, or the onboard fingerprint sensor available on most of our smartphones. In fact, prompting users to enable fingerprint lock is a standard step when setting up a Xiaomi smartphone for first use.
Mi Mover is designed to be a convenient tool for our users to move their data from an old smartphone to a new phone. In order for Mi Mover to initiate this process, a password is required.
More importantly, in order to use Mi Mover, the smartphone has to be unlocked.
Thus, there are two layers of protection for the user – phone lock and a Mi Mover password that are necessary.
Further, as per the Escan report, “As part of exploiting the issue you describe, someone needs to take control of a user’s mobile phone and get that phone in an unlocked state. This is a very high barrier to entry and seems unlikely to happen commonly, making this more of a theoretical attack. The protection, in this case, is to not allow someone to steal and unlock your phone.