Researchers Find Multiple Security Flaws in MIUI

Google works to keep the AOSP as secure as possible and does so by working with the community to find and report as many vulnerabilities as possible. While this secures Android at the base level, various smartphone OEMs choose to change the code so they can add in some software features to their OEM ROM. We see companies like LG and Samsung include their own security patches on top of Google’s, but this isn’t something we hear about much from Xiaomi and MIUI.

Researchers from eScan recently got their hands on some Xiaomi devices with MIUI installed and did some analysis. It should be noted that Xiaomi is a big smartphone OEM with their devices being among the most popular in a number of countries around the world. So when we heard that researchers were able to find multiple security flaws within the platform, it’s something that definitely piqued our attention.

Researchers at eScan highlighted 5 different flaws they were able to find in MIUI. The first is that the Mi Mover application is able to override the application sandbox that the Android OS puts in place. Another is that any application with device administrator rights can be uninstalled without first revoking its device-admin rights. A Xiaomi device can also be cloned with Mi Mover in a few minutes without needing to root it, which makes the first flaw even more interesting.

Instead of deleting the Work-Profile Admin app like some OEMs do, Xiaomi has decided to simply hide it on MIUI devices. Lastly, researchers at eScan discovered that workspace profiles cannot be differentiated from the personal profile. The team says this poses a serious challenge from the security point of view in Enterprise Mobility Management. Xiaomi disputes this report and released this statement regarding the matter:

Here is the complete statement of Xiaomi:

eScan earlier today shared a report which lists down a few concerns in MIUI. We strongly disagree with the allegations made by eScan in their report. As a global Internet company, Xiaomi takes all possible steps to ensure our devices and services adhere to our privacy policy.

Any perpetrator who gains physical access to an unlocked phone is capable of malicious activity and an unlocked phone is greatly at risk of user data being stolen.

This is why we at Xiaomi encourage our users to be more aware of guarding their private data using PIN, Pattern locks, or the onboard fingerprint sensor available on most of our smartphones. In fact, prompting users to enable fingerprint lock is a standard step when setting up a Xiaomi smartphone for first use.

Mi Mover is designed to be a convenient tool for our users to move their data from an old smartphone to a new phone. In order for Mi Mover to initiate this process, a password is required.

More importantly, in order to use Mi Mover, the smartphone has to be unlocked.

Thus, there are two layers of protection for the user – phone lock and a Mi Mover password that are necessary.

Via: Guiding Tech Source: eScan PDF

About author

Doug Lynch