Xiaomi’s MIUI Caught With Major Security Flaws – Company Denies Allegations : Update – 12/08/2017

This could potentially affect millions of Xiaomi devices being used world-wide



Being among the top 5 smartphone manufacturers in the world, Xiaomi has come a long way, and its own customized Android skin, MIUI, runs on millions of devices. Now, it has been reported to have multiple security vulnerabilities.

Security firm eScan Antivirus has reported a number of security flaws in Xiaomi's MIUI.

1. Payment Information Leak

The first vulnerability has to do with the Mi Mover app. The app lets you transfer your settings and other data from your smartphone to another device. But when the transfer is between two Xiaomi phones, the app bypasses Android's sandbox protection, and it also carries over passwords and sensitive payment data.

How will this affect You?

Since the app is no longer operating within Android's sandbox, all your confidential bank and payment data is exposed.

2. No Password Protection

To protect the information being transferred, the device should require a password to authenticate use of the Mi Mover app. But the researchers observed that the app has no password protection at all when data is transferred between Xiaomi devices.

How will this affect You?

With lack of any password protection, anyone can transfer sensitive data from an unlocked Xiaomi device.

3. Cloning of Device

As there is no protection, this becomes a very serious issue. If someone gains access to your unlocked Xiaomi device, they can easily clone your system and steal app data without any hassle. At the same time, since the app operates outside Android's sandbox, there is no fall-back protection in MIUI itself to protect the system.

How will this affect You?

If your device is stolen, or if someone gets access to your unlocked device, even for a few minutes, they can easily move your confidential data to a cloned device.

4. No Administrator Permission Needed to Wipe off Data

Another notable security vulnerability is with the in-built device administrator apps. Generally, security apps on any Android device require Android's device administrator permission to wipe data from the device. In MIUI, this does not require any password.

How will this affect You?

If your unlocked Xiaomi device ever falls into the wrong hands, they can easily steal your data and wipe it all off at the same time, leaving no evidence behind.

Xiaomi Denies Allegations

Xiaomi has strongly disagreed with the report, saying it has ‘taken all the possible steps to ensure our devices and services adhere to our privacy policy’. Xiaomi has, however, urged users to use a PIN, pattern lock or fingerprint lock to minimize the risk of someone getting into their device.

MIUI 9 Launching in China

Amidst all this, MIUI 9 is getting an official launch in China on 11th August 2017. Although the worldwide rollout of the international MIUI 9 version still doesn’t have a date, it is expected to be available to users by September 2017.

Update (12/08/2017)

After we ran this story, Xiaomi reached out with an official statement as follows:

“At Xiaomi, user privacy is of utmost importance.
Escan earlier today shared a report which lists down a few concerns in MIUI. We strongly disagree with the allegations made by Escan in their report. As a global Internet company, Xiaomi takes all possible steps to ensure our devices and services adhere to our privacy policy.
Any perpetrator who gains physical access to an unlocked phone is capable of malicious activity, and an unlocked phone is greatly at risk of user data being stolen.
This is why, we at Xiaomi encourage our users to be more aware of guarding their private data using PIN, Pattern locks, or the onboard fingerprint sensor available on most of our smartphones. In fact, prompting users to enable fingerprint lock is a standard step when setting up a Xiaomi smartphone for first use.
Mi Mover is designed to be a convenient tool for our users to move their data from an old smartphone to a new phone. In order for Mi Mover to initiate this process, a password is required.
More importantly, in order to use Mi Mover, the smartphone has to be unlocked.
Thus, there are two layers of protection for the user – phone lock and a Mi Mover password that are necessary.
Further, as per the Escan report, a vendor’s Security Team replied, “As part of exploiting the issue you describe, someone needs to take control of a user’s mobile phone and get that phone in an unlocked state. This is a very high barrier to entry and seems unlikely to happen commonly, making this more of a theoretical attack. The protection, in this case, is to not allow someone to steal and unlock your phone.”

– Xiaomi spokesperson

