A new report by security firm eScan has claimed Xiaomi’s MIUI has multiple security vulnerabilities and flaws. The report says MIUI poses a significant threat for apps and user data on the phones. Xiaomi on its part has denied this is true and is disputing the eScan report. Interestingly the report doesn’t just stop at Xiaomi, but also blames app developers for ignoring security concerns.
According to eScan, there are some key problems with Xiaomi’s MIUI. For instance, the report says MIUI’s system app poses a threat to ‘Security app’s like anti-virus, etc, because when it comes to the un-installation, the system doesn’t ask for a password. The report says, “From a security point of view, the process of un-install implemented in MIUI poses a significant security threat since the authentication process implemented by the app is bypassed.” It also claims all security apps on Xiaomi phones are affected by this design flaw.
The report adds Xiaomi’s MIUI is not ideal of handling work-related profiles, and says that MIUI doesn’t “properly label” these. The report also raises security concerns over the Mi Mover app, which allows for complete data transfer from Xiaomi to Xiaomi smartphones, and also Xiaomi to other branded smartphones. According to the report, Mi Mover app copies all the data, including logged-in credentials for apps, which poses a significant security threat.
According to eScan, the problem is the Xiaomi Mi-Mover “can access App-System-Data which allows cloning of the End-User apps.” Even in the new Xiaomi phone, “all the applications allowed the user to log into the app and allowed access to all the history, wallets and conducted operations as if both the devices are same,” notes the report. IRCTC app was the only exception to this, and asked for registration again.
The point eScan is making is that on the new Xiaomi phone, apps have to ask for re-authentication, which doesn’t happen if these are being set-up via Mi Mover. It is also asking Xiaomi users not to enable the “Smart-Lock,” option which can automatically unlock devices.
But the report admits that in some cases the bugs are theoretical and that device would have to be stolen, along with the pin/password/pattern for the account to get accessed. It reads, “Facebook Theoretical bug, the end-user has to protect the phone from getting stolen and has to implement pattern/Passcode on the device.” eScan’s report adds in the end that Xiaomi will be “issuing a patch as per the schedule,” though the date is not confirmed. The report says “app developers are also equally responsible” for some of these flaws.
The statement adds, “Any perpetrator who gains physical access to an unlocked phone, is capable of malicious activity and an unlocked phone is greatly at risk of user data being stolen. This is why, we at Xiaomi encourage our users to be more aware of guarding their private data using PIN, Pattern locks, or the onboard fingerprint sensor available on most of our smartphones. In fact, prompting users to enable fingerprint lock is a standard step when setting up a Xiaomi smartphone for first use.”
Mi Mover is designed to be a convenient tool for our users to move their data from an old smartphone to a new phone. In order for Mi Mover to initiate this process, a password is required. More importantly, in order to use Mi Mover, the smartphone has to be unlocked. Thus, there are two layers of protection for the user – phone lock and a Mi Mover password that are necessary.
Further, as per the Escan report, a vendor’s Security Team replied, “As part of exploiting the issue you describe, someone needs to take control of a user’s mobile phone and get that phone in an unlocked state. This is a very high barrier to entry and seems unlikely to happen commonly, making this more of a theoretical attack. The protection, in this case, is to not allow someone to steal and unlock your phone.”