A security company has claimed that Chinese smartphone maker Xiaomi has many security vulnerabilities and flaws. According to the eScan report, MIUI, Xiaomi’s own interface that runs on top of the Android OS, poses a major threat to the user’s mobile applications and data. The report also blamed app developers for ignoring security issues. Xiaomi has denied and disputed the claims made by eScan. The eScan report lists a few important issues with Xiaomi MIUI. One of the bigger problems is that the MIUI system app does not ask for a password when a ‘Security app’ is uninstalled from the phone. eScan said, “From a security point of view, the process of un-install implemented in MIUI poses a significant security threat since the authentication process implemented by the app is bypassed.” The report said that all such types of apps are affected by this flaw on Xiaomi smartphones.
The eScan report said that Xiaomi MIUI cannot handle work-related profiles ideally, adding that it cannot ‘properly label’ them. eScan also raised security concerns over the Mi Mover app. This app is used to transfer data from one Xiaomi smartphone to another, and also from Xiaomi to other branded smartphones. The report claimed that the app copies all data, including login credentials. The report said that the issue is that the Xiaomi Mi-Mover “can access App-System-Data which allows cloning of the End-User apps.” Even on the new Xiaomi phone, “all the applications allowed the user to log into the app and allowed access to all the history, wallets and conducted operations as if both the devices are same,” eScan said.
The point eScan is making is that apps have to ask for re-authentication on the new Xiaomi phone, which does not happen if they are set up via Mi Mover. Additionally, the report said that Xiaomi users should not enable ‘Smart-Lock’, as it can automatically unlock devices. However, the report did say that in a few cases the bugs are theoretical, and that the phone would have to be stolen along with the account passwords for someone to gain access. Meanwhile, Xiaomi said that Mi Mover has been designed to be a convenient tool for users to move data from an old smartphone to a new phone. In order for Mi Mover to initiate this process, a password is required. More importantly, in order to use Mi Mover, the smartphone has to be unlocked. Thus, there are two layers of protection for the user.
The statement added, “Any perpetrator who gains physical access to an unlocked phone, is capable of malicious activity and an unlocked phone is greatly at risk of user data being stolen. This is why, we at Xiaomi encourage our users to be more aware of guarding their private data using PIN, Pattern locks, or the onboard fingerprint sensor available on most of our smartphones. In fact, prompting users to enable fingerprint lock is a standard step when setting up a Xiaomi smartphone for first use.”
The report concluded by saying, “As part of exploiting the issue you describe, someone needs to take control of a user’s mobile phone and get that phone in an unlocked state. This is a very high barrier to entry and seems unlikely to happen commonly, making this more of a theoretical attack. The protection, in this case, is to not allow someone to steal and unlock your phone.”