eScan, a security company that focuses on providing Enterprise Security has issued a new report highlighting many security flaws in the MIUI operating system. To be clear, the report points out at flaws and ‘un-intentional vulnerabilities’ in the user apps and other security apps. According to the report, MIUI system apps are responsible for the vulnerabilities. The major points highlighted in the report state that the 13 percent of smartphone users in India with Xiaomi smartphones are at ‘a significant threat’ because of the ‘laxity’ that ‘MIUI OS has about security.’
The company issued a warning to Xiaomi users stating that the operating system has ‘multiple security lapses’ ‘by design’. This means that users can’t do much about the issues as Xiaomi has designed the operating system in such a way. eScan highlighted ‘Mi Mover’ app as one of the main culprits which overrides the internal sandbox that Android operating system employs to ensure the security of data. Mi Mover app is a system app that Xiaomi bundles with MIUI to help users migrate their user data from an older device to a new device.
According to the report, any ‘device-administrator app’ can be uninstalled without the need to revoke its device-admin rights. ‘Device administrator apps’ are special apps that add an additional level of security to prevent removal. Security scanner apps employ this to ensure that rogue apps, malicious scripts or viruses don’t uninstall them from the device. The report also points that Mi Mover app can clone a Xiaomi smartphone in few minutes without the need to root your smartphone.
Other issues pointed in the report state that MIUI hides the ‘Work-Profile’ Admin app and it is not possible to differentiate between Workspace profiles and personal profile making it difficult for network administrators in the enterprise setting to check which profile they are remotely removing as part of the Enterprise Mobility Management. This also poses security challenge as if the network administrator wants to remove the ‘Work-Profile’ and accidentally removes the ‘Personal-Profile’. In addition to the difficulty in distinguishing, it is not easy to remove the ‘Work-Profile; in the first place. The report was compiled by Sachin Raste, a senior research analyst working with eScan.
We reached out to Xiaomi for a comment on the accusations and Xiaomi provided an official statement regarding the issues pointed by eScan. Xiaomi emphasised that ‘user privacy’ is of utmost importance for the company. The smartphone maker stated that it strongly disagrees with the allegations made by eScan. It pointed out that eScan report assumes that you would need an unlocked device without any password, PIN, pattern or fingerprint security enabled.
The company stated that anyone who can get their hands on an unlocked smartphone can wreak havoc and cause irreversible damage to the owner of the smartphone with all the data available on the smartphone. Xiaomi stated that it encourages users to set a password, PIN, pattern lock or enable the fingerprint to unlock the smartphone. This ensures that all the private data is secure on the smartphone unless the person with malicious intent gets his/her hands on the PIN, password or pattern.
Addressing the concerns associated with Mi Mover app, Xiaomi pointed out that this tool is made to make it convenient for users to switch from old smartphone to a new one. It also pointed out that the users require a password for Mi Mover to initiate the process. To use the Mi Mover app, the users need to unlock their smartphones. Which means that using Mi Mover app requires two separate layers of security protection.
A spokesperson from Xiaomi pointed out that taking a smartphone in an unlocked state is a ‘very high barrier’ and unlikely to happen in day-to-day life. This makes the type of attacks mentioned her as theoretical at best. Xiaomi pointed out that to stop your private data from leaking, users should ensure that they don’t lose their smartphone or give away the unlock PIN, password or pattern to anyone else.
Published Date: Aug 11, 2017 23:55 PM | Updated Date: Aug 11, 2017 23:58 PM