Security firm discovers several major flaws in MIUI

[The Sloth]

what happened? 

 

"The first problem relates to the Mi-Mover app, which allows you to transfer apps and some settings from any Android device (running 4.2 or higher) to a Xiaomi phone. This is a pretty common feature, even on Nexus and Pixel phones. However, if both devices are running MIUI, Mi-Mover will copy all system data to the new phone. This includes confidential information, like saved payment information, overriding Android's built-in sandbox protection in the process. Some applications are unaffected, like ones check the device or require a PIN at launch, but many popular apps like Twitter and Airbnb don't check the device. So if someone had access to a Xiaomi phone, they could copy all of a user's information without much effort" 

 

"Another flaw was found in how MIUI handles device-administrator apps. As you may know, many security/anti-theft apps (like Android Device Manager) can use Android's administrator permission to wipe the device. Uninstalling these apps usually requires the user's password, but eScan discovered that no prompt was given when deleting an administrator app. Theoretically, someone could steal a Xiaomi phone and quickly delete any anti-theft apps before the owner had the chance to use them." 

 

 

Xiaomi response 

 

 

TLDR-  Xiomi Mi-Mover app can be easily used to copy user data, like saved payment information, overriding Android's built-in sandbox protection in the process, another issue was how someone with a stolen xiimi phone could uninstall device administrator giving them acess because of how MIUI handles device-administrator apps, so a thief can delete a anti theft app after obtaining the stolen phone before owner can activate any antitheft measure. 

 

"Uninstalling these apps usually requires the user's password, but eScan discovered that no prompt was given when deleting an administrator app." 

 

what do you guys think? i think a simple software update can fix the issues but not sure if that will happen. 

 

-http://www.androidpolice.com/2017/08/10/security-firm-discovers-several-major-flaws-miui/ 

[DocSwag]

Stock Android Lyfe

[potoooooooo]

11 minutes ago, Kumaresh said:

If they could demonstrate such security loopholes live on a locked phone, that would give cause for alarm..... And just when I purchased a new Mi Max 2......

Such a good phone.

 

I'm lusting over that huge screen

[Guest]

Not trying to hate on something (Xiaomi smartphones) i never used, and that i personally dont plan to use, but the company answer is so trivial and uninspiring...

 

Like said above, a demonstration would be nice to see.

[Pesmerga]

I have a redmi 4 pro, doesn't affect me much but I hope it will get patched soon.

[BachChain]

Security issues in a proprietary OEM utility? Say it ain't so.

[SpaceGhostC2C]

17 hours ago, nerdslayer1 said:

what do you guys think? i think a simple software update can fix the issues but not sure if that will happen. 

Reading Xiaomi's response, I would say:

1) it won't happen

2) it's not needed

 

At least regarding MI Mover, which is what Xiamoi response was about. It's working as intended, the original complain is the equivalent of saying that there is a flaw in any OS because having administrator rights give you administrator rights - imagine if someone logged in as administrator to your device!  

 

The second claim is the only potential problem here, but unfortunately we don't have any response from the company about them. I don't particularly care because I don't install that type of apps anyway, but those who do certainly don't want for anyone to uninstall them. Although, again, if they require unlocking the phone as administrator, then what else can you do (other than having them as uninstallable "system apps", as is common in Android OEM bloatware)?.