Xiaomi is a clear winner in the budget mobile market, but it may be falling short on security standards. A recent study by security experts at eScan shows that your Mi phone is vulnerable to data and identity theft. Let’s go through the research and see how MIUI allows a breach of your privacy.

Research Findings

Sachin Raste, a research analyst at eScan, says that Xiaomi’s MIUI has unintentional flaws. He conducted a series of security tests under various scenarios and came to the following conclusions.

  • MIUI uninstall mechanism overrides every security app.
  • MIUI inefficiently handles the workspace designed for Android for Work.
  • Mi Mover app allows transfer of system data and cache.

MIUI uninstall lets you remove even a security app (anti-theft) that has administrative privileges. In a usual scenario, the app’s privileges must be revoked and a pattern or PIN is required for uninstallation, but MIUI uninstall renders these protections useless. So any person who gets physical access to your unlocked device can remove the security apps in a jiffy.

MIUI also handles the ‘Android for Work’ workspace inefficiently, and work profiles are not labelled properly. This defeats the purpose of Android for Work, which was designed for Enterprise Mobility Management.

Mi Mover, the app made to help users migrate from one device to another, may help a thief steal your data and identity. The app can easily send system files, app caches and data to a new device. This makes device cloning easier for end users, but the app sessions also remain logged in in most cases.

List of Apps Tested

Here is a non-exhaustive list of apps used by eScan for the research. Most of the apps were affected, with severity ranging from medium to none. eScan also advises every app developer to test their apps and take action to ensure that their users and data are protected.

  • Transportation – Goibibo, Yatra, MakeMyTrip, Airbnb, IRCTC, Uber, OLA
  • Wallets – PayTM, JioMoney
  • Social – WhatsApp, Facebook, Facebook Messenger, Twitter, Telegram
  • Shopping – Amazon, Amazon Prime Video, Flipkart, SnapDeal
  • Secure Documents – DigiLocker

Consequences

The eScan research findings make it clear that the MIUI flaws aren’t negligible. Users might lose their data, money and privacy because of these unintentional flaws in the system apps, which amounts to a violation of norms by the manufacturer. eScan also mentions that neither manufacturers nor developers properly document the data they collect from users under the garb of statistics.

Xiaomi’s Response

Xiaomi responded to the research allegations and said that they encourage users to set a PIN, pattern or fingerprint lock as a standard step when setting up the device. They also mentioned that Mi Mover needs a PIN for the transfer to initiate (however, we didn’t notice any). They added that any perpetrator who gains physical access to an unlocked phone is capable of malicious activity, and that user data is then at great risk of being stolen.

Remediation Suggested

App developers must implement the following features to overcome the flaw introduced through the usage of MI-Mover and Backup apps relying on rooted devices.

  • Device Verification at every Launch.
  • Auto Lock Sessions and Authenticated Session termination.
  • When Device change is detected,
    a. Request Access Credentials and compare them with the credentials stored on the server.
    b. Initiate Registration process.
  • Audit Trail of Access and Login Notification.
  • Security Apps and Android For Work App developers should specifically test all the functionalities of their apps on Xiaomi devices.
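
The first four items above can be combined in one server-side check. The sketch below is an added example, not code from eScan or from any of the apps tested. All names are hypothetical, and the HMAC key stands in for a per-device key held in non-exportable storage (for example a keystore-backed key), which is assumed not to travel with copied app data.

```python
import hashlib, hmac, secrets

def device_proof(device_key: bytes, nonce: bytes) -> bytes:
    """Computed by the app at launch. Assumption: device_key sits in
    non-exportable storage, so copied app data does not contain it."""
    return hmac.new(device_key, nonce, hashlib.sha256).digest()

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SessionServer:  # hypothetical server-side session store
    def __init__(self):
        self.users, self.sessions, self.audit = {}, {}, []

    def add_user(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, _pw_hash(password, salt))

    def login(self, user, password, device_key):
        """Compare credentials with the server copy, then register the device."""
        salt, stored = self.users.get(user, (b"\0" * 16, b""))
        if not hmac.compare_digest(_pw_hash(password, salt), stored):
            self.audit.append((user, "login_failed"))
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = {"user": user, "key": device_key, "nonce": None}
        self.audit.append((user, "device_registered"))
        return token

    def challenge(self, token):
        """Fresh nonce for each launch, so a captured proof cannot be replayed."""
        s = self.sessions.get(token)
        if s is None:
            return None
        s["nonce"] = secrets.token_bytes(16)
        return s["nonce"]

    def verify_launch(self, token, proof):
        s = self.sessions.get(token)
        if s is None or s["nonce"] is None:
            return "login_required"
        nonce, s["nonce"] = s["nonce"], None  # each nonce is single use
        if hmac.compare_digest(device_proof(s["key"], nonce), proof):
            return "ok"
        del self.sessions[token]  # device change: terminate the session
        self.audit.append((s["user"], "device_change_detected"))
        return "login_required"
```

A failed proof revokes the token for every holder, so the original device also has to re-authenticate. The audit entries are the data a login notification would be built from.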

Device owners, administrators or end users should consider the following guidelines.

  • Do not use MI-Mover to share apps; rely instead on ShareIT, Xender or any other file/app sharing application.
  • Do not enable Smart-Lock, which can automatically unlock your device.
  • Update with the latest patch from Xiaomi.
  • Validate the features of Security Apps and Android for Work Apps.

Above all, Xiaomi should come forward with an update patch fixing these vulnerabilities or flaws as soon as possible. So, if you own a Mi device, kindly follow the remedies or guidelines for your safety. Also, do check out the latest features implemented in Xiaomi’s MIUI 9. Hope this write-up helped you get an idea of eScan’s research. Peace!