Xiaomi has sold millions of smartphones in India in the past few years and has even held the number one smartphone brand slot for six straight quarters, as per IDC reports. At a time of tremendous demand for Xiaomi phones in India, a new report on a possible flaw in the pre-installed default ‘Security’ app has been published by an Israeli cyber-security research firm.
The cyber-security firm Check Point recently discovered a flaw in a pre-installed app that was itself meant to detect malware and protect Xiaomi phones from attacks.
The report explains the security flaw in full detail. According to the Check Point report, the traffic to and from ‘Guard Provider’ (com.miui.guardprovider) is not encrypted, which leaves open the possibility of a Man-in-the-Middle (MiTM) attack by an adversary connected to the same network.
The research firm found that Xiaomi’s pre-installed app integrates three different third-party Software Development Kits (SDKs), namely Avast, AVL and Tencent. Of the three, Avast and AVL provide antivirus protection, while the Tencent SDK cleans and boosts the phone’s performance.
The source of the potential threat is that all three SDKs are bundled into the same app and therefore share the same app permissions. The drawback is that if one SDK’s update is injected with rogue code, the attack could affect the other two SDKs as well.
The vulnerability has limited impact and should be fixed in a future update. Still, any attack based on this flaw could result in compromised inbound and outbound internet traffic. The lack of encryption also means an attacker could effectively gain control over the victim’s phone. Xiaomi is yet to release a statement on this issue. Once Xiaomi puts out a public statement, we will add it to this report.